HostKey Management

Mike Kelly mike at
Fri Jan 18 03:08:29 EST 2013

On 01/16/2013 10:40 AM, Mike Kelly wrote:
> As far as I can tell, when working in an environment with many servers,
> there seem to be several ways for your client to authenticate the
> HostKeys of each:
> [...]

Two people replied to me off-list to mention GSSAPIKeyExchange, which
seems to be part of some patches that aren't in the main OpenSSH
distribution (yet?), with this being their source, as far as Google can
tell me:

Those don't seem to have been updated for versions 5.8, 5.9, 6.0, or
6.1, though... so I guess it's been abandoned?

Also, as far as I'm aware (though, maybe I've just not learned enough
about Kerberos), using Kerberos basically requires someone to
interactively (and somewhat regularly) kinit, to get fresh credentials.
For a situation where you want to allow various servers to talk to each
other over an SSH channel, without any direct human intervention (e.g.
cron jobs, etc.)... it seems that would rule out Kerberos completely?
But, maybe there's "something" that I'm missing, that would allow
Kerberos to be used like Public Keys can be now?

Mike Kelly

More information about the openssh-unix-dev mailing list