HostKey Management

Daniel Kahn Gillmor dkg at
Fri Jan 18 04:03:24 EST 2013

On 01/17/2013 11:08 AM, Mike Kelly wrote:
> Two people replied to me off-list to mention GSSAPIKeyExchange, which
> seems to be part of some patches that aren't in the main OpenSSH
> distribution (yet?), with this being their source, as far as Google can
> tell me:
> Those don't seem to have been updated for versions 5.8, 5.9, 6.0, or
> 6.1, though... so I guess it's been abandoned?

GSSAPIKeyExchange is included in the debian packaging of OpenSSH (has
been for several years now) and i can verify that it works with 6.0 (i
haven't tried 6.1 yet, which is in debian's experimental repository).

If the "official" GSSAPIKeyExchange patches aren't explicitly updated
for your preferred version, you might want to look at the patches as
applied in debian's openssh packages (even if you don't use debian).

> Also, as far as I'm aware (though, maybe I've just not learned enough
> about Kerberos), using Kerberos basically requires someone to
> interactively (and somewhat regularly) kinit, to get fresh credentials.
> For a situation where you want to allow various servers to talk to each
> other over an SSH channel, without any direct human intervention (e.g.
> cron jobs, etc)... it seems that would rule out Kerberos completely?
> But, maybe there's "something" that I'm missing, that would allow
> Kerberos to be used like Public Keys can be now?

i think the thing you're interested in is kerberos keytabs.  You'd use
the keytab file to initialize your kerberos credentials cache, and then
rely on that credentials cache to bootstrap the GSSAPIKeyExchange.  This
can all be done in an automated fashion (as long as your KDC is online
and available)



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the openssh-unix-dev mailing list