HostKey Management

Carson Gaspar carson at
Fri Jan 18 04:12:19 EST 2013

On 1/17/13 8:08 AM, Mike Kelly wrote:
> Two people replied to me off-list to mention GSSAPIKeyExchange, which
> seems to be part of some patches that aren't in the main OpenSSH
> distribution (yet?), with this being their source, as far as Google can
> tell me:
> Those don't seem to have been updated for versions 5.8, 5.9, 6.0, or
> 6.1, though... so I guess it's been abandoned?

I hope not. I really hope it makes it into mainline OpenSSH - we rely on
it heavily, and many vendors ship with that patch (Red Hat does, and 
Oracle has it in their fork).

> Also, as far as I'm aware (though, maybe I've just not learned enough
> about Kerberos), using Kerberos basically requires someone to
> interactively (and somewhat regularly) kinit, to get fresh credentials.
> For a situation where you want to allow various servers to talk to each
> other over an SSH channel, without any direct human intervention (e.g.
> cron jobs, etc)... it seems that would rule out Kerberos completely?
> But, maybe there's "something" that I'm missing, that would allow
> Kerberos to be used like Public Keys can be now?

There are many good docs on KRB5 - I won't try and teach you about it 
here ;-)

Yes, there is a way - local keytabs (analogous to id_dsa), plus 
something like kstart / krenew to keep the credential cache fresh.
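
Added example, not part of the original message: a shell sketch of the keytab-plus-kstart approach for an unattended job, using `k5start` from the kstart package and mainline OpenSSH's `gssapi-with-mic` authentication. The keytab path, host name and function names are hypothetical; `DRY_RUN` is an assumption added so the command line can be inspected without a KDC.

```shell
#!/bin/sh
# Added example: unattended GSSAPI-authenticated ssh from a keytab via k5start.
# Function names, keytab path and host are hypothetical placeholders.

# A keytab holds long-term keys, much like an unencrypted private key file,
# so refuse one that group or others can access. Only -rw------- or
# -r-------- on a regular file is accepted (symlinks are rejected too).
keytab_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# k5start authenticates from the keytab (-f), takes the principal from the
# keytab's first entry (-U), wakes every 10 minutes to check whether the
# ticket needs refreshing while the command runs (-K 10), and runs ssh
# restricted to GSSAPI with no interactive prompts (BatchMode).
# With DRY_RUN=1 the command line is printed instead of executed.
ssh_with_keytab() {
    keytab=$1; host=$2; shift 2
    if ! keytab_is_private "$keytab"; then
        echo "refusing keytab with unsafe permissions: $keytab" >&2
        return 2
    fi
    set -- k5start -q -f "$keytab" -U -K 10 -- \
        ssh -o BatchMode=yes -o GSSAPIAuthentication=yes \
            -o PreferredAuthentications=gssapi-with-mic "$host" "$@"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}
```

From cron this would be called as `ssh_with_keytab /path/to/job.keytab host command`, with the keytab owned by the job's account and mode 0600.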


