ANNOUNCE: GSSLib support for OpenSSH (patch)

Simon Josefsson jas at
Wed Sep 17 08:23:46 EST 2003


Based on the GSS userauth code that went into 3.7p1, I have made a
patch to make OpenSSH support an alternative Kerberos 5 implementation
called Shishi, via an alternative GSS-API implementation called GSSLib.

The reason behind this message is mostly to let you know that another
pair of eyes has been reading GSS userauth code in OpenSSH, and my
impression is that it looks pretty good.  I found one instance where
OpenSSH cause the GSS library to follow a dangling pointer and write
to likely unallocated memory (see patch), and several constructs that
aren't likely to work with generic GSS mechanisms (e.g., the flags to
gss_accept_sec_context() are set to 0 by OpenSSH, better would be
GSS_C_MUTUAL_FLAG|GSS_C_INTEG_FLAG since that is what the code later
check for), etc.

Another, more egoistic, purpose is to get people to look at an
alternative GSSAPI and Kerberos 5 implementation.

Caveats: Only client mode is supported; the GSS server code in OpenSSH
require too much non-GSS code that I didn't bother finish it.

More information at <>.


More information about the openssh-unix-dev mailing list