Integrating new GSSAPI mechanism

Simon Wilkinson simonxwilkinson at gmail.com
Sat Sep 1 04:20:14 AEST 2018


> On 31 Aug 2018, at 17:51, Ondřej Velíšek <ondrejvelisek at gmail.com> wrote:
> 
> I'm suffering with integration of a new GSSAPI mechanism into OpenSSH. It's
> a diploma thesis, part of which is to prove that a new authentication
> mechanism works with ssh.
> What I do not understand is how SSH is choosing the final mechanism to
> use. It has just a yes/no option in config. Does OpenSSH have general
> support for GSSAPI?
> Or let's reduce it to a more common question. What is the recommended way to
> use a different implementation of Kerberos? (Heimdal, Shishi).

These are actually different questions. GSSAPI authentication mechanisms are identified by OID, so different mechanisms have different OIDs - Kerberos has one, GSI another and so on. Different implementations of Kerberos, on the other hand, all use the same OID.

To change Kerberos implementation you simply have to link against a different GSSAPI library. To add a new mechanism, you either need to link against it directly, or add it to something like MIT’s mechglue.

On the client side OpenSSH interrogates the GSSAPI library for all of the supported mechanisms and negotiates with the server which one to use. Clients can support any GSSAPI mechanism without modification.

On the server side there is a list of supported mechanisms. This is because we need a way of determining how to translate a GSS identity to a Unix username, which is mechanism-specific. That list is in gss-serv.c. To get server support, you would need to add your new mechanism to that list.

Cheers,

Simon
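As an added illustration of the server-side point above (example code written for this page, not code from the thread or from OpenSSH's gss-serv.c): mechanisms are told apart by OID, so a server-side table keyed by OID decides whether an offered mechanism is one the server can map to a Unix user. It assumes the client sends the mechanism OID as full DER (0x06 tag, one-byte length, contents), encodes each table entry from its dotted form, and compares contents byte-for-byte; the Kerberos entry is the real krb5 mechanism OID, the second entry is a constructed placeholder for a new mechanism.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Encode a dotted OID as DER contents only (what a gss_OID's `elements`
 * holds: no 0x06 tag, no length byte). Returns length, or -1 if malformed. */
static int oid_encode(const char *dotted, uint8_t *out, size_t outlen) {
    unsigned long arcs[32]; int n = 0;
    for (const char *p = dotted; *p; ) {
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p || n >= 32 || (*end != '.' && *end != '\0')) return -1;
        arcs[n++] = v;
        p = (*end == '.') ? end + 1 : end;
    }
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return -1;
    size_t len = 0;
    for (int i = 1; i < n; i++) {
        /* the first two arcs fold into one subidentifier, 40*X + Y */
        unsigned long v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        uint8_t tmp[10]; int k = 0;
        do { tmp[k++] = (uint8_t)(v & 0x7f); v >>= 7; } while (v); /* base-128 digits */
        if (len + (size_t)k > outlen) return -1;
        while (k--) out[len++] = (uint8_t)(tmp[k] | (k ? 0x80 : 0)); /* MSB first, continuation bit */
    }
    return (int)len;
}

/* Mechanisms this toy server can map to a Unix user. The first is the real
 * Kerberos 5 mechanism OID; the second is a constructed placeholder. */
struct mech { const char *name; const char *oid; };
static const struct mech supported[] = {
    { "kerberos", "1.2.840.113554.1.2.2" },
    { "new-mech-placeholder", "1.3.6.1.4.1.0.1" },
};

/* The client sends the OID as full DER (0x06 tag, one-byte length, contents).
 * Validate the header, then compare contents against each supported mechanism.
 * Returns the table name on a match, NULL if unknown or malformed. */
static const char *mech_lookup(const uint8_t *der, size_t derlen) {
    if (derlen < 3 || der[0] != 0x06 || der[1] > 127 || (size_t)der[1] != derlen - 2)
        return NULL;
    for (size_t i = 0; i < sizeof supported / sizeof supported[0]; i++) {
        uint8_t buf[64];
        int n = oid_encode(supported[i].oid, buf, sizeof buf);
        if (n > 0 && (size_t)n == derlen - 2 && memcmp(buf, der + 2, (size_t)n) == 0)
            return supported[i].name;
    }
    return NULL;
}
```

An unknown OID simply yields NULL, which is the behaviour the thread describes: a client may offer any mechanism its GSSAPI library supports, but the server only accepts those in its own table.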