Help wanted with GSSAPI in OpenSSH
Damien Miller
djm at mindrot.org
Thu Dec 11 11:23:45 AEDT 2025
Hi,

This is a request for assistance in maintaining the GSSAPI code in
OpenSSH.

None of the maintainers have much experience with GSSAPI and none of
us use it in our usual use of OpenSSH. We don’t have *any* testing of
GSSAPI features in our unit test suite, let alone fuzzer coverage.

GSSAPI code is complex and largely pre-authentication, so mistakes there
have the potential to yield serious vulnerabilities. Because we really
don’t want to introduce such a bug, myself and the other maintainers are
very hesitant to make or merge changes in this area.

This isn’t a sustainable situation - a whole area of preauth code that
is not adequately tested or maintained is at the same time an accident
waiting to happen and a case where we’re not serving our users properly.

There are two paths out of this situation: either 1) we deprecate and
ultimately remove the GSSAPI code as unmaintained or 2) we greatly
improve the testing and maintenance of the code.

There is a substantial user community who depend on GSSAPI out there, so
I’m hoping the second path is viable.

Our most pressing need is testing - we have no regression tests that
exercise the common GSSAPI authentication and authorisation flows. Is
anyone willing to help write such tests? If so, please let us know and
we can talk about next steps.

Thanks,
Damien