Help wanted with GSSAPI in OpenSSH
Dmitry Belyavskiy
dbelyavs at redhat.com
Thu Dec 11 19:33:54 AEDT 2025
Dear Damien,
Yes, on behalf of Red Hat I express interest in GSSAPI support and would
like to discuss next steps.
On Thu, Dec 11, 2025 at 1:25 AM Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> This is a request for assistance in maintaining the GSSAPI code in
> OpenSSH.
>
> None of the maintainers have much experience with GSSAPI and none of
> us use it in our usual use of OpenSSH. We don’t have *any* testing of
> GSSAPI features in our unit test suite, let alone fuzzer coverage.
>
> GSSAPI code is complex and largely pre-authentication, so mistakes there
> have the potential to yield serious vulnerabilities. Because we really
> don’t want to introduce such a bug, myself and the other maintainers are
> very hesitant to make or merge changes in this area.
>
> This isn’t a sustainable situation - a whole area of preauth code that
> is not adequately tested or maintained is at the same time an accident
> waiting to happen and a case where we’re not serving our users properly.
>
> There are two paths out of this situation: either 1) we deprecate and
> ultimately remove the GSSAPI code as unmaintained or 2) we greatly
> improve the testing and maintenance of the code.
>
> There is a substantial user community who depend on GSSAPI out there, so
> I’m hoping the second path is viable.
>
> Our most pressing need is testing - we have no regression tests that
> exercise the common GSSAPI authentication and authorisation flows. Is
> anyone willing to help write such tests? If so, please let us know and
> we can talk about next steps.
>
> Thanks,
> Damien
--
Dmitry Belyavskiy