Help wanted with GSSAPI in OpenSSH

Nico Williams nico at cryptonector.com
Sat Dec 13 07:28:36 AEDT 2025


On Fri, Dec 12, 2025 at 01:52:32PM -0600, Nico Williams wrote:
> I have (and in principle still do) maintain GSS-KEX patches w/
> gssapi-keyex userauth support, which I understand you'll never adopt.
> Viktor Dukhovni and I contributed client-side patches for that to PuTTY,
> and those patches were integrated.  In particular those patches enable
> the client to delegate fresh credentials before the previously delegated
> ones expire, thus keeping the user's server-side session supplied with
> fresh credentials.  But...

I should add that a) we call this "credentials cascading" because it
would work for as many hops as one might like, b) it can only work today
by using GSS-KEX re-keys to send fresh credentials, which is why those
patches use GSS-KEX.  This was a very nice feature to have as long as it
was tractable to patch clients and servers to support it.  In the brave
new world where we have very few systems that our users can log in to
interactively this becomes less useful to us, but I'm sure it would
still be useful for many others.

Nico