[28512] in Kerberos
Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1
daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Mon Oct 1 04:10:19 2007
In-Reply-To: <46FD7176.3020108@anl.gov>
Mime-Version: 1.0 (Apple Message framework v752.3)
Message-Id: <C7136D4F-2F88-4775-A63B-91FB77B68B5B@jpl.nasa.gov>
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Mon, 1 Oct 2007 01:08:55 -0700
To: heimdal-discuss@sics.se, "Douglas E. Engert" <deengert@anl.gov>
Cc: Simon Wilkinson <sxw@inf.ed.ac.uk>, openssh-unix-dev@mindrot.org,
kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
That does sound interesting. Count me in.
On Sep 28, 2007, at 2:26 PM, Douglas E. Engert wrote:
> Sounds interesting. And yes, I would be interested in
> the cascading credentials delegation code. Does the
> delegation code depend on the key exchange code?
>
> What would it take to get both of these in to PuTTY?
>
>
> Simon Wilkinson wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> Hi,
>> I'm pleased to (finally) announce the availability of my GSSAPI
>> Key Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains
>> support for doing GSSAPI user authentication, this only allows
>> the underlying security mechanism to authenticate the user to the
>> server, and continues to use SSH host keys to authenticate the
>> server to the user. For many sites who already have security
>> infrastructures such as Kerberos deployed, managing large numbers
>> of SSH host keys is an additional, unneccessary, burden. GSSAPI
>> key exchange allows the use of security mechanisms such as
>> Kerberos to authenticate the server to the user, removing the
>> need for trusted ssh host keys, and allowing the use of a single
>> security architecture.
>> This patch adds support for the RFC4462 GSSAPI key exchange
>> mechanisms to OpenSSH, along with adding some additional features
>> to the GSSAPI code that is already in the tree.
>> The patch implements:
>> *) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-*
>> key exchange mechanisms. (#1242)
>> *) Support for the null host key type (#1242)
>> *) Support for CCAPI credentials caches on Mac OS X (#1245)
>> *) Support for better error handling when an authentication
>> exchange fails due to server misconfiguration (#1244)
>> *) Support for GSSAPI connections to hosts behind a round-
>> robin load balancer (#1008)
>> *) Support for GSSAPI connections to multi-homed hosts, where
>> each interface has a unique name (#928)
>> (bugzilla.mindrot.org bug numbers are in brackets)
>> There are no code changes since the previous release.
>> As usual, the code is available from
>> http://www.sxw.org.uk/computing/patches/openssh.html
>> I'm also interesting in hearing from people who might be
>> interested in testing some new cascading credentials delegation
>> code. When you renew your Kerberos credentials on the client,
>> this code will automatically propagate these renewed credentials
>> to the server, allowing the seamless renewal of credentials
>> across ssh sessions distributed across many different machines.
>> If you have an interest in testing this code in a non-production
>> environment, please let me know!
>> Cheers,
>> Simon.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos