Simon's Musings

July 26, 2009

GSSAPI Key Exchange for OpenSSH 5.2p1

Filed under: openssh — sxw @ 1:39 pm

After far too much delay, I’ve finally released a version of my GSSAPI key exchange patches for OpenSSH 5.2p1. These patches contain a number of changes suggested by Greg Hudson to fix minor issues he found during a code review, and also add a new GSSAPIClientIdentity option.

I’ve also taken this opportunity to improve the way I’m handling the patch series. Each individual change is now a separate patch, with the whole patch queue being managed by quilt. This should make it easier to sync patches up with the copies in the OpenSSH bugzilla.

The announcement email read as follows:

Somewhat belatedly, I’m pleased to announce the availability of my GSSAPI key exchange patches for OpenSSH 5.2p1. Apologies for the delay in getting these out; a honeymoon, followed by the pressure of work, made the first half of this year rather busy!

Whilst OpenSSH contains support for GSSAPI user authentication, this still relies upon SSH host keys to authenticate the server to the user. For sites with a deployed Kerberos infrastructure this adds an additional, unnecessary, key management burden. GSSAPI key exchange allows the use of security mechanisms such as Kerberos to authenticate the server to the user, removing the need for trusted ssh host keys, and allowing the use of a single security architecture.

This patch adds support for the RFC4462 GSSAPI key exchange mechanisms to OpenSSH, along with adding some additional, generic, GSSAPI features. It implements:
*) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key exchange mechanisms. (#1242)
*) Support for the null host key type (#1242)
*) Support for CCAPI credentials caches on Mac OS X (#1245)
*) Support for better error handling when an authentication exchange fails due to server misconfiguration (#1244)
*) Support for GSSAPI connections to hosts behind a round-robin load balancer (#1008)
*) Support for GSSAPI connections to multi-homed hosts, where each interface has a unique name (#928)
*) Support for cascading credentials renewal

(Bug numbers are in brackets.)

Since the last release

Greg Hudson, of the Kerberos Consortium, kindly performed a code review of this patch at the beginning of the year. This release addresses a number of minor issues he identified. In addition, a new option “GSSAPIClientIdentity” is implemented. This allows the user to set which GSSAPI identity should be used to contact a particular host – it will only work on systems whose Kerberos libraries support the concept of multiple identities (such as Mac OS X). Cascading credentials renewal is now supported as part of the main patch.

As usual, the code is available from

Two patches are available, one containing cascading credentials support, and one without. In addition, the quilt patch series that makes up this release is also provided, for those who wish to pick and choose!

Sorry once again for the delay, and thanks to all those who have been patiently waiting (and nagging) for me to get this out.
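As an added illustration of the client-side point made in the announcement above (this is not a fragment from the patch or from the announcement), here is an ssh_config that puts the two models side by side: the host-key workaround Kerberos sites often fall back on, and the GSSAPI key exchange configuration that makes it unnecessary. GSSAPIKeyExchange and GSSAPIClientIdentity are options provided by this patch series; GSSAPIAuthentication and GSSAPIDelegateCredentials are stock OpenSSH options. The host pattern and the principal name are made-up placeholders.

```sshconfig
# Added example ssh_config (not from the patch or the announcement).
# Hosts and the principal name below are constructed placeholders.

# Weak workaround seen at sites without GSSAPI key exchange: silence the
# "host key changed" prompts by never checking host keys. This keeps the
# host-key trust model but discards its only check, so the server is
# effectively unauthenticated. Shown commented out for contrast.
#Host *.internal.example
#    StrictHostKeyChecking no
#    UserKnownHostsFile /dev/null

# With the patch applied, let Kerberos authenticate the server instead.
Host *.internal.example
    # Option added by the patch: offer the gss-*-sha1-* key exchange
    # methods (RFC 4462). The server is authenticated by its Kerberos host
    # principal, so no trusted ssh host key is required.
    GSSAPIKeyExchange yes
    # Stock OpenSSH: GSSAPI user authentication. Delegation stays off unless
    # the remote host genuinely needs to act on the user's behalf.
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    # Option new in this release: the client identity (Kerberos principal)
    # used for these hosts. Only honoured where the Kerberos libraries
    # support multiple identities, e.g. Mac OS X; elsewhere it is ignored.
    GSSAPIClientIdentity admin-user@INTERNAL.EXAMPLE
```

To confirm the new model is in effect, connect with `ssh -vv` and check that one of the gss-*-sha1-* methods is the key exchange actually negotiated; if a plain diffie-hellman method is chosen instead, the connection has fallen back to host-key authentication and the usual known_hosts checks still apply.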
