Simon's Musings

January 24, 2010

GSSAPI Key Exchange for OpenSSH 5.3p1

Filed under: Uncategorized — sxw @ 12:00 pm

Once again, far far later than I would have liked, I’ve produced a set of updated patches for OpenSSH 5.3p1. Compared to previous releases this one is pretty simple – a resolved merge conflict, and a few one-line patches. However, I really need to get quicker at doing these – it’s 4 months since 5.3p1 appeared, and 5.4 will be just around the corner. The announcement email was:

From the better-late-than-never-department, I’m pleased to announce the availability of my GSSAPI Key Exchange patches for OpenSSH 5.3p1. This is a pretty minor maintenance release – it contains a couple of fixes to take into account changes to the underlying OpenSSH code, and a compilation fix for when GSSAPI isn’t required. Thanks to Colin Wilson and Jim Basney for their bug reports.

I’d like to thank the distributors who’ve been patiently waiting for me to get this done – sorry once again for the delay.

Whilst OpenSSH contains support for GSSAPI user authentication, this still relies upon SSH host keys to authenticate the server to the user. For sites with a deployed Kerberos infrastructure this adds an additional, unnecessary, key management burden. GSSAPI key exchange allows the use of security mechanisms such as Kerberos to authenticate the server to the user, removing the need for trusted ssh host keys, and allowing the use of a single security architecture.

This patch adds support for the RFC4462 GSSAPI key exchange mechanisms to OpenSSH, along with adding some additional, generic, GSSAPI features. It implements:

*) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key exchange mechanisms. (#1242)
*) Support for the null host key type (#1242)
*) Support for CCAPI credentials caches on Mac OS X (#1245)
*) Support for better error handling when an authentication exchange fails due to server misconfiguration (#1244)
*) Support for GSSAPI connections to hosts behind a round-robin load balancer (#1008)
*) Support for GSSAPI connections to multi-homed hosts, where each interface has a unique name (#928)
*) Support for cascading credentials renewal
*) Support for the GSSAPIClientIdentity option, to allow the user to select which client identity to use when authenticating to a server.

(bug numbers are in brackets)

As usual, the code is available from

Two patches are available, one containing cascading credentials support, and one without. In addition, the quilt patch series that makes up this release is also provided, for those who wish to pick and choose!
