New GSSAPI Key Exchange patch for OpenSSH 4.2p1


Simon Wilkinson
Hi,

This is to announce the availability of a new version of my GSSAPI key
exchange patch for OpenSSH.

The code is available from
http://www.sxw.org.uk/computing/patches/openssh.html

Changes since the last release are:

   *) Implement GSS group exchange
   *) Disable DNS canonicalization of the hostname passed to the GSSAPI
      library - an option is provided to allow this to be overridden on a
      host by host basis.
   *) Fix the crash when connecting to a server which supports sending a
      hostkey as part of the GSSAPI key exchange.
   *) Make GSS rekeying work when privsep is enabled
   *) Fix incorrect naming of keyex userauth mechanism
   *) Fix client crash when doing key exchange with expired credentials
   *) Assorted buffer initialization fixes

Why Key Exchange?

Whilst OpenSSH contains support for doing GSSAPI user authentication,
this only allows the underlying security mechanism to authenticate the
user to the server, and continues to use SSH host keys to authenticate
the server to the user. For many sites who already have security
infrastructures such as Kerberos deployed, managing large numbers of SSH
host keys is an additional, unnecessary, burden. GSSAPI key exchange
allows the use of security mechanisms such as Kerberos to authenticate
the server to the user, removing the need for trusted ssh host keys, and
allowing the use of a single security architecture.

Cheers,

Simon.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: New GSSAPI Key Exchange patch for OpenSSH 4.2p1

Andreas Hasenack
On Mon 26 Sep 2005 15:28, Simon Wilkinson wrote:
> Hi,
>
> This is to announce the availability of a new version of my GSSAPI key
> exchange patch for OpenSSH.

Any news on the integration of this into upstream openssh?