[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1

To: heimdal-discuss@sics.se, "Douglas E. Engert" <deengert@anl.gov>
Subject: Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Mon, 1 Oct 2007 01:08:55 -0700
Cc: Simon Wilkinson <sxw@inf.ed.ac.uk>, openssh-unix-dev@mindrot.org, kerberos@mit.edu
In-Reply-To: <46FD7176.3020108@anl.gov>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <0DC5C238-7F48-41F5-A0DB-DEF62E0698D8@inf.ed.ac.uk> <46FD7176.3020108@anl.gov>
Reply-To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>

That does sound interesting.  Count me in.

On Sep 28, 2007, at 2:26 PM, Douglas E. Engert wrote:

> Sounds interesting. And yes,  I would be interested in
> the cascading credentials delegation code. Does the
> delegation code depend on the key exchange code?
>
> What would it take to get both of these in to PuTTY?
>
>
> Simon Wilkinson wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> Hi,
>> I'm pleased to (finally) announce the availability of my GSSAPI  
>> Key  Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains  
>> support for  doing GSSAPI user authentication, this only allows  
>> the underlying  security mechanism to authenticate the user to the  
>> server, and  continues to use SSH host keys to authenticate the  
>> server to the  user. For many sites who already have security  
>> infrastructures such  as Kerberos deployed, managing large numbers  
>> of SSH host keys is an  additional, unneccessary, burden. GSSAPI  
>> key exchange allows the use  of security mechanisms such as  
>> Kerberos to authenticate the server to  the user, removing the  
>> need for trusted ssh host keys, and allowing  the use of a single  
>> security architecture.
>> This patch adds support for the RFC4462 GSSAPI key exchange   
>> mechanisms to OpenSSH, along with adding some additional features  
>> to  the GSSAPI code that is already in the tree.
>> The patch implements:
>>    *) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-*  
>> key  exchange mechanisms. (#1242)
>>    *) Support for the null host key type (#1242)
>>    *) Support for CCAPI credentials caches on Mac OS X (#1245)
>>    *) Support for better error handling when an authentication   
>> exchange fails due to server misconfiguration (#1244)
>>    *) Support for GSSAPI connections to hosts behind a round- 
>> robin  load balancer (#1008)
>>    *) Support for GSSAPI connections to multi-homed hosts, where  
>> each  interface has a unique name (#928)
>> (bugzilla.mindrot.org bug numbers are in brackets)
>> There are no code changes since the previous release.
>> As usual, the code is available from
>> http://www.sxw.org.uk/computing/patches/openssh.html
>> I'm also interesting in hearing from people who might be  
>> interested  in testing some new cascading credentials delegation  
>> code. When you  renew your Kerberos credentials on the client,  
>> this code will  automatically propagate these renewed credentials  
>> to the server,  allowing the seamless renewal of credentials  
>> across ssh sessions  distributed across many different machines.  
>> If you have an interest  in testing this code in a non-production  
>> environment, please let me  know!
>> Cheers,
>> Simon.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

Next by Date: pkinit and OpenPGP Smartcard
Next by thread: pkinit and OpenPGP Smartcard
Index(es):
- Date
- Thread