Hi, This is to announce the availability of a new version of my GSSAPI key exchange patch for OpenSSH. The code is available from http://www.sxw.org.uk/computing/patches/openssh.html Changes since the last release are: *) Implement GSS group exchange *) Disable DNS canonicalization of the hostname passed to the GSSAPI library - an option is provided to allow this to be overriden on a host by host basis. *) Fix the crash when connecting to a server which supports sending a hostkey as part of the GSSAPI key exchange. *) Make GSS rekeying work when privsep is enabled *) Fix incorrect naming of keyex userauth mechanism *) Fix client crash when doing key exchange with expired credentials *) Assorted buffer initialization fixes Why Key Exchange? Whilst OpenSSH contains support for doing GSSAPI user authentication, this only allows the underlying security mechanism to authenticate the user to the server, and continues to use SSH host keys to authenticate the server to the user. For many sites who already have security infrastructures such as Kerberos deployed, managing large numbers of SSH host keys is an additional, unneccessary, burden. GSSAPI key exchange allows the use of security mechanisms such as Kerberos to authenticate the server to the user, removing the need for trusted ssh host keys, and allowing the use of a single security architecture. Cheers, Simon.