An updated version of my patch for Kerberos v5 support is now available from

http://www.sxw.org.uk/computing/patches/openssh-2.5.2p1-krb5.patch

This patch includes updated Kerberos v5 support for protocol version 1, and also adds GSSAPI support for protocol version 2.

Unlike the Kerberos v5 code (which will still not interoperate with ssh.com clients and servers), the GSSAPI support is based on two I-Ds, draft-galb-secsh-gssapi-01.txt and draft-ietf-secsh-gsskeyex-01.txt. It adds two different points of authentication: the gsskeyex draft uses GSSAPI at the key exchange level, and removes the requirement to have hostkeys when it is used as the exchange mechanism. The first draft adds GSSAPI at the user authentication level. Both support credential forwarding.

I've implemented support for the Kerberos v5 GSSAPI mechanism; it should be trivial to add additional mechanisms. The GSSAPI code has not been tested under Heimdal (the Kerberos v5 code has, and should work).

Sorry for this being one huge patch. I had originally tried to separate these out into two (GSSAPI in one, and Kerberos v5 in the other), but there were too many conflicts when combining them together. If people would like to see a patch implementing just one of these things, let me know, and I'll have another go.

Cheers,

Simon.
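An added example, not part of the patch or of either message in this thread: a small Python encoder/parser for the SSH2 USERAUTH_REQUEST that the user-authentication draft uses to offer GSSAPI mechanisms. It follows the layout as later standardized in RFC 4462 section 3.2 (message byte, user, service, method name, a uint32 count, then that many DER-encoded mechanism OIDs, tag and length included). The wire details of draft-galb-secsh-gssapi-01 and the use of "gssapi" as the method name in 2001 (the RFC's name is "gssapi-with-mic") are assumptions about the draft, not taken from the page. The only mechanism OID used is the Kerberos V5 one from RFC 1964, 1.2.840.113554.1.2.2, which is the mechanism the patch implements; the username and the second OID in the demo are constructed sample input.

```python
"""Encode and parse the SSH2 USERAUTH_REQUEST used to offer GSS-API mechanisms.

Added example, not from the openssh-2.5.2p1 patch. Layout per RFC 4462 s3.2:

    byte      SSH_MSG_USERAUTH_REQUEST (50)
    string    user name
    string    service name ("ssh-connection")
    string    method name ("gssapi-with-mic"; the 2001 draft used "gssapi" -- assumption)
    uint32    n, number of mechanism OIDs offered, in client preference order
    string[n] mechanism OIDs, each the DER encoding including the 0x06 tag and length
"""
import struct

SSH_MSG_USERAUTH_REQUEST = 50
# Kerberos V5 GSS-API mechanism, RFC 1964. Well-known DER form: 06 09 2a 86 48 86 f7 12 01 02 02
KRB5_MECH_OID = "1.2.840.113554.1.2.2"


def der_encode_oid(dotted):
    """DER-encode a dotted OID, including the OBJECT IDENTIFIER tag and length octet."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])  # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    if len(body) >= 128:
        raise ValueError("short-form length only; real mechanism OIDs are far shorter")
    return bytes([0x06, len(body)]) + bytes(body)


def der_decode_oid(der):
    """Inverse of der_encode_oid; rejects anything that is not one short OBJECT IDENTIFIER."""
    if len(der) < 3 or der[0] != 0x06 or der[1] >= 128 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    body = der[2:]
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if body[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    return ".".join(str(a) for a in arcs)


def ssh_string(data):
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_uint32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("packet too short for uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def read_string(buf, off):
    n, off = read_uint32(buf, off)
    if off + n > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[off:off + n], off + n


def build_gssapi_userauth_request(user, mech_oids, method=b"gssapi-with-mic"):
    """Client side: offer the given mechanisms, most preferred first."""
    msg = bytes([SSH_MSG_USERAUTH_REQUEST])
    msg += ssh_string(user.encode()) + ssh_string(b"ssh-connection") + ssh_string(method)
    msg += struct.pack(">I", len(mech_oids))
    for oid in mech_oids:
        msg += ssh_string(der_encode_oid(oid))
    return msg


def parse_gssapi_userauth_request(msg):
    """Server side. Everything here arrives before the client is authenticated,
    so every length is checked against the packet and the OID count is bounded
    before any allocation depends on it."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    off = 1
    user, off = read_string(msg, off)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    if method not in (b"gssapi", b"gssapi-with-mic"):
        raise ValueError("not a GSS-API user-auth method: %r" % method)
    n, off = read_uint32(msg, off)
    if n > 32:
        raise ValueError("implausible mechanism count %d" % n)
    oids = []
    for _ in range(n):
        der, off = read_string(msg, off)
        oids.append(der_decode_oid(der))
    if off != len(msg):
        raise ValueError("trailing bytes after mechanism list")
    return {"user": user.decode(), "service": service.decode(),
            "method": method.decode(), "mechanisms": oids}


def select_mechanism(offered, supported=(KRB5_MECH_OID,)):
    """Server side: first mechanism in the client's preference order that we support, else None."""
    for oid in offered:
        if oid in supported:
            return oid
    return None


def rejects(msg):
    """True if parse_gssapi_userauth_request refuses the packet (used for malformed input)."""
    try:
        parse_gssapi_userauth_request(msg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a client that prefers SPNEGO (1.3.6.1.5.5.2) but also offers Kerberos V5.
    req = build_gssapi_userauth_request("simon", ["1.3.6.1.5.5.2", KRB5_MECH_OID])
    print(req.hex())
    fields = parse_gssapi_userauth_request(req)
    print(fields, "->", select_mechanism(fields["mechanisms"]))
```

Two points worth noting against the message above. First, the server must treat the mechanism list as untrusted pre-authentication input, which is why the parser bounds the count and checks every length; a GSSAPI userauth method is reachable by anyone who can complete key exchange. Second, the gsskeyex variant removes the host key from the picture entirely: the server is then authenticated by the GSS mechanism, which for Kerberos means a service ticket for the host principal issued by the KDC, so trust in the KDC and in the name-to-principal mapping replaces trust in known_hosts.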
On Tue, 20 Mar 2001, Simon Wilkinson wrote:

> An updated version of my patch for Kerberos v5 support is now available
> from
> http://www.sxw.org.uk/computing/patches/openssh-2.5.2p1-krb5.patch
>
> This patch includes updated Kerberos v5 support for protocol version 1,
> and also adds GSSAPI support for protocol version 2.

I don't know enough about the Kerberos API to review this patch myself, so I defer to the list to review the patch.

> Unlike the Kerberos v5 code (which will still not interoperate with
> ssh.com clients and servers), the GSSAPI support is based on two I-Ds
> draft-galb-secsh-gssapi-01.txt and draft-ietf-secsh-gsskeyex-01.txt.
> It adds two different points of authentication - the gsskeyex draft
> uses GSSAPI at the key exchange level, and removes the requirement to
> have hostkeys when it is used as the exchange mechanism. The first
> draft adds GSSAPI at the userauthentication level. Both support
> credential forwarding.

On what documentation did you base the krb5 support? You should write an internet-draft on how you did it.

There seem to be two gssapi drafts, the Galbraith one and a Saloway one which has been brought into the wg. How do they differ?

-d

--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer