[ If you're not familiar with the GSSAPI key exchange patches, or unsure why
they make OpenSSH usable in large Kerberos deployments,
http://www.sxw.org.uk/computing/patches/openssh.html contains some background
information ]

Regular readers of these emails will be aware that they've recently all
begun with apologies for the delay in producing the patch - this has been down
to a poor tool chain, and $work using systems which no longer have a need for
these patches to work with the latest and greatest OpenSSH binary.

So, the major announcement here is that I've made significant changes to the
way in which these patches are produced. This should hopefully both make it
easier (and quicker) for me to produce them in future, and make it simpler for
others who want to produce patches based upon them.

Firstly, I've created a git-cvsimport mirror of the OpenSSH portable
repository at https://github.com/SimonWilkinson/openssh/
This is a regularly updated git repository which purely tracks the code
available from anoncvs.mindrot.org.

Secondly, the GSSAPI OpenSSH key exchange patches are now based on a clone of
this git tree. This makes it much easier to track the patches, and to merge them
into forthcoming releases. The tree with the patches in is available from
https://github.com/SimonWilkinson/gss-openssh/

A patch for each release will continue to be available from my website at
http://www.sxw.org.uk/computing/patches/openssh.html

As well as updating the patch to OpenSSH 5.6p1, the new release also adds
support for a GSSAPIServerIdentity client configuration directive. This allows
the user to give the GSSAPI acceptor identity (Kerberos principal) which the
server will use to accept their request. It is useful in situations such as port
forwarding, where the name that must be used to reach a particular host
doesn't match the name that that machine knows itself by. Thanks to Jim
Basney for this code!

Cheers,
Simon.
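
The port-forwarding case described above, as an added client configuration example that is not part of the original message. The host names, the alias and the local port are constructed, and the directive is assumed to take the host name from which the acceptor's host principal is formed; check ssh_config(5) in the patched build.

```sshconfig
# Added example, not from the original message. All names are constructed.
#
# Scenario: an SSH tunnel through a gateway exposes the internal server's
# sshd on a local port, for instance one opened with
#   ssh -L 2222:internal.example.org:22 gateway.example.org
# The client then connects to localhost:2222, but the server only holds
# Kerberos keys for its own name, internal.example.org.

# Without the directive: the GSSAPI target name is derived from the host
# being connected to (localhost), which does not match the name the
# server knows itself by, so GSSAPI key exchange and authentication fail.
Host internal-broken
    HostName localhost
    Port 2222
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes

# With the directive: the client names the acceptor identity explicitly,
# so the ticket is requested for the server's real identity even though
# the TCP connection goes to the forwarded local port.
# Assumption: the value is the server's own host name.
Host internal-via-tunnel
    HostName localhost
    Port 2222
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIServerIdentity internal.example.org
```

Pinning the identity per Host block, rather than globally, keeps the expected acceptor name tied to the one tunnel it applies to.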