Somewhat belatedly, I'm pleased to announce the availability of my
GSSAPI key exchange patches for OpenSSH 5.2p1. Apologies for the delay
in getting these out, a honeymoon, followed by the pressure of work,
made the first half of this year rather busy!
Whilst OpenSSH contains support for GSSAPI user authentication, this
still relies upon SSH host keys to authenticate the server to the
user. For sites with a deployed Kerberos infrastructure this adds an
additional, unnecessary, key management burden. GSSAPI key exchange
allows the use of security mechanisms such as Kerberos to authenticate
the server to the user, removing the need for trusted ssh host keys,
and allowing the use of a single security architecture.
This patch adds support for the RFC4462 GSSAPI key exchange mechanisms
to OpenSSH, along with adding some additional, generic, GSSAPI
features. It implements
*) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key
exchange mechanisms. (#1242)
*) Support for the null host key type (#1242)
*) Support for CCAPI credentials caches on Mac OS X (#1245)
*) Support for better error handling when an authentication exchange
fails due to server misconfiguration (#1244)
*) Support for GSSAPI connections to hosts behind a round-robin load
balancer (#1008)
*) Support for GSSAPI connections to multi-homed hosts, where each
interface has a unique name (#928)
*) Support for cascading credentials renewal
(bugzilla.mindrot.org bug numbers are in brackets)
Since the last release
----------------------
Greg Hudson, of the Kerberos Consortium, kindly performed a code
review of this patch at the beginning of the year. This release
addresses a number of minor issues he identified. In addition a new
option "GSSAPIClientIdentity" is implemented. This allows the user to
set which GSSAPI identity should be used to contact a particular host
- it will only work on systems whose Kerberos libraries support the
concept of multiple identities (such as Mac OS X). Cascading
credentials renewal is now supported as part of the main patch.
As usual, the code is available from
http://www.sxw.org.uk/computing/patches/openssh.html
Two patches are available, one containing cascading credentials
support, and one without. In addition, the quilt patch series that
makes up this release is also provided, for those who wish to pick and
choose!
Sorry once again for the delay, and thanks to all those who have been
patiently waiting (and nagging) for me to get this out.
Cheers,
Simon.
