> On 31 Aug 2018, at 17:51, Ondřej Velíšek <ondrejvelisek at gmail.com>
wrote:
>
> I'm struggling with the integration of a new GSSAPI mechanism into OpenSSH. It's
> a diploma thesis, part of which is to prove that a new authentication
> mechanism works with ssh.
> What I do not understand is how SSH is choosing the final mechanism to
> use. It has just yes/no option in config. Does OpenSSH have a general
> support of GSSAPI?
> Or let's reduce it to a more common question. What is the recommended way to
> use a different implementation of Kerberos (Heimdal, Shishi)?
These are actually different questions. GSSAPI authentication mechanisms are
identified by OID, so different mechanisms have different OIDs - Kerberos has
one, GSI another and so on. Different implementations of Kerberos, on the other
hand, all use the same OID.
To change Kerberos implementation you simply have to link against a different
GSSAPI library. To add a new mechanism, you either need to link against it
directly, or add it to something like MIT's mechglue.
On the client side OpenSSH interrogates the GSSAPI library for all of the
supported mechanisms and negotiates with the server which one to use. Clients
can support any GSSAPI mechanism without modification.
On the server side there is a list of supported mechanisms. This is because we
need a way of determining how to translate a GSS identity to a Unix username,
which is mechanism-specific. That list is in gss-serv.c. To get server support,
you would need to add your new mechanism to that list.
Cheers,
Simon
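
An added illustration of the negotiation described in the reply above; it is
written for this page and is not OpenSSH code. It packs the client's mechanism
OID list the way RFC 4462 puts it into SSH_MSG_USERAUTH_REQUEST for the
"gssapi-with-mic" method (a count followed by DER-encoded OIDs), and a server
with a fixed mechanism table, standing in for the list in gss-serv.c, answers
with SSH_MSG_USERAUTH_GSSAPI_RESPONSE carrying the first client-offered OID it
supports. That selection rule is my reading of the negotiation, not a quote of
the code. The Kerberos V5 and GSI OIDs are the registered values; the third
OID, the user names and the krb5_userok stand-in are constructed for the
example.

```python
"""Constructed example: SSH gssapi-with-mic mechanism negotiation (RFC 4462 s.3.2)."""
import struct

# Kerberos V5 and GSI mechanism OIDs (registered values). NEW_MECH is a
# hypothetical placeholder for "a new mechanism" and is not a registered OID.
KRB5_MECH = "1.2.840.113554.1.2.2"
GSI_MECH = "1.3.6.1.4.1.3536.1.1"
NEW_MECH = "1.3.6.1.4.1.99999.1"

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_GSSAPI_RESPONSE = 60


def der_encode_oid(dotted):
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError("malformed OID")
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)


def der_decode_oid(blob):
    """Inverse of der_encode_oid; rejects bad tags, bad lengths and truncated arcs."""
    if len(blob) < 3 or blob[0] != 0x06 or blob[1] != len(blob) - 2:
        raise ValueError("not a DER OID")
    body = blob[2:]
    first = min(body[0] // 40, 2)
    arcs = [first, body[0] - 40 * first]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if len(body) > 1 and body[-1] & 0x80:
        raise ValueError("truncated arc")
    return ".".join(str(a) for a in arcs)


def ssh_string(b):
    """SSH 'string' wire type: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_gssapi_request(user, service, mechs):
    """Client side: SSH_MSG_USERAUTH_REQUEST for method gssapi-with-mic."""
    out = bytes([SSH_MSG_USERAUTH_REQUEST])
    out += ssh_string(user.encode()) + ssh_string(service.encode())
    out += ssh_string(b"gssapi-with-mic")
    out += struct.pack(">I", len(mechs))          # number of OIDs offered
    for m in mechs:
        out += ssh_string(der_encode_oid(m))      # each OID as an SSH string
    return out


def parse_gssapi_request(msg):
    """Server side: unpack the request into (user, service, [dotted OIDs])."""
    def take_string(buf, off):
        (n,) = struct.unpack_from(">I", buf, off)
        off += 4
        if off + n > len(buf):
            raise ValueError("truncated string")
        return buf[off:off + n], off + n

    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a userauth request")
    user, off = take_string(msg, 1)
    service, off = take_string(msg, off)
    method, off = take_string(msg, off)
    if method != b"gssapi-with-mic":
        raise ValueError("not gssapi-with-mic")
    (n,) = struct.unpack_from(">I", msg, off)
    off += 4
    mechs = []
    for _ in range(n):
        oid, off = take_string(msg, off)
        mechs.append(der_decode_oid(oid))
    if off != len(msg):
        raise ValueError("trailing bytes")
    return user.decode(), service.decode(), mechs


def krb5_userok(gss_name, local_user):
    """Constructed stand-in for the Kerberos user-mapping hook (principal -> local user)."""
    return gss_name.split("@")[0] == local_user


# The server's mechanism table, in the role of the list in gss-serv.c: an OID
# is usable only if an entry says how to map its GSS name to a Unix user.
# Anything the GSSAPI library supports but this table lacks is never selected.
SERVER_MECHS = {KRB5_MECH: krb5_userok}


def select_mechanism(client_mechs, server_mechs=SERVER_MECHS):
    """Pick the first client-offered OID in the server table; return (OID, response) or None."""
    for m in client_mechs:
        if m in server_mechs:
            resp = bytes([SSH_MSG_USERAUTH_GSSAPI_RESPONSE]) + ssh_string(der_encode_oid(m))
            return m, resp
    return None


if __name__ == "__main__":
    req = build_gssapi_request("alice", "ssh-connection", [NEW_MECH, GSI_MECH, KRB5_MECH])
    user, service, offered = parse_gssapi_request(req)
    print(user, service, offered)
    print(select_mechanism(offered))                      # Kerberos: only one in the table
    print(select_mechanism(offered, {NEW_MECH: krb5_userok, **SERVER_MECHS}))
```

The last call shows the effect of "adding your new mechanism to that list":
with NEW_MECH in the server table it wins because the client offered it first,
and with the default table it is ignored even though the client listed it.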