Displaying 17 results from an estimated 17 matches for "gsskeyex".
2001 Mar 20
1
Kerberos v5 and GSSAPI support in OpenSSH
...des updated Kerberos v5 support for protocol version 1,
and also adds GSSAPI support for protocol version 2.
Unlike the Kerberos v5 code (which will still not interoperate with
ssh.com clients and servers), the GSSAPI support is based on two I-Ds
draft-galb-secsh-gssapi-01.txt and draft-ietf-secsh-gsskeyex-01.txt.
It adds two different points of authentication - the gsskeyex draft
uses GSSAPI at the key exchange level, and removes the requirement to
have hostkeys when it is used as the exchange mechanism. The first
draft adds GSSAPI at the user authentication level. Both support
credential forwarding....
2002 Mar 21
1
GSSAPI/Kerberos support in OpenSSH 3.1p1
...run autoreconf from an autoconf later
than 2.52
There are a number of improvements and minor bug fixes over previous
patches. However, due to protocol changes this patch will not interoperate
with my GSSAPI patches to 2.9p2 and earlier.
This patch is conditionally compliant with
draft-ietf-secsh-gsskeyex-03.txt. It does not currently implement GSSAPI
secured host key exchange, or the optional GSSAPI error message passing.
Thanks to all those who have emailed me asking when this would be
available, and to all those who have contributed patches and code reviews.
The list is on the web page!
Cheer...
2003 Sep 03
1
value for SSH_MSG_USERAUTH_GSSAPI_ERRTOK
Hi,
I notice in draft-ietf-secsh-gsskeyex-06.txt that the value for
SSH_MSG_USERAUTH_GSSAPI_ERRTOK is not defined. Does anyone know what this
should be (I guess *will* be in a future rev)? Thanks
glen
2004 May 07
11
[Bug 866] ssh(1) is too picky about unknown options in ~/.ssh/config
http://bugzilla.mindrot.org/show_bug.cgi?id=866
Summary: ssh(1) is too picky about unknown options in
~/.ssh/config
Product: Portable OpenSSH
Version: 3.8p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-bugs at
2003 Jun 27
3
Kerberos Support in OpenSSH
...centrally managing keys and avoiding the
problems of maintaining known_hosts files.
We do have two concerns that we would like to discuss with you. We
will briefly describe our concerns and then discuss them in detail.
First, we would like to ask you to commit to implementing
draft-ietf-secsh-gsskeyex in addition to any other Kerberos
mechanisms you decide to ship for protocol version 2. We believe the
mechanisms described in this draft better meet the needs of the
Kerberos community, will have wider long-term acceptance and have
undergone more comprehensive review in the standards communit...
2004 May 23
5
OpenSSH v3.8p1 fails to interoperate for GSSAPI (Kerberos) and X-Windows
...5 -> 3.8 -> 3.5, all the apps work properly.
When both the client and the server are 3.8p1, and tcl/tk is the latest
version, it works but xmag and xwd fail as above.
Analysis:
Sometime between 2003-09-12 and the present, a draft RFC:
http://www.vandyke.com/technology/draft-ietf-secsh-gsskeyex.txt
was issued defining gssapi-with-mic, which resists certain "man in the
middle" attacks. v3.8p1 does only gssapi-with-mic; versions up to v3.7
do only old-style gssapi. There appears to be no ./configure switch to
turn on gssapi-without-mic at compile time in v3.8. The resulting lack...
2005 Oct 10
0
[Bug 1100] GSSAPI-with-mic doesn't handle empty usernames
...can be empty
as the server should be able to figure out what username to use from the
established credentials.
3.2 [...] "The user name may be an empty string if it can be deduced from
the results of the GSSAPI authentication."
http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-10.txt
Our modified PuTTY client has support for this; it sends a packet like this
Outgoing packet type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
00000000 00 00 00 00 00 00 00 0e 73 73 68 2d 63 6f 6e 6e ........ssh-conn
00000010 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 70 69 ection....gssapi...
2001 Feb 14
1
Kerberos/GSSAPI support
Hi,
Just wondering if anyone was looking at implementing
draft-ietf-secsh-gsskeyex-00 in OpenSSH?
My patches for SSH version 1 Kerberos 5 support (heavily based upon
work done by Dan Kouril) are now available from
http://www.sxw.org.uk/computing/patches/
Is there any interest in integrating these into the distribution? If so, I'd
be happy to update them to the development v...
2002 Jan 25
0
[Bug 78] New: Support use of named (krb4, krb5, gsi, x.509) keys in auth_keys entries
...to indicate the client's authenticated name,
if a named authorized_keys entry matches.
These simple features simplify key management and authorized_keys file
management in environments where Kerberos or GSI are in use with OpenSSH
(see Simon Wilkinson's patch to OpenSSH that implements the gsskeyex
draft). These features represent a much more general authorization system
for Kerberos than .klogin or .k5login, and apply to other authentication
mechanisms as well (again, GSI/X.509, and, in the future, when direct
X.509 support is added to OpenSSH, x.509).
These features, or a variation thereof...
2002 May 27
0
GSSAPI patches for OpenSSH 3.2.3p1
...of my patches providing GSSAPI support for OpenSSH
is available from http://www.sxw.org.uk/computing/patches/openssh.html
These patches provide support for authentication mechanisms such as
Kerberos and GSI with version 2 of the SSH protocol. They are
conditionally compliant with draft-ietf-secsh-gsskeyex-03.txt, with
the optional error message passing and host key validation sections
not implemented.
As yet, I have not looked at their interaction with the new privsep code.
Feedback and patches are greatly appreciated - as is feedback from those
performing interoperability testing.
A full list of c...
2002 Jun 27
0
GSSAPI patches for OpenSSH 3.4p1 now available
...r running with privsep
enabled. The patches are available from
http://www.sxw.org.uk/computing/patches/openssh.html
These patches provide support for Kerberos and GSI authentication and
credential passing with version 2 of the SSH protocol. They implement
the protocol described in draft-ietf-secsh-gsskeyex-03, which is hopefully
approaching WG last call!
I'd be very grateful if anyone more familiar with the privsep code could
review the GSSAPI monitor routines.
Thanks to those who put time aside to test this code over the last week!
Cheers,
Simon.
2003 Aug 22
1
gss userauth (fwd)
what about this? can we do about this if
we break the protocol?
-------------- next part --------------
An embedded message was scrubbed...
From: Love <lha at stacken.kth.se>
Subject: gss userauth
Date: Fri, 22 Aug 2003 16:06:27 +0200
Size: 2878
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030822/f7bb85a0/attachment.mht
2004 Mar 01
1
GSSAPI support in 3.8 ?
Hi All,
From Changelog with 3.8:
"The experimental "gssapi" support has been replaced with the
"gssapi-with-mic" to fix possible MITM attacks. The two versions are not
compatible."
I am using OpenSSH-3.6 with Simon's patch and OpenSSH-3.7 built with GSSAPI
support. The latest version OpenSSH-3.8 is not working with 3.6 or 3.7 with
GSSAPI authentication. I
2003 May 01
2
Kerberos password auth/expiry kbdint patch
I took Markus Friedl's advice and set up a KbdintDevice for Kerberos
password authentication/expiry. It took me a bit to wrap my head
around privsep, but I think it's working properly (code stolen
shamelessly from FBSD's PAM implementation :->).
The hardest part was working out how to get the interaction
between krb5_get_init_creds_password() (along with the prompter)
to work
2004 Jan 22
11
Pending OpenSSH release: contains Kerberos/GSSAPI changes
(I hope this message is appropriate for these lists. If not, please
tell me and I won't do it again.)
Hi All.
There will be a new release of OpenSSH in a couple of weeks. This
release contains Kerberos and GSSAPI related changes that we would like
to get some feedback about (and hopefully address any issues with)
before the release.
I encourage anyone with an interest in
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
...entory/*.mydomain at MYREALM
...
Double quotes can be used when key names contain whitespace and '\' can
be used inside double-quotes to quote quote (use '\\' for '\')...
This feature applies to SSHv1 krb4 and krb5 auth. It also applies to
SSHv2, with Simon Wilkinson's gsskeyex patch, to GSS-API authentication,
either with the Kerberos V GSS mechanism or the GSI GSS mechanism.
Features added:
- ssh-named key entry type for authorized_keys files
- ssh-name-pat key entry type for authorized_keys files
- deny-access option for authorized_keys files
- SSH_AUTH_NAME...
2003 Aug 10
9
updated gssapi diff
...ORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SSH_GSS_H
+#define _SSH_GSS_H
+
+#ifdef GSSAPI
+
+#include "buffer.h"
+
+#include <gssapi.h>
+
+/* draft-ietf-secsh-gsskeyex-06 */
+#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60
+#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61
+#define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63
+#define SSH2_MSG_USERAUTH_GSSAPI_ERROR 64
+#define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65
+
+#define SSH_GSS_OIDTYPE 0x06
+
+typedef struct {
+ c...
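Review bot: SSH2_MSG_USERAUTH_GSSAPI_ERRTOK is defined as 65 under a comment citing draft-ietf-secsh-gsskeyex-06, yet the 2003 Sep 03 post listed on this page reports that draft -06 does not define a value for that message; the define should carry a comment saying where 65 comes from so it can be checked against a later draft revision. The message numbers also jump from 61 (TOKEN) to 63 (EXCHANGE_COMPLETE) with no mention of 62; a one-line comment stating whether 62 is reserved or deliberately unused would make the gap reviewable.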