Bug 1242

Summary: GSSAPI Keyexchange support
Product: Portable OpenSSH
Reporter: Simon Wilkinson <simon>
Component: Kerberos support
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: enhancement
CC: abo, djm, haba, hotz, sconeu, t8m
Priority: P2
Version: -current
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 1369
Attachments:
  Description: Patch to add GSSAPI Key Exchange support
  Flags: none

Description Simon Wilkinson 2006-10-03 04:13:00 AEST
This is a minimal patch implementing GSSAPI key exchange. It implements the group1, group14 and group exchange mechanisms as detailed in RFC4426.

As I've noted in the past, key exchange is useful for large sites who don't want the additional overhead of maintaining ssh known hosts files when they already have a deployed key management architecture.

Please consider this patch for future inclusion in OpenSSH - as I'm sure you're aware, it's been in widespread use for a number of years now, and many other vendors have developed their GSSAPI key exchange implementations against it.

As always, I'm happy to provide whatever help may be required to
get this into the tree.

Comment 1 Simon Wilkinson 2006-10-03 04:14:48 AEST
Created attachment 1195
Patch to add GSSAPI Key Exchange support

Comment 2 Henry B. Hotz 2006-11-10 06:20:10 AEDT
At our institution machines are SA'd by many, many organizations and there is simply no way to coordinate a useful known_hosts file.  OTOH we have a nicely centralized Kerberos infrastructure so widespread use of these patches solves the problem nicely.

Since these patches are already included in most OSes, it would be nice for the community to converge OpenSSH and RedHat with the rest of the community. It would reduce our overhead in supporting the few odd exceptions.

Comment 3 Tomas Mraz 2008-03-17 20:47:26 AEDT
Any chance of getting this into 4.9?

Comment 4 sconeu 2008-04-18 02:12:39 AEST
I would also like to see this patch mainstreamed.

Comment 5 Tomas Mraz 2008-10-01 21:20:49 AEST
Is there any chance to get some definitive yes/no on this feature from OpenSSH developers? (preferably with some reasoning)

Comment 6 Simon Wilkinson 2009-07-27 00:03:05 AEST
Created attachment 1664
Patch to add GSSAPI Key Exchange support

This updates this patch to OpenSSH 5.2p1, and includes some minor fixes suggested by Greg Hudson during a code review he did for the MIT Kerberos Consortium.

Comment 7 Damien Miller 2010-02-10 09:49:24 AEDT
None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources.

Comment 8 Damien Miller 2010-04-16 15:50:00 AEST
Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1