Bug 1242 - GSSAPI Keyexchange support
Summary: GSSAPI Keyexchange support
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Kerberos support (show other bugs)
Version: -current
Hardware: All All
Importance: P2 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: 1369
Reported: 2006-10-03 04:13 AEST by Simon Wilkinson
Modified: 2010-04-16 15:50 AEST (History)

See Also:


Attachments
Patch to add GSSAPI Key Exchange support (49.78 KB, patch)
2006-10-03 04:14 AEST, Simon Wilkinson
Patch to add GSSAPI Key Exchange support (54.02 KB, patch)
2009-07-27 00:03 AEST, Simon Wilkinson
Description Simon Wilkinson 2006-10-03 04:13:00 AEST
This is a minimal patch implementing GSSAPI key exchange. It implements the group1, group14 and group exchange mechanisms as detailed in RFC4426.

As I've noted in the past, key exchange is useful for large sites who don't want the additional overhead of maintaining ssh known hosts files when they already have a deployed key management architecture.

Please consider this patch for future inclusion in OpenSSH - as I'm sure you're aware, it's been in widespread use for a number of years now, and many other vendors have developed their GSSAPI key exchange implementations against it.

As always, I'm happy to provide whatever help may be required to get this into the tree.
Comment 1 Simon Wilkinson 2006-10-03 04:14:48 AEST
Created attachment 1195 [details]
Patch to add GSSAPI Key Exchange support
Comment 2 Henry B. Hotz 2006-11-10 06:20:10 AEDT
At our institution machines are SA'd by many, many organizations and there is simply no way to coordinate a useful known_hosts file.  OTOH we have a nicely centralized Kerberos infrastructure so widespread use of these patches solves the problem nicely.

Since these patches are already included in most OS's, it would be nice for the community to converge OpenSSH and RedHat with the rest of the community.  It would reduce our overhead in supporting the few odd exceptions.
Comment 3 Tomas Mraz 2008-03-17 20:47:26 AEDT
Any chance of getting this into 4.9?
Comment 4 sconeu 2008-04-18 02:12:39 AEST
I would also like to see this patch mainstreamed.
Comment 5 Tomas Mraz 2008-10-01 21:20:49 AEST
Is there any chance to get some definitive yes/no on this feature from OpenSSH developers? (preferably with some reasoning)
Comment 6 Simon Wilkinson 2009-07-27 00:03:05 AEST
Created attachment 1664 [details]
Patch to add GSSAPI Key Exchange support

This updates this patch to OpenSSH 5.2p1, and includes some minor fixes suggested by Greg Hudson during a code review he did for the MIT Kerberos Consortium.
Comment 7 Damien Miller 2010-02-10 09:49:24 AEDT
None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources.
Comment 8 Damien Miller 2010-04-16 15:50:00 AEST
Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1