OpenSSH Re: rawhide report: 20040608 changes

Nalin Dahyabhai nalin at redhat.com
Tue Jun 8 21:27:24 UTC 2004


On Tue, Jun 08, 2004 at 02:44:43PM -0600, Stephen Smoogen wrote:
> On Tue, 2004-06-08 at 11:34, Nalin Dahyabhai wrote:
> > The gssapi-with-mic support is authentication only AFAIK.  So no gssapi
> > key exchange, which you may miss if you had gotten used to not having to
> > accept (or even create) ssh host public keys.  The credential forwarding
> > works well.
> 
> Ah, OK. That is where I was fuzzy on where gssapi key exchange came into
> play. It is where the Kerberos server authenticates the client to the
> server and server to client?

I think you're referring to mutual authentication, which is requested by
the client, so you can breathe easy.

To perform gssapi authentication, your servers need host keys in their
keytabs (for the benefit of others, keys for "host/fqdn@REALM" in
/etc/krb5.keytab), but the initial key exchange is still performed using
the host's public/private key pairs, so you'll still need those.

> Getting the credential forwarding is actually the big issue for most of
> the scientists.

You'll need to turn on GSSAPIDelegateCredentials for a given host,
otherwise it seems to work quite well.

Nalin
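
An added example, not part of the original message: delegation hands the remote host a usable copy of your Kerberos ticket, so it is worth checking which Host blocks in a client config actually turn GSSAPIDelegateCredentials on. The sample config and its hostnames are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample client config; hostnames are placeholders.
SAMPLE = """\
# global default
GSSAPIAuthentication yes

Host login.example.org
    GSSAPIDelegateCredentials yes

Host *.lab.example.org build?
    GSSAPIDelegateCredentials=yes

Host *
    GSSAPIDelegateCredentials no
"""

# ssh_config accepts both "Keyword value" and "Keyword=value".
KV = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

def delegation_scopes(text):
    """Return [(patterns, broad)] for each block that enables delegation.

    broad is True when the block is not limited to literal host names
    (wildcard patterns, a Match block, or options before any Host line).
    """
    findings = []
    patterns = ["*"]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KV.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            patterns = value.split()
        elif key == "match":
            patterns = ["Match " + value]  # needs manual review, treated as broad
        elif key == "gssapidelegatecredentials" and value.strip('"').lower() == "yes":
            broad = any(p.startswith("Match ") or "*" in p or "?" in p
                        for p in patterns)
            findings.append((patterns, broad))
    return findings

if __name__ == "__main__":
    for pats, broad in delegation_scopes(SAMPLE):
        print(("BROAD  " if broad else "scoped ") + " ".join(pats))
```
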




