The IETF is working on standardizing the use of GSSAPI for authentication with the SSHv2 protocol. This will allow the use of MIT Kerberos and/or Globus GSI GSSAPI to authenticate.
As a user of all of this, I am sending this note. The latest version of the VanDyke SecureCRT 4.0 for Windows, now supports the GSSAPI secsh extensions with SSHv2. The equivalent SSHD server mods are implemented by Simon Wilkinson's GSSAPI patches to OpenSSH-3.4p1 SecureCRT can use a gssapi32.dll for GSSAPI support. I have tested it with the MIT gssapi32.dll from krb5-1.2.6 as well as the Globus GSI gsspai32.dll from GSI-1.1.3. SecureCRT can also use the Microsoft SSPI. VanDyke has not fully announced this feature, for reasons as listed below, but I wanted to make others aware of this, as SecureCRT is a fine terminal emulator, and the addition of the GSSAPI for authentication fits well into many environments. (To be fair, I should point out Kermit, and SecureNet are implementing similar features. And there may be other products I am not aware of.) Previous version of SecureCRT supported a gssapi with sshv1 and it still works. They also required a gsigss32.dll. This is no longer required. They can now use the MIT gssapi32.dll directly. But the GSSAPI features in SecureCRT 4.0 are currently not enabled be default, and require some editing by hand. To enable the GSSAPI feature, edit the SSH2.ini file which is in a location like: C:\Documents and Settings\<user>\Application Data\VanDyke\SecureCRT\Config\SSH2.ini file and add this line: D:"Enable GSSAPI Authentication"=00000001 After this is added, The Connect Connection->authentication option of GSSAPI will be one of the options for primary or secondary authentication with SSHv2. By default the gssapi32.dll is used for the GSSAPI support, but you can use the built in Microsoft SSPI on Windows 2000 by editing selected session files: C:\Documents and Settings\<user>\Application Data\VanDyke\SecureCRT\Config\Sessions\ Change : S:"GSSAPI Method"=gssapi to S:"GSSAPI Method"=gss-ms-kerberos (This has the potential of an all vendor environment with no additional software.) The SecureFX SFTP product can also use the GSSAPI. Contact [EMAIL PROTECTED] for this. Since this is using the GSSAPI, it also works with Globus GSI as well! Personally I would like to thank all the people at VanDyke for following through on this integration of the IETF draft standards into their fine product which I use every day! I would like to encourage them to continue, and add the GSSAPI as a fully integrated and documented feature. [EMAIL PROTECTED] wrote: > > None of this is really "private". Anyone you know that is > interested in GSSAPI/Kerberos support can contact us; we > don't have any specific problems with you giving the information > out either, however, you may want to direct people through > [EMAIL PROTECTED], since that way you won't get nailed with > their questions ;-) > > The biggest resaons this isn't exposes yet in any of our products > is that we don't feel like most folks see it as a "prime-time" > feature yet. For those who need it, the functionality can be > enabled, but for most users at this point is is simply "noise". > As I type this, development is having a meeting on where to go > with this exposure, and after a few small changes on our side, > I suspect you'll see this fully exposed in the UI. > > We'll keep you informed. > > Thank You, > > ~Jaime C. Jordan > [EMAIL PROTECTED] -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos
