That does sound interesting. Count me in.

On Sep 28, 2007, at 2:26 PM, Douglas E. Engert wrote:

> Sounds interesting. And yes, I would be interested in
> the cascading credentials delegation code. Does the
> delegation code depend on the key exchange code?
>
> What would it take to get both of these into PuTTY?
>
>
> Simon Wilkinson wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> I'm pleased to (finally) announce the availability of my GSSAPI
>> Key Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains
>> support for doing GSSAPI user authentication, this only allows
>> the underlying security mechanism to authenticate the user to the
>> server, and continues to use SSH host keys to authenticate the
>> server to the user. For many sites who already have security
>> infrastructures such as Kerberos deployed, managing large numbers
>> of SSH host keys is an additional, unnecessary, burden. GSSAPI
>> key exchange allows the use of security mechanisms such as
>> Kerberos to authenticate the server to the user, removing the
>> need for trusted ssh host keys, and allowing the use of a single
>> security architecture.
>>
>> This patch adds support for the RFC4462 GSSAPI key exchange
>> mechanisms to OpenSSH, along with adding some additional features
>> to the GSSAPI code that is already in the tree.
>>
>> The patch implements:
>>
>>   *) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-*
>>      key exchange mechanisms. (#1242)
>>   *) Support for the null host key type (#1242)
>>   *) Support for CCAPI credentials caches on Mac OS X (#1245)
>>   *) Support for better error handling when an authentication
>>      exchange fails due to server misconfiguration (#1244)
>>   *) Support for GSSAPI connections to hosts behind a round-robin
>>      load balancer (#1008)
>>   *) Support for GSSAPI connections to multi-homed hosts, where
>>      each interface has a unique name (#928)
>>
>> (bugzilla.mindrot.org bug numbers are in brackets)
>>
>> There are no code changes since the previous release.
>>
>> As usual, the code is available from
>> http://www.sxw.org.uk/computing/patches/openssh.html
>>
>> I'm also interested in hearing from people who might be
>> interested in testing some new cascading credentials delegation
>> code. When you renew your Kerberos credentials on the client,
>> this code will automatically propagate these renewed credentials
>> to the server, allowing the seamless renewal of credentials
>> across ssh sessions distributed across many different machines.
>>
>> If you have an interest in testing this code in a non-production
>> environment, please let me know!
>>
>> Cheers,
>>
>> Simon.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
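
The `*` in the key exchange names listed in the announcement stands for a per-mechanism suffix: RFC 4462 defines it as the Base64 encoding of the MD5 hash of the DER-encoded GSS-API mechanism OID. The sketch below is an added example, not part of the thread or of the patch; the function names are illustrative, and the Kerberos 5 OID is supplied here as an assumption about the mechanism in use rather than taken from the message.

```python
import base64
import hashlib

# RFC 4462 key exchange families named in the announcement above.
KEX_PREFIXES = ("gss-group1-sha1-", "gss-group14-sha1-", "gss-gex-sha1-")

# Kerberos 5 GSS-API mechanism OID (assumption: the mechanism in use).
KRB5_OID = "1.2.840.113554.1.2.2"


def _base128(value):
    """Encode one OID arc as base-128, high bit set on all but the last byte."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(out))


def der_encode_oid(dotted):
    """Return the full ASN.1 DER encoding (tag, length, value) of an OID."""
    arcs = [int(a) for a in dotted.split(".")]
    if (len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2
            or (arcs[0] < 2 and arcs[1] > 39)):
        raise ValueError("invalid OID: %r" % dotted)
    body = _base128(arcs[0] * 40 + arcs[1])  # first two arcs share one value
    for arc in arcs[2:]:
        body += _base128(arc)
    if len(body) > 127:
        raise ValueError("OID too long for short-form DER length")
    return bytes([0x06, len(body)]) + body


def gss_kex_names(mech_oid):
    """Build the SSH kex method names RFC 4462 derives for one GSS mechanism."""
    digest = hashlib.md5(der_encode_oid(mech_oid)).digest()
    suffix = base64.b64encode(digest).decode("ascii")
    return [prefix + suffix for prefix in KEX_PREFIXES]


if __name__ == "__main__":
    # These are the strings a GSSAPI-keyex client and server negotiate.
    for name in gss_kex_names(KRB5_OID):
        print(name)
```

Comparing these names against the key exchange proposals shown in verbose SSH client output is a quick way to confirm whether GSSAPI key exchange is actually being offered, or whether the connection is falling back to host-key authentication.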