Slashdot Mirror


Kerberos Support In OpenSSH

Dan writes "Marshall Vale writes on behalf of the MIT Kerberos team and several other parties interested in the availability of Kerberos authentication for the SSH protocol. Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Marshall says that Kerberos support within OpenSSH may be incomplete and needs more work. In particular, implementing draft-ietf-secsh-gsskeyex in addition to any other Kerberos mechanisms will better serve the needs of Kerberos community. Secondly, he says that they would like to reduce user confusion associated with all of the different options for Kerberos and SSH. He suggests adoption of the GSSAPI key exchange mechanism in the IETF draft (which uses Kerberos to authenticate both parties to each other), in order to avoid man-in-the-middle attacks."

3 of 122 comments

  1. kerberos+ssh+putty by ave19 · Score: 5, Informative

    I have a mod for PuTTY that can do GSSAPI+Kerberos auth for users. Windows client to the Linux/Unix OpenSSH servers.

    we're beta testing (or will start soon) but it works!

    respond if you're interested...

    --
    ...or maybe not.
  2. Re:RSA? by hbo · Score: 5, Informative

    The main advantage of using Kerberos for key exchange is the elimination of the known_hosts file, and the tendency for ssh users to accept any old key offered by the server the first time they connect. This common behavior exposes the user to the risk of man-in-the-middle attacks. If I've tricked your stack into connecting to me instead of the host you thought you were getting, I can spoof both ends of the connection and intercept your traffic in the clear. Also, Kerberos authentication is two-way (server to client AND client to server).

    --

    "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
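    The known_hosts check hbo is describing, as an added example that is not part of the post or of OpenSSH's own code: a small Python parser for known_hosts lines (plain, comma-separated, and the hashed `|1|salt|digest` form) that classifies a host key presented at connect time as matching, conflicting, or unknown. The "unknown" outcome is exactly the trust-on-first-use prompt that GSSAPI key exchange removes; the hostnames, salt and key strings below are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not real hosts or keys).
SALT = b"0123456789abcdef0123"  # 20-byte HMAC-SHA1 salt, as OpenSSH uses with HashKnownHosts
KEY_SHELL = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyShell0000000000000000000000000000"
KEY_GIT = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyGit00000000000000000000000000000000"


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|digest' host field OpenSSH writes when HashKnownHosts is on."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts host field against hostname (hashed or plain, comma-separated)."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return hostname in field.split(",")


def check_host_key(known_hosts: str, hostname: str, keytype: str, key: str) -> str:
    """Return 'match', 'MISMATCH' (key changed: possible MITM, or a legitimate rekey),
    or 'unknown' (no entry: this is the TOFU decision the client pushes onto the user)."""
    seen_type = False
    for line in known_hosts.splitlines():
        line = line.strip()
        # Skip blanks, comments and @cert-authority/@revoked marker lines (not handled here).
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3 or not host_matches(parts[0], hostname) or parts[1] != keytype:
            continue
        seen_type = True
        if hmac.compare_digest(parts[2], key):
            return "match"
    return "MISMATCH" if seen_type else "unknown"


# Constructed known_hosts file: one plain entry with an IP alias, one hashed entry.
KNOWN_HOSTS = (
    "shell.example.org,10.0.0.5 ssh-ed25519 " + KEY_SHELL + "\n"
    + hashed_host_entry("git.example.org", SALT) + " ssh-ed25519 " + KEY_GIT + "\n"
)
```

    A client configured with StrictHostKeyChecking=yes turns "unknown" into a hard failure instead of a prompt; with Kerberos-authenticated key exchange the server's identity comes from the KDC ticket and the file is not consulted at all.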

  3. There is already a patch by voicebox · Score: 5, Informative

    I am unable to get to the article (slashdotted) but there is an already existing GSSAPI patch for OpenSSH here: patch.