
Re: gssapi-with-mic vs gssapi-keyex SSH authentication difference?

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Fri Oct 31 13:52:31 2014

Date: Fri, 31 Oct 2014 13:52:09 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rufe Glick <rufe.glick@gmail.com>
In-Reply-To: <464331345.20141031133835@gmail.com>
Message-ID: <alpine.GSO.1.10.1410311346220.27826@multics.mit.edu>
MIME-Version: 1.0
Cc: Kerberos Mailing List <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, 31 Oct 2014, Rufe Glick wrote:

> Hello,
>
> I have Kerberos infrastructure set up and GSSAPI enabled in
> ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication
> yes). When I connect to the SSH server using verbose mode I see that SSH
> client uses 'gssapi-with-mic' mode to authenticate itself. Then if I
> additionally enable 'GSSAPIKeyExchange yes' setting the SSH client
> prefers the 'gssapi-keyex' method to authenticate itself.
>
> The questions are: what happens under the hood in each of these
> methods (in simple terms, please)? And what is the essential difference?
> Also what kind of keys do they exchange when 'gssapi-keyex' auth method
> is in use?

gssapi-keyex is not a way for the client to authenticate to the server; it
replaces the normal key exchange step that uses the server's
ssh_host_{ecdsa,rsa,dsa}_keys.  GSSAPIKeyExchange is a way to avoid the
"leap of faith" initial prompt when sshing to a remote host for the first
time.  (That is, "The authenticity of host 'blah' can't be established.
RSA key fingerprint is [hex].  Are you sure you want to continue
connecting (yes/no)?".)

GSSAPIAuthentication is a way for the client to authenticate to the
server; it replaces user ssh keys (e.g., ~/.ssh/id_rsa) and passwords.

-Ben Kaduk
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
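To make the two roles in Ben's answer concrete, here is an added illustration (not from the thread, and not configuration from any of the participants) of how the two settings land on each side of the connection. The hostname pattern, the realm EXAMPLE.COM and the keytab path are placeholders; GSSAPIKeyExchange is only understood by OpenSSH builds that carry the GSSAPI key-exchange patch (Debian, Ubuntu and Red Hat derived packages ship it, upstream OpenSSH does not), and it only succeeds when the server has a host/<fqdn>@REALM key in its keytab.

```sshconfig
# ---- client side: ~/.ssh/config (assumed placeholder hosts and realm) ----
Host *.example.com
    # Authenticates the *user* with a Kerberos service ticket.
    # Replaces ~/.ssh/id_rsa and password prompts (the 'gssapi-with-mic' method).
    GSSAPIAuthentication yes

    # Authenticates the *host* through Kerberos during key exchange.
    # Replaces the ssh_host_*_key check against ~/.ssh/known_hosts, so the
    # "authenticity of host ... can't be established" prompt never appears
    # (the 'gssapi-keyex' entries seen in ssh -v output).
    GSSAPIKeyExchange yes

    # Forwarding a TGT to the server is a separate decision; leave it off
    # unless the remote host genuinely needs to act on your behalf.
    GSSAPIDelegateCredentials no

# ---- server side: /etc/ssh/sshd_config ----
# Accept Kerberos user authentication; needs host/<fqdn>@EXAMPLE.COM
# in /etc/krb5.keytab (placeholder path) so the client can get a ticket for it.
GSSAPIAuthentication yes

# Accept Kerberos host authentication in the key exchange; same keytab entry.
GSSAPIKeyExchange yes

# Only accept tickets for this host's own principal, not any key in the keytab.
GSSAPIStrictAcceptorCheck yes

# Drop the forwarded credential cache when the session ends.
GSSAPICleanupCredentials yes
```

With GSSAPIKeyExchange disabled on either side the client silently falls back to the ordinary host-key exchange, so on the first connection to a new host the known_hosts prompt returns; if you rely on Kerberos to vouch for host identity, watch for that prompt reappearing, since it means the Kerberos check did not take place.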
