[36594] in Kerberos
Re: gssapi-with-mic vs gssapi-keyex SSH authentication difference?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Oct 31 13:57:19 2014
Message-ID: <5453CD69.3000909@mit.edu>
Date: Fri, 31 Oct 2014 13:56:57 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Benjamin Kaduk <kaduk@mit.edu>, Rufe Glick <rufe.glick@gmail.com>
In-Reply-To: <alpine.GSO.1.10.1410311346220.27826@multics.mit.edu>
Cc: Kerberos Mailing List <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 10/31/2014 01:52 PM, Benjamin Kaduk wrote:
> gssapi-keyex is not a way for the client to authenticate to the server; it
> replaces the normal key exchange step that uses the server's
> ssh_host_{ecdsa,rsa,dsa}_keys.
If memory serves, the gssapi-keyex key exchange actually authenticates
both parties to each other. Once you have completed that, you gain
access to the gssapi-keyex userauth method, which does basically nothing
as the user is already authenticated (much like SASL EXTERNAL). The
client could still use a different userauth method to authenticate as
someone else, but it generally prefers gssapi-keyex.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
