[36595] in Kerberos


Re: gssapi-with-mic vs gssapi-keyex SSH authentication difference?

daemon@ATHENA.MIT.EDU (Tomas Kuthan)
Fri Oct 31 14:04:07 2014

Message-ID: <5453CF48.8010805@oracle.com>
Date: Fri, 31 Oct 2014 19:04:56 +0100
From: Tomas Kuthan <tomas.kuthan@oracle.com>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <464331345.20141031133835@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 10/31/14 18:38, Rufe Glick wrote:
> Hello,
>
> I have Kerberos infrastructure set up and GSSAPI enabled in ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication yes). When I connect to the SSH server using verbose mode I see that SSH client uses 'gssapi-with-mic' mode to authenticate itself. Then if I additionally enable 'GSSAPIKeyExchange yes' setting the SSH client prefers the 'gssapi-keyex' method to authenticate itself.
>
> The questions are what does happen under the hood of both of these methods (in simple terms, please)? And what is the essential difference? Also what kind of keys do they exchange when 'gssapi-keyex' auth method is in use?
>
> --
> Best regards,
> Rufe
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Hi Rufe,

The first step of establishing an ssh connection is establishing the 
Transport Layer. In this step the server is authenticated and the keys 
that are used to provide integrity and confidentiality are exchanged. 
User authentication is then performed over this secure channel.

There are several Key Exchange Methods, one of which is 
GSS-API-Authenticated Diffie-Hellman Key Exchange.

'gssapi-keyex' and 'gssapi-with-mic' are two examples of user 
authentication methods. The fundamental difference is that 
'gssapi-keyex' authentication can only be used when the key exchange 
earlier was GSS-API-Authenticated Diffie-Hellman Key Exchange and it 
reuses the context from the key exchange.

For more information please refer to RFC 4462

Tomas
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
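An added example, not part of the thread above and not code from OpenSSH or MIT Kerberos: it makes Tomas's two points concrete by (1) deriving the RFC 4462 key exchange method names for the Kerberos V5 mechanism (the suffix is the Base64 of the MD5 of the DER-encoded mechanism OID, RFC 4462 section 2.3), and (2) classifying a client debug trace by which key exchange the transport layer negotiated and which user authentication method succeeded, flagging the impossible combination of 'gssapi-keyex' after a non-GSS key exchange. The trace line shapes are patterned on OpenSSH `ssh -v` output and the two traces are constructed for this example, not captured from a real host; the function names and the `-v` wording are assumptions of this example.

```python
"""Added example: RFC 4462 kex method names and ssh -v trace classification.

Not code from the original post, OpenSSH or MIT Kerberos.  Trace line shapes
are patterned on OpenSSH 'ssh -v' output (an assumption of this example).
"""
import base64
import hashlib
import re

# Kerberos V5 GSS-API mechanism OID (RFC 1964).
KRB5_MECH_OID = "1.2.840.113554.1.2.2"


def der_encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length).

    Short-form length is enough for any real mechanism OID (< 128 bytes).
    """
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                         # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)


def gss_kex_suffix(mech_oid):
    """RFC 4462 sec. 2.3: Base64 of the MD5 of the DER-encoded mechanism OID."""
    digest = hashlib.md5(der_encode_oid(mech_oid)).digest()
    return base64.b64encode(digest).decode("ascii")


def rfc4462_kex_methods(mech_oid):
    """The three GSS-API-authenticated DH kex method names RFC 4462 defines."""
    suffix = gss_kex_suffix(mech_oid)
    return ["gss-group1-sha1-" + suffix,
            "gss-group14-sha1-" + suffix,
            "gss-gex-sha1-" + suffix]


_KEX = re.compile(r"kex: algorithm: (\S+)")
_CAN_CONTINUE = re.compile(r"Authentications that can continue: (\S+)")
_SUCCEEDED = re.compile(r"Authentication succeeded \((\S+)\)")


def classify_ssh_trace(trace):
    """Report what the transport layer negotiated and how the user authenticated.

    'consistent' is False if the trace claims gssapi-keyex user authentication
    without a GSS-API-authenticated key exchange: gssapi-keyex reuses the GSS
    context established during the kex, so it cannot occur otherwise (RFC 4462).
    """
    result = {"kex": None, "gss_kex": False, "offered": [],
              "userauth": None, "consistent": True}
    for line in trace.splitlines():
        if m := _KEX.search(line):
            result["kex"] = m.group(1)
            result["gss_kex"] = m.group(1).startswith("gss-")
        elif m := _CAN_CONTINUE.search(line):
            result["offered"] = m.group(1).split(",")
        elif m := _SUCCEEDED.search(line):
            result["userauth"] = m.group(1)
    if result["userauth"] == "gssapi-keyex" and not result["gss_kex"]:
        result["consistent"] = False
    return result


_SUFFIX = gss_kex_suffix(KRB5_MECH_OID)

# Constructed trace: GSSAPIKeyExchange yes.  Host key algorithm "null" is the
# RFC 4462 sec. 5 value used when the kex itself authenticates the server.
TRACE_WITH_GSS_KEX = f"""\
debug1: kex: algorithm: gss-gex-sha1-{_SUFFIX}
debug1: kex: host key algorithm: null
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey
debug1: Next authentication method: gssapi-keyex
debug1: Authentication succeeded (gssapi-keyex).
"""

# Constructed trace: GSSAPIKeyExchange no, only GSSAPIAuthentication yes.
TRACE_WITHOUT_GSS_KEX = """\
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: Authentications that can continue: gssapi-with-mic,publickey
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
"""

if __name__ == "__main__":
    print("RFC 4462 kex methods for krb5:", rfc4462_kex_methods(KRB5_MECH_OID))
    for label, trace in (("GSSAPIKeyExchange yes", TRACE_WITH_GSS_KEX),
                         ("GSSAPIKeyExchange no", TRACE_WITHOUT_GSS_KEX)):
        print(label, classify_ssh_trace(trace))
```

Running it against a real `ssh -v user@host 2>&1` capture instead of the constructed traces shows the point of the thread directly: with GSSAPIKeyExchange off the kex is an ordinary method and the client falls back to gssapi-with-mic; with it on, the kex name carries the `gss-` prefix and the mechanism suffix, and gssapi-keyex becomes available because the GSS context from the kex is reused.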
