[36597] in Kerberos

home help back first fref pref prev next nref lref last post

Re: gssapi-with-mic vs gssapi-keyex SSH authentication difference?

daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Oct 31 15:23:39 2014

MIME-Version: 1.0
In-Reply-To: <CAK3OfOh5wdfTaYdacAr7x8hr7HXu2+wNEp6dAxeU-j3_t42GNg@mail.gmail.com>
Date: Fri, 31 Oct 2014 14:23:18 -0500
Message-ID: <CAK3OfOjYGq01QQ2dHHsHXQH2wOue+qCp2=omzbGGHUpR4n78Ng@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Kerberos Mailing List <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

GSS key exchange alone does not authenticate the client to the server
because a binding of the GSS security context to the Diffie-Hellman or
RSA key exchange is not sent by the client, only by the server.  There
is not much point to authenticating the client at this point anyways
because GSS authentication is not enough: we need a *username* to
authorize the authenticated _principal_ to, and that comes later in
the protocol.

SSHv2 could well have been (and perhaps still could be) optimized
quite a bit.  As it is all of this takes quite a few messages: TCP
handshake, version string scream exchange, KEX (one round-trip in the
optimal case, with GSS and Kebreros), userauth (one more round-trip in
the optimal case, with gss-api-keyex).  If confidentiality protection
of the client principal and username were not important this could be
reduced by one round trip in an optimized form of the protocol.

Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post