[OmniOS-discuss] Disabling GSSAPI Key Exchange from future OpenSSH?

Paul B. Henson henson at acm.org
Tue Dec 20 01:49:54 UTC 2016


On Tue, Dec 20, 2016 at 12:35:14AM +0100, Michael Rasmussen wrote:

> KDC which to the best of my knowledge requires the SSH key exchange
> feature. Read more here:
[...]
> No, when using SSH key exchange feature the "host key map" is
> maintained automatically by the AD and globally shared between all
> members of the AD realm.

Eh, I could be mistaken, but I'm reasonably confident that ssh key
exchange and ssh authentication protocols are orthogonal.

You could use GSSAPI key exchange and then authenticate with a public
key, or use key exchange via host keys in known_hosts and then
authenticate via GSSAPI. There's no requirement to have done key
exchange via GSSAPI to do authentication using Kerberos via GSSAPI,
whether your Kerberos server is MIT, AD, or Heimdal.

It is true that if you use GSSAPI key exchange you don't need to
maintain known_hosts files or distribute host keys, as that method
avails of the principals in the KDC and that trust framework to verify
the authenticity of the server.

Back to the original question - we use GSSAPI authentication and
credential forwarding extensively, but do not use and don't have any
plans to use GSSAPI key exchange.
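The split described above (Kerberos authentication and credential forwarding over GSSAPI, with server identity still verified through host keys rather than GSSAPI key exchange) corresponds to the following client configuration. This is an added example, not configuration from the original post or from OmniOS; the host pattern and file location are placeholders.

```sshconfig
# ~/.ssh/config (added example; hostname pattern is a placeholder)
Host *.example.com
    # Upstream OpenSSH option: authenticate with the user's Kerberos ticket.
    GSSAPIAuthentication yes
    # Upstream OpenSSH option: forward the ticket to the server
    # (the "credential forwarding" the post refers to).
    GSSAPIDelegateCredentials yes
    # GSSAPIKeyExchange is NOT an upstream OpenSSH keyword; it exists only
    # in builds carrying the GSSAPI key-exchange patch, and stock OpenSSH
    # rejects the whole config file with "Bad configuration option" if it
    # is present. Leaving it unset (or "no" on patched builds) keeps key
    # exchange on ordinary host keys.
    # GSSAPIKeyExchange no
    # With GSSAPI key exchange off, the server's identity is checked against
    # known_hosts as usual, so keep host-key checking strict.
    StrictHostKeyChecking yes

# sshd_config on the server side (added example): accept GSSAPI
# authentication and discard forwarded credentials at logout.
# GSSAPIAuthentication yes
# GSSAPICleanupCredentials yes
```

With `GSSAPIAuthentication yes` on both ends and a valid ticket in the client's credential cache, `ssh` authenticates via Kerberos without any `GSSAPIKeyExchange` setting, which is the independence of the two mechanisms the post describes; the trade-off is that host keys still have to be distributed or accepted into `known_hosts`.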
