Bug 4707 - support GSSAPI key exchange in SSH
Summary: support GSSAPI key exchange in SSH
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Peter Åstrand
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-14 15:10 CEST by Pierre Ossman
Modified: 2022-12-13 13:16 CET (History)
0 users

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pierre Ossman cendio 2013-06-14 15:10:05 CEST 
There is a patch here that uses GSSAPI to verify the authenticity of the server:

http://www.sxw.org.uk/computing/patches/openssh.html

In practice that means you don't have to bother with SSH host keys if you are running a fully Kerberised environment. The ssh server will prove it is trustworthy based on Kerberos tickets instead.


The server also has to support this of course, but at least Red Hat carries this in their distributions.
Comment 1 Pierre Ossman cendio 2013-06-14 15:27:38 CEST 
We should look at the patches Red Hat carries as they seem to have done a few bug fixes.
Comment 2 Pierre Ossman cendio 2013-06-14 15:29:06 CEST 
The referenced patch also helps out with Kerberos in two ways:

 - It adds an option to do reverse lookup on the servers ip address to figure out the principal.

 - If the new GSSAPI key exchange is used, it includes the principal. So there is no guessing involved at all.
Note You need to log in before you can comment on or make changes to this bug.