On 10/31/14 18:38, Rufe Glick wrote: > Hello, > > I have Kerberos infrastructure set up and GSSAPI enabled in > ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication yes). > When I connect to the SSH server using verbose mode I see that SSH client > uses 'gssapi-with-mic' mode to authenticate itself. Then if I additionally > enable 'GSSAPIKeyExchange yes' setting the SSH client prefers the > 'gssapi-keyex' method to authenticate itself. > > The questions are what does happen under the hood of both of these methods > (in simple terms, please)? And what is the essential difference? Also what > kind of keys do they exchange when 'gssapi-keyex' auth method is in use? > > -- > Best regards, > Rufe > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos >
Hi Rufe, first step of establishing ssh connection is establishing Transport Layer. In this step the server is authenticated and keys are exchanged, that are used to provide integrity and confidentiality. User authentication is then performed over this secure channel. There are several Key Exchange Methods, one of which is GSS-API-Authenticated Diffie-Hellman Key Exchange. 'gssapi-keyex' and 'gssapi-with-mics' are two examples of user authentication methods. The fundamental difference is, that 'gssapi-keyex' authentication can only be used when the key exchange earlier was GSS-API-Authenticated Diffie-Hellman Key Exchange and it reuses the context from the key exchange. For more information please refer to RFC 4462 Tomas ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
