GSS key exchange alone does not authenticate the client to the server because a binding of the GSS security context to the Diffie-Hellman or RSA key exchange is not sent by the client, only by the server. There is not much point to authenticating the client at this point anyways because GSS authentication is not enough: we need a *username* to authorize the authenticated _principal_ to, and that comes later in the protocol.
SSHv2 could well have been (and perhaps still could be) optimized quite a bit. As it is all of this takes quite a few messages: TCP handshake, version string scream exchange, KEX (one round-trip in the optimal case, with GSS and Kerberos), userauth (one more round-trip in the optimal case, with gss-api-keyex). If confidentiality protection of the client principal and username were not important this could be reduced by one round trip in an optimized form of the protocol.

Nico

--
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
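To make the asymmetry concrete, here is an added example (not from Nico's post) that builds the two MIC inputs RFC 4462 defines: the server's KEX binding (SSH_MSG_KEXGSS_COMPLETE) covers only the exchange hash H, while the client's "gssapi-keyex" userauth MIC covers the session identifier plus the requested username and service, which is why client authentication cannot be finished before the username is known. GSS_GetMIC() is stood in for by HMAC-SHA256 over a constructed context key; the exchange hash and username are constructed sample values.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252 message number


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def server_kex_mic_input(exchange_hash: bytes) -> bytes:
    """Data the server's KEXGSS_COMPLETE MIC covers (RFC 4462 s2.2): H only.
    Nothing here identifies the client's username."""
    return exchange_hash


def client_userauth_mic_input(session_id: bytes, username: str,
                              service: str = "ssh-connection") -> bytes:
    """Data the client's 'gssapi-keyex' userauth MIC covers (RFC 4462 s4.3).
    For the first key exchange the session identifier equals H."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(username.encode("utf-8"))
            + ssh_string(service.encode("utf-8"))
            + ssh_string(b"gssapi-keyex"))


def get_mic(context_key: bytes, data: bytes) -> bytes:
    # Stand-in for GSS_GetMIC(): HMAC-SHA256 under a constructed context key
    return hmac.new(context_key, data, hashlib.sha256).digest()


def verify_mic(context_key: bytes, data: bytes, mic: bytes) -> bool:
    # Stand-in for GSS_VerifyMIC(); constant-time comparison
    return hmac.compare_digest(get_mic(context_key, data), mic)


def username_bound_by(context_key: bytes, session_id: bytes, user: str) -> dict:
    """Show which MIC changes when the username changes (constructed inputs)."""
    kex_mic = get_mic(context_key, server_kex_mic_input(session_id))
    ua_mic = get_mic(context_key, client_userauth_mic_input(session_id, user))
    other = client_userauth_mic_input(session_id, user + "x")
    return {
        # server's KEX MIC verifies regardless of which user is requested
        "kex_mic_independent_of_user": verify_mic(context_key, session_id, kex_mic),
        # client's userauth MIC fails once the username is altered
        "userauth_mic_rejects_other_user": not verify_mic(context_key, other, ua_mic),
    }
```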