On Tue, Dec 20, 2016 at 12:35:14AM +0100, Michael Rasmussen wrote:

> KDC which to the best of my knowledge requires the SSH key exchange
> feature. Read more here: [...]
> No, when using SSH key exchange feature the "host key map" is
> maintained automatically by the AD and globally shared between all
> members of the AD realm.

Eh, I could be mistaken, but I'm reasonably confident that ssh key exchange and ssh authentication protocols are orthogonal. You could use GSSAPI key exchange and then authenticate with a public key, or use key exchange via host keys in known_hosts and then authenticate via GSSAPI. There's no requirement to have done key exchange via GSSAPI to do authentication using Kerberos via GSSAPI, whether your Kerberos server is MIT, AD, or Heimdal.

It is true that if you use GSSAPI key exchange you don't need to maintain known_hosts files or distribute host keys, as that method avails of the principals in the KDC and that trust framework to verify the authenticity of the server.

Back to the original question - we use GSSAPI authentication and credential forwarding extensively, but do not use and don't have any plans to use GSSAPI key exchange.

_______________________________________________
OmniOS-discuss mailing list
[email protected]
http://lists.omniti.com/mailman/listinfo/omnios-discuss

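The point made in the reply above, that GSSAPI authentication and GSSAPI key exchange are separate knobs, is easiest to see in an OpenSSH client configuration. The fragment below is an added illustration and is not part of the original message or of the poster's setup; the host names `*.example.com` and `bastion.example.com` are placeholders. `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` are stock OpenSSH options; `GSSAPIKeyExchange` exists only in builds carrying the gssapi-keyex patch (for example Debian and Red Hat packages) and is rejected by an unpatched client, which is itself a reminder that the two features ship independently.

```sshconfig
# ~/.ssh/config (added example, not from the original thread)
#
# Authenticate to the server with a Kerberos ticket via GSSAPI, but keep the
# stock host-key-based key exchange: the server is still verified against
# ~/.ssh/known_hosts, so host keys must still be distributed and pinned.
Host *.example.com
    GSSAPIAuthentication yes
    # Do not forward the TGT by default; a forwarded ticket lets the server
    # act as you against any service in the realm.
    GSSAPIDelegateCredentials no
    StrictHostKeyChecking yes

# Credential forwarding only where it is actually needed, e.g. a jump host
# from which further Kerberos-authenticated hops are made.
Host bastion.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    StrictHostKeyChecking yes

# Only meaningful on clients built with the gssapi-keyex patch. Setting it to
# "no" (the default) keeps host-key verification as the trust anchor; the
# GSSAPI authentication above works either way, which is the reply's point.
# GSSAPIKeyExchange no
```

With this configuration a login to a host in `*.example.com` verifies the server through `known_hosts` and then authenticates the user through the KDC; enabling `GSSAPIKeyExchange` on a patched build would change only the first step, replacing `known_hosts` with the server's host principal in the KDC, and would leave the authentication step untouched.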