GSS key exchange alone does not authenticate the client to the server
because a binding of the GSS security context to the Diffie-Hellman or
RSA key exchange is not sent by the client, only by the server. There
is not much point to authenticating the client at this point anyways
because GSS authen
GSS keyex authenticates the server to the client. The client can then
be authenticated to the server with it tries gssapi-keyex userauth.
Nico
--
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On 10/31/14 18:38, Rufe Glick wrote:
> Hello,
>
> I have Kerberos infrastructure set up and GSSAPI enabled in
> ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication yes).
> When I connect to the SSH server using verbose mode I see that SSH client
> uses 'gssapi-with-mic' mode to
On 10/31/2014 01:52 PM, Benjamin Kaduk wrote:
> gssapi-keyex is not a way for the client to authenticate to the server; it
> replaces the normal key exchange step that uses the server's
> ssh_host_{ecdsa,rsa,dsa}_keys.
If memory serves, the gssapi-keyex key exchange actually authenticates
both par
On Fri, 31 Oct 2014, Rufe Glick wrote:
> Hello,
>
> I have Kerberos infrastructure set up and GSSAPI enabled in
> ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication
> yes). When I connect to the SSH server using verbose mode I see that SSH
> client uses 'gssapi-with-mic' mode to
Hello,
I have Kerberos infrastructure set up and GSSAPI enabled in
ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication yes).
When I connect to the SSH server using verbose mode I see that SSH client uses
'gssapi-with-mic' mode to authenticate itself. Then if I additionally ena