authentication
Click on the red underlined text to get to the source
... methods used to perform key exchange and
user authentication in the Secure Shell protocol using the GSS-API.
...
... GSS-API.
To do this, it defines a family of key exchange methods, two user
authentication methods, and a new host key algorithm. These
...
... SSH-ARCH], transport layer
protocol [SSH-TRANSPORT], and user authentication protocol
[SSH-USERAUTH]. This document freely uses terminology and notation
...
... GSS-API-Authenticated Diffie-Hellman Key Exchange ...
... Diffie-Hellman key exchange from Section 8 of [SSH-TRANSPORT] with
mutual authentication using GSS-API.
...
... received from S during this exchange, if any. For this call, the
client MUST set mutual_req_flag to "true" to request that mutual
authentication be performed. It also MUST set integ_req_flag to
"true" to request that per-message integrity protection ...
... delegation, if requested by the
user. Since the key exchange process authenticates only the
host, the setting of anon_req_flag is immaterial to this process.
...
... host, the setting of anon_req_flag is immaterial to this process.
If the client does not support the "gssapi-keyex" user
authentication method described in Section 4, or does not intend
to use that method ...
... GSS_S_COMPLETE and the
mutual_state flag is not true, then mutual authentication has
not been established, and the key exchange MUST fail.
...
... GSS_S_COMPLETE and the
mutual_state flag is not true, then mutual authentication has
not been established, and the key exchange MUST fail.
...
... host keys sent
via the SSH_MSG_KEXGSS_HOSTKEY message are authenticated as part of
the GSS-API key exchange, even when previously unknown to the client ...
... This value is called the exchange hash, and it is used to
authenticate the key exchange. The exchange hash SHOULD be kept
...
... This section describes a modification to the generic GSS-API-
authenticated Diffie-Hellman key exchange to allow the negotiation of
...
...
Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.1 with SHA-1 as HASH ...
... Each of these methods specifies GSS-API authenticated Diffie-Hellman
key exchange as described in Section 2.1 with SHA-1 as HASH ...
...
Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.2 with SHA-1 as HASH ...
... key
exchange methods that conform to this document; in particular, for
those methods that use the GSS-API-authenticated Diffie-Hellman key
exchange algorithm ...
... GSS-API User Authentication ...
... based on [GSSAPI]. It is intended to be run over the SSH user
authentication protocol [SSH-USERAUTH].
...
... SSH-USERAUTH].
The authentication method name for this protocol is "gssapi-with-
mic".
...
... GSS-API Authentication Overview ...
... GSS-API authentication must maintain a context. Authentication
begins when the client sends an SSH ...
... GSSAPI_TOKEN packets
until the authentication mechanism either succeeds or fails.
If at any time during the exchange the client ...
... context is completely
discarded and destroyed, and any further GSS-API authentication MUST
restart from the beginning.
...
... restart from the beginning.
If the authentication succeeds and a non-empty user name is presented
by the client ...
... exchange. If the user name is not authorized, then the
authentication MUST fail.
...
... Initiating GSS-API Authentication ...
... that are of the same priority, compared to non-GSS-API authentication
methods. Otherwise, authentication methods may be executed out of
order. Thus, the client ...
... priority, compared to non-GSS-API authentication
methods. Otherwise, authentication methods may be executed out of
order. Thus, the client could first send an SSH ...
... SSH_MSG_USERAUTH_REQUEST
for one GSS-API mechanism, then try public key authentication, and
then try another GSS-API mechanism.
...
... user name may be an empty string if it can be deduced from the
results of the GSS-API authentication. If the user name is not
empty, and the requested user does not exist, the server MAY
...
... never accept any. This makes it possible for the server to avoid
disclosing information about which accounts exist. In any case, if
the user does not exist, the authentication request MUST NOT be
accepted.
...
... SSH_MSG_USERAUTH_REQUEST message, in which case the server MUST
abandon the previous authentication attempt and continue with the new
one.
...
... by the user.
Since the user authentication process by its nature authenticates
only the client ...
...
Since the user authentication process by its nature authenticates
only the client, the setting of mutual_req_flag is not needed for
...
... this process. This flag SHOULD be set to "false".
Since the user authentication process will involve the exchange of
only a single token once the context ...
... attacker who has convinced a client
of his authenticity cannot then relay user authentication messages
between the real client and server, thus gaining access to the real
...
... GSS_S_COMPLETE with the integ_avail flag set, the client MUST
conclude the user authentication exchange by sending the following
message:
...
... GSS-API context
is fully established, the server MUST fail the authentication.
If this message is received by the server ...
...
Some servers may wish to permit user authentication to proceed even
when the negotiated GSS-API context ...
... context() fails. If the server simply assumed
success on the part of the client and completed the authentication
service, it is possible that the client would fail to complete the
authentication method ...
... authentication
service, it is possible that the client would fail to complete the
authentication method, but not be able to retry other methods because
the server had already moved on. To protect against this, a final
...
... GSS_S_COMPLETE with the integ_avail flag not set, the client MUST
conclude the user authentication exchange by sending the following
message:
...
... GSS-API context
is fully established, the server MUST fail the authentication.
If this message is received by the server ...
... per-message integrity protection, the server MUST
fail the authentication.
It is a site policy decision for the server whether or not to permit
...
...
It is a site policy decision for the server whether or not to permit
authentication using GSS-API mechanisms and/or contexts that do not
...
... integrity protection. The server MAY fail the
otherwise valid gssapi-with-mic authentication if per-message
integrity protection ...
... methods, successful completion is
indicated by an SSH_MSG_USERAUTH_SUCCESS if no other authentication
is required, or an SSH_MSG_USERAUTH_FAILURE with the partial success
...
... is required, or an SSH_MSG_USERAUTH_FAILURE with the partial success
flag set if the server requires further authentication. This packet
SHOULD be sent immediately following receipt of the
SSH ...
... error token
This message implies that the authentication is about to fail, and is
defined to allow the error token to be communicated without losing
...
... SSH_MSG_USERAUTH_FAILURE message, which is to be interpreted as
applying to the same authentication request. A client receiving this
...
... message SHOULD wait for the following SSH_MSG_USERAUTH_FAILURE
message before beginning another authentication attempt.
When a client ...
... When a client sends this message, it MUST be followed by a new
authentication request or by terminating the connection. A server
receiving ...
... reply, since such a message might otherwise be interpreted by a
client as a response to the following authentication sequence.
Any server sending this message MUST ignore any SSH ...
... Authentication Using GSS-API Key Exchange ...
... framework described in [SSH-USERAUTH]. This method performs user
authentication by making use of an existing GSS-API context
...
... key exchange.
The authentication method name for this protocol is "gssapi-keyex".
This method ...
... MIC
is not valid, the user authentication fails, and the server MUST
return SSH_MSG_USERAUTH_FAILURE.
...
... can be used when the administrator has decided as a matter of policy
to require that all key exchanges be authenticated using Kerberos
[KRB5 ...
... KRB5], and thus the only permitted key exchange method is the
GSS-API-authenticated Diffie-Hellman exchange described above, with
Kerberos ...
... algorithm. This is not a significant problem, since in
the configuration described, it will also be unable to interoperate
with implementations that do not support the GSS-API-authenticated
key exchange and Kerberos ...
... The following message numbers have been defined for use with the
'gssapi-with-mic' user authentication method:
...
... MIC 66
The numbers 60-79 are specific to user authentication and may be
redefined by other user auth methods. Note that in the method ...
...
Because the GSS-API mechanism uses the targ_name to authenticate the
server's identity, it is important that it be determined in a secure
...
... [SPNEGO] in conjunction with the authentication and key exchange
methods described in this document is both unnecessary and
undesirable. As a result, mechanisms conforming to this document
...
... Since SSH performs its own negotiation of authentication and key
exchange methods, the negotiation capability of SPNEGO ...
... including the lists of key exchange mechanisms supported by both
sides. In the case of user authentication, the protection is not
needed because the negotiation occurs over a secure channel ...
... SSH-TRANSPORT] and/or the negotiation algorithm for user
authentication methods as described in [SSH-USERAUTH].
...
...
The SSH user authentication method name "gssapi-with-mic", to name
the GSS-API user authentication ...
... user authentication method name "gssapi-with-mic", to name
the GSS-API user authentication method defined in Section 3.
...
...
The SSH user authentication method name "gssapi-keyex", to name
the GSS-API user authentication ...
... user authentication method name "gssapi-keyex", to name
the GSS-API user authentication method defined in Section 4.
...
...
The SSH user authentication method name "gssapi" is to be
reserved, in order to avoid conflicts with implementations
...
...
The SSH user authentication method name "external-keyx" is to be
reserved, in order to avoid conflicts with implementations
...
...
This document describes authentication and key-exchange protocols.
As such, security considerations are discussed throughout.
...
... key exchange method described in Section 2 depends on the
underlying GSS-API mechanism to provide both mutual authentication
and per-message integrity services ...
... secure and MUST fail.
In order for the "external-keyx" user authentication method to be
used, it MUST have access to user authentication ...
... user authentication method to be
used, it MUST have access to user authentication information obtained
as a side-effect of the key exchange ...
... key exchange. If this information is
unavailable, the authentication MUST fail.
Revealing information about the reason for an authentication failure ...
... authentication MUST fail.
Revealing information about the reason for an authentication failure
may be considered by some sites to be an unacceptable security risk
...
... Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Authentication Protocol", RFC 4252prop, January 2006. ...
... Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120prop, July 2005. ...