context
...
2. C calls GSS_Init_sec_context(), using the most recent reply token
received from S during this exchange, if any. For this call, the
...
... per-message integrity protection be
supported for this context. In addition, deleg_req_flag MAY be
set to "true" to request access delegation, if requested by the
user ...
... method in conjunction with the GSS-API context
established during key exchange, then anon_req_flag SHOULD be set
...
... key exchange process will
involve the exchange of only a single token once the context has
been established, it is not necessary that the GSS-API context ...
... context has
been established, it is not necessary that the GSS-API context
support detection of replayed or out-of-sequence tokens. Thus,
...
... the mutual_state and integ_avail flags are true, then the
security context has been established, and processing
continues with step 4.
...
... 5. This step is performed only (1) if the server's final call to
GSS_Accept_sec_context() produced a non-zero-length final reply
token ...
... client and (2) if no previous call by the
client to GSS_Init_sec_context() has resulted in a major_status
of GSS_S_COMPLETE. Under these conditions, the client ...
...
additional call to GSS_Init_sec_context() to process the final
reply token. This call is made exactly as described above.
...
... GSS_Init_sec_context() or GSS_Accept_sec_context()
returns a major_status other than GSS_S_COMPLETE or
...
... GSS-API error on the server
(including errors returned by GSS_Accept_sec_context()), the
server MAY send a message informing the client of the details of
...
... GSS-API error returned from the
server's call to GSS_Accept_sec_context(), and an "error token" is
also returned, then the server SHOULD send the error token ...
... client's call to GSS_Init_sec_context(), and an "error token" is
also returned, then the client ...
... client receives this message after a call to
GSS_Init_sec_context() has returned a major_status code of
GSS ...
... client receives the message described above, it makes
another call to GSS_Init_sec_context(). It then sends the following:
byte SSH ...
... client continue to trade these two messages as long as
the server's calls to GSS_Accept_sec_context() result in major_status
codes of GSS_S_CONTINUE_NEEDED. When a call results in a
...
...
If the server's final call to GSS_Accept_sec_context() (resulting in
a major_status code of GSS ...
... client receives this message after a call to
GSS_Init_sec_context() has returned a major_status code of
GSS ...
...
If the server's final call to GSS_Accept_sec_context() (resulting in
a major_status code of GSS ...
... client receives this message when no call to
GSS_Init_sec_context() has yet resulted in a major_status code of
GSS ...
... If either the client's call to GSS_Init_sec_context() or the server's
call to GSS_Accept_sec_context ...
... context() or the server's
call to GSS_Accept_sec_context() returns an error status and produces
an output token ...
... SSH_MSG_USERAUTH_REQUEST packet, the GSS-API context is completely
discarded and destroyed, and any further GSS-API authentication ...
... context()' and
'GSS_Accept_sec_context()' calls. The actual number of packets
exchanged is determined by the underlying GSS-API mechanism.
...
... context()
or GSS_Accept_sec_context()
If an error occurs during this exchange on server side ...
...
When calling GSS_Init_sec_context(), the client MUST set
integ_req_flag to "true" to request that per-message ...
... integ_req_flag to "true" to request that per-message integrity
protection be supported for this context. In addition,
deleg_req_flag MAY be set to "true" to request access delegation, if
...
... user authentication process will involve the exchange of
only a single token once the context has been established, it is not
necessary that the context support detection of replayed or out-of-
...
... token once the context has been established, it is not
necessary that the context support detection of replayed or out-of-
sequence tokens. Thus, the setting of replay_det_req_flag and
...
... server. This additional protection is available when the negotiated
GSS-API context supports per-message integrity protection, as
...
... indicated by the setting of the integ_avail flag on successful return
from GSS_Init_sec_context() or GSS_Accept_sec_context().
...
... When the client's call to GSS_Init_sec_context() returns
GSS_S_COMPLETE with the integ_avail flag set, the client ...
...
This message MUST be sent only if GSS_Init_sec_context() returned
GSS_S_COMPLETE. If a token ...
... If this message is received by the server before the GSS-API context
is fully established, the server MUST fail the authentication.
...
... by the server when the negotiated GSS-API
context does not support per-message integrity protection, the server
...
... user authentication to proceed even
when the negotiated GSS-API context does not support per-message
integrity protection ...
... client's last
call to GSS_Init_sec_context() fails. If the server simply assumed
success on the part of the client and completed the authentication
service ...
... When the client's call to GSS_Init_sec_context() returns
GSS_S_COMPLETE with the integ_avail flag not set, the client ...
...
This message MUST be sent only if GSS_Init_sec_context() returned
GSS_S_COMPLETE. If a token ...
... If this message is received by the server before the GSS-API context
is fully established, the server MUST fail the authentication.
...
... by the server when the negotiated GSS-API
context supports per-message integrity protection, the server MUST
...
... authentication using GSS-API mechanisms and/or contexts that do not
support per-message integrity protection ...
...
In the event that a GSS-API error occurs on the server during context
establishment, the server MAY send the following message to inform
the client ...
... GSS_Init_sec_context() or a server's call to GSS_Accept_sec_context()
returns a token along with an error status ...
... method performs user
authentication by making use of an existing GSS-API context
established during key exchange.
...
... method defined in
accordance with Section 2. The GSS-API context used with this method
is always that established during an initial GSS-API-based key
exchange ...
... method
is always that established during an initial GSS-API-based key
exchange. Any context established during key exchange for the
purpose of rekeying ...
... GSS_GetMIC over
the following, using the GSS-API context that was established during
initial key exchange:
...
...
In order to establish a GSS-API security context, the SSH client
needs to determine the appropriate targ_name to use in identifying
...
... needs to determine the appropriate targ_name to use in identifying
the server when calling GSS_Init_sec_context(). For this purpose,
the GSS-API mechanism-independent name form for host-based ...
...
In particular, the targ_name to pass to GSS_Init_sec_context() is
obtained by calling GSS_Import_name() with an input_name_type of
...
... This document recommends that channel bindings SHOULD NOT be
specified in the calls during context establishment. This document
does not specify any standard data to be used as channel bindings,
...
