GSS
Click on the red underlined text to get to the source
... user authentication in the Secure Shell protocol using the GSS-API.
To do this, it defines a family of key exchange methods, two user
authentication ...
... methods, and a new host key algorithm. These
definitions allow any GSS-API mechanism to be used with the Secure
Shell protocol.
...
... service
name is an SSH service name and has no relationship to GSS-API
service names. Currently, the only defined service name ...
... GSS-API-Authenticated Diffie-Hellman Key Exchange ...
... SSH-TRANSPORT] with
mutual authentication using GSS-API.
Since the GSS-API key exchange methods ...
... GSS-API.
Since the GSS-API key exchange methods described in this section do
not require the use of public key signature or encryption algorithms ...
... Generic GSS-API Key Exchange ...
... token once the context has
been established, it is not necessary that the GSS-API context
support detection of replayed or out-of-sequence tokens ...
...
* If the resulting major_status code is GSS_S_COMPLETE and the
mutual_state flag is not true, then mutual authentication ...
...
* If the resulting major_status code is GSS_S_COMPLETE and the
integ_avail flag is not true, then per-message integrity
protection ...
...
* If the resulting major_status code is GSS_S_COMPLETE and both
the mutual_state and integ_avail flags are true, the resulting
...
...
* If the resulting major_status code is GSS_S_CONTINUE_NEEDED,
the output_token is sent to S, which will reply with a new
...
... token is sent to S, which will reply with a new
token to be provided to GSS_Init_sec_context().
...
...
* If the resulting major_status code is GSS_S_COMPLETE and the
mutual_state flag is not true, then mutual authentication ...
...
* If the resulting major_status code is GSS_S_COMPLETE and the
integ_avail flag is not true, then per-message integrity
protection ...
...
* If the resulting major_status code is GSS_S_COMPLETE and both
the mutual_state and integ_avail flags are true, then the
...
...
* If the resulting major_status code is GSS_S_CONTINUE_NEEDED,
then the output token is sent to C, and processing continues
...
... mod p. It computes K = e ^ y mod p, and H = hash(V_C || V_S ||
I_C || I_S || K_S || e || f || K). It then calls GSS_GetMIC() to
obtain a GSS-API message integrity code ...
... I_C || I_S || K_S || e || f || K). It then calls GSS_GetMIC() to
obtain a GSS-API message integrity code for H. S then sends f
and the message integrity code ...
...
5. This step is performed only (1) if the server's final call to
GSS_Accept_sec_context() produced a non-zero-length final reply
...
... token to be sent to the client and (2) if no previous call by the
client to GSS_Init_sec_context() has resulted in a major_status
of GSS ...
... GSS_Init_sec_context() has resulted in a major_status
of GSS_S_COMPLETE. Under these conditions, the client makes an
...
... token. This call is made exactly as described above.
However, if the resulting major_status is anything other than
GSS_S_COMPLETE, or a non-zero-length token is returned, it is an
...
... 6. C computes K = f^x mod p, and H = hash(V_C || V_S || I_C || I_S
|| K_S || e || f || K). It then calls GSS_VerifyMIC() to verify
that the MIC sent by S matches H. If the MIC ...
... If any call to GSS_Init_sec_context() or GSS_Accept_sec_context()
returns a major_status other than GSS ...
... GSS_Accept_sec_context()
returns a major_status other than GSS_S_COMPLETE or
GSS_S_CONTINUE_NEEDED, or any other GSS-API ...
... returns a major_status other than GSS_S_COMPLETE or
GSS_S_CONTINUE_NEEDED, or any other GSS-API call returns a
major_status other than GSS ...
... GSS_S_COMPLETE or
GSS_S_CONTINUE_NEEDED, or any other GSS-API call returns a
major_status other than GSS_S_COMPLETE, the key exchange ...
... GSS_S_CONTINUE_NEEDED, or any other GSS-API call returns a
major_status other than GSS_S_COMPLETE, the key exchange fails. In
this case, several mechanisms are available for communicating error
...
...
o If the key exchange fails due to any GSS-API error on the server
(including errors returned by GSS_Accept_sec_context ...
... key exchange fails due to any GSS-API error on the server
(including errors returned by GSS_Accept_sec_context()), the
server MAY send a message informing the client ...
...
o If the key exchange fails due to a GSS-API error returned from the
server's call to GSS_Accept_sec_context ...
... key exchange fails due to a GSS-API error returned from the
server's call to GSS_Accept_sec_context(), and an "error token" is
...
... GSS-API error returned from the
client's call to GSS_Init_sec_context(), and an "error token" is
...
... client SHOULD send the error token to the
server to allow completion of the GSS security exchange.
...
... group used for Diffie-Hellman key exchange and the
underlying GSS-API mechanism are also defined by the method name.
...
... connection in such cases.
By contrast, when GSS-API-based key exchange is used, host keys sent
via the SSH ...
... SSH_MSG_KEXGSS_HOSTKEY message are authenticated as part of
the GSS-API key exchange, even when previously unknown to the client.
Further, in environments in which GSS-API-based key exchange ...
... GSS-API key exchange, even when previously unknown to the client.
Further, in environments in which GSS-API-based key exchange is used
heavily, it is possible and even likely that host keys will change
...
... clients SHOULD NOT issue strong
warnings or abort the connection, provided the GSS-API-based key
exchange succeeds.
In order to facilitate key re-exchange ...
...
In order to facilitate key re-exchange after the user's GSS-API
credentials have expired, client ...
... session, even when such keys are not stored for long-term use.
Each time the server's call to GSS_Accept_sec_context() returns a
major_status code ...
... context() returns a
major_status code of GSS_S_CONTINUE_NEEDED, it sends the following
reply to the client:
...
... If the client receives this message after a call to
GSS_Init_sec_context() has returned a major_status code of
...
... context() has returned a major_status code of
GSS_S_COMPLETE, a protocol error has occurred and the key exchange
...
... Each time the client receives the message described above, it makes
another call to GSS_Init_sec_context(). It then sends the following:
...
... The server and client continue to trade these two messages as long as
the server's calls to GSS_Accept_sec_context() result in major_status
codes of GSS ...
... GSS_Accept_sec_context() result in major_status
codes of GSS_S_CONTINUE_NEEDED. When a call results in a
major_status code of GSS ...
... GSS_S_CONTINUE_NEEDED. When a call results in a
major_status code of GSS_S_COMPLETE, it sends one of two final
messages.
...
... messages.
If the server's final call to GSS_Accept_sec_context() (resulting in
a major_status code ...
... context() (resulting in
a major_status code of GSS_S_COMPLETE) returns a non-zero-length
token ...
... If the client receives this message after a call to
GSS_Init_sec_context() has returned a major_status code of
...
... context() has returned a major_status code of
GSS_S_COMPLETE, a protocol error has occurred and the key exchange
...
... MUST fail.
If the server's final call to GSS_Accept_sec_context() (resulting in
a major_status code ...
... context() (resulting in
a major_status code of GSS_S_COMPLETE) returns a zero-length token or
no token ...
... If the client receives this message when no call to
GSS_Init_sec_context() has yet resulted in a major_status code of
...
... context() has yet resulted in a major_status code of
GSS_S_COMPLETE, a protocol error has occurred and the key exchange
...
... GSS_Init_sec_context() or the server's
call to GSS_Accept_sec_context() returns an error status and produces
...
... further messages.
In the event of a GSS-API error on the server, the server MAY send
the following message before terminating the connection:
...
...
This section describes a modification to the generic GSS-API-
authenticated Diffie-Hellman key ...
...
Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.1 with SHA-1 as HASH ...
... encoding [ASN1] of the underlying
GSS-API mechanism's Object Identifier (OID). Base64 encoding ...
... key exchange methods; this does NOT imply that the IESG is
considered to be the owner of the underlying GSS-API mechanism.
...
...
Each of these methods specifies GSS-API authenticated Diffie-Hellman
key exchange as described in Section 2.1 with SHA-1 ...
... encoding [ASN1] of the underlying GSS-API mechanism's OID. Base64
encoding is described in Section 6.8 of [MIME ...
... key exchange methods; this does NOT imply that the IESG is
considered to be the owner of the underlying GSS-API mechanism.
...
...
Each of these methods specifies GSS-API-authenticated Diffie-Hellman
key exchange as described in Section 2.2 with SHA-1 as HASH ...
... key exchange methods; this does NOT imply that the IESG is
considered to be the owner of the underlying GSS-API mechanism.
...
... Other GSS-API Key Exchange Methods ...
... key
exchange methods that conform to this document; in particular, for
those methods that use the GSS-API-authenticated Diffie-Hellman key
exchange algorithm ...
... GSS-API User Authentication ...
... GSS-API Authentication Overview ...
... client sends a new
SSH_MSG_USERAUTH_REQUEST packet, the GSS-API context is completely
discarded and destroyed, and any further GSS-API ...
... GSS-API context is completely
discarded and destroyed, and any further GSS-API authentication MUST
restart ...
... SSH server implementation verifies that the user
name is authorized based on the credentials exchanged in the GSS-API
exchange. If the user name is not authorized, then the
...
... Initiating GSS-API Authentication ...
...
The client SHOULD send GSS-API mechanism OIDs only for mechanisms
that are of the same priority ...
... OIDs only for mechanisms
that are of the same priority, compared to non-GSS-API authentication
methods. Otherwise, authentication methods may be executed out of
order ...
... client could first send an SSH_MSG_USERAUTH_REQUEST
for one GSS-API mechanism, then try public key authentication, and
then try another GSS-API mechanism ...
... GSS-API mechanism, then try public key authentication, and
then try another GSS-API mechanism.
If the server does not support any of the specified OIDs ...
... The user name may be an empty string if it can be deduced from the
results of the GSS-API authentication. If the user name is not
...
... user name and determines
whether the client is authorized based on his GSS-API credentials.
In particular, the encoding ...
... TOKEN packets. These packets contain the
tokens produced from the 'GSS_Init_sec_context()' and
'GSS ...
... GSS_Init_sec_context()' and
'GSS_Accept_sec_context()' calls. The actual number of packets
exchanged is determined by the underlying GSS-API mechanism ...
... GSS_Accept_sec_context()' calls. The actual number of packets
exchanged is determined by the underlying GSS-API mechanism.
byte SSH ...
... GSSAPI_TOKEN messages are sent if and
only if the calls to the GSS-API routines produce send tokens of non-
zero length.
...
...
Any major status code other than GSS_S_COMPLETE or
GSS_S_CONTINUE_NEEDED SHOULD be a failure.
...
... client and server, thus gaining access to the real
server. This additional protection is available when the negotiated
GSS-API context supports per-message integrity protection ...
... integrity protection, as
indicated by the setting of the integ_avail flag on successful return
from GSS_Init_sec_context() or GSS_Accept_sec_context ...
... GSS_Init_sec_context() returns
GSS_S_COMPLETE with the integ_avail flag set, the client MUST
conclude the user authentication ...
...
The contents of the MIC field are obtained by calling GSS_GetMIC()
over the following, using the GSS-API context ...
... MIC field are obtained by calling GSS_GetMIC()
over the following, using the GSS-API context that was just
established:
...
...
If this message is received by the server before the GSS-API context
is fully established, the server MUST fail the authentication ...
...
If this message is received by the server when the negotiated GSS-API
context does not support per-message ...
... Some servers may wish to permit user authentication to proceed even
when the negotiated GSS-API context does not support per-message
...
... integrity protection. In such cases, it is possible for the server
to successfully complete the GSS-API method, while the client's last
...
... method, while the client's last
call to GSS_Init_sec_context() fails. If the server simply assumed
success on the part of the client ...
... GSS_Init_sec_context() returns
GSS_S_COMPLETE with the integ_avail flag not set, the client MUST
conclude the user authentication ...
... GSSAPI_EXCHANGE_COMPLETE
This message MUST be sent only if GSS_Init_sec_context() returned
GSS ...
...
If this message is received by the server before the GSS-API context
is fully established, the server MUST fail the authentication ...
...
If this message is received by the server when the negotiated GSS-API
context supports per-message ...
... It is a site policy decision for the server whether or not to permit
authentication using GSS-API mechanisms and/or contexts that do not
support per-message ...
...
In the event that a GSS-API error occurs on the server during context
establishment, the server MAY send the following message to inform
...
... context establishment, a client's call to
GSS_Init_sec_context() or a server's call to GSS_Accept_sec_context ...
... Authentication Using GSS-API Key Exchange ...
... SSH-USERAUTH]. This method performs user
authentication by making use of an existing GSS-API context
established during key exchange ...
... method may be used only if the initial key exchange was
performed using a GSS-API-based key exchange method defined in
accordance with Section 2. The GSS-API ...
... GSS-API-based key exchange method defined in
accordance with Section 2. The GSS-API context used with this method
...
... context used with this method
is always that established during an initial GSS-API-based key
exchange. Any context established during key exchange for the
...
... SSH_MSG_USERAUTH_FAILURE) if the
initial key exchange was performed using a GSS-API-based key exchange
method and provides information about the user's identity ...
... method if the initial
key exchange was not performed using a GSS-API-based key exchange
method defined in accordance with Section 2.
...
... method if it is advertised by
the server, initial key exchange was performed using a GSS-API-based
key exchange method, and this method has not already been tried. The
...
... method if initial key exchange was not performed
using a GSS-API-based key exchange method defined in accordance with
Section 2.
...
... If a server receives a request for this method when initial key
exchange was not performed using a GSS-API-based key exchange method
defined in accordance with Section 2, it MUST return
...
...
The contents of the MIC field are obtained by calling GSS_GetMIC over
the following, using the GSS-API context ...
... MIC field are obtained by calling GSS_GetMIC over
the following, using the GSS-API context that was established during
initial key exchange ...
... receiving this message when initial key exchange was performed
using a GSS-API-based key exchange method, the server uses
GSS ...
... GSS-API-based key exchange method, the server uses
GSS_VerifyMIC() to verify that the MIC received is valid. If the MIC ...
... KRB5], and thus the only permitted key exchange method is the
GSS-API-authenticated Diffie-Hellman exchange described above, with
Kerberos ...
... Diffie-Hellman exchange described above, with
Kerberos V5 as the underlying GSS-API mechanism. In such a
configuration, the server implementation supports the "ssh-dss" key
algorithm ...
... algorithm. This is not a significant problem, since in
the configuration described, it will also be unable to interoperate
with implementations that do not support the GSS-API-authenticated
key exchange and Kerberos ...
...
The following message numbers have been defined for use with GSS-
API-based key exchange methods ...
... GSS-API Considerations ...
...
In order to establish a GSS-API security context, the SSH client
needs to determine the appropriate targ_name to use in identifying
...
... SSH client
needs to determine the appropriate targ_name to use in identifying
the server when calling GSS_Init_sec_context(). For this purpose,
the GSS-API mechanism ...
... GSS_Init_sec_context(). For this purpose,
the GSS-API mechanism-independent name form for host-based services
...
... GSSAPI].
In particular, the targ_name to pass to GSS_Init_sec_context() is
obtained by calling GSS ...
... GSS_Init_sec_context() is
obtained by calling GSS_Import_name() with an input_name_type of
GSS_C_NT_HOSTBASED ...
... obtained by calling GSS_Import_name() with an input_name_type of
GSS_C_NT_HOSTBASED_SERVICE, and an input_name_string consisting of
...
... SSH server.
Because the GSS-API mechanism uses the targ_name to authenticate the
server's identity ...
... from the hostname as typed by the user; unfortunately, because some
GSS-API mechanisms do not canonicalize hostnames, it is likely that
this technique will fail if the user has not typed a fully-qualified,
...
... undesirable. As a result, mechanisms conforming to this document
MUST NOT use SPNEGO as the underlying GSS-API mechanism.
Since SSH ...
...
Normally, SPNEGO provides the added benefit of protecting the GSS-API
mechanism negotiation. It does this by having the server compute a
MIC ...
...
The use of SPNEGO combined with GSS-API mechanisms used without
SPNEGO can lead to interoperability ...
... that supports key exchange using the Kerberos V5 GSS-API mechanism
[KRB5-GSS] only underneath SPNEGO ...
... that supports key exchange only using the Kerberos V5 GSS-API
mechanism directly. As a result, allowing GSS-API mechanisms to be
used both with and without SPNEGO ...
... key exchange only using the Kerberos V5 GSS-API
mechanism directly. As a result, allowing GSS-API mechanisms to be
used both with and without SPNEGO is undesirable.
...
...
If a client's policy is to first prefer GSS-API-based key exchange
method X, then non-GSS-API ...
... method X, then non-GSS-API method Y, then GSS-API-based method Z, and
if a server supports mechanisms Y and Z but not X, then an attempt to
...
... if a server supports mechanisms Y and Z but not X, then an attempt to
use SPNEGO to negotiate a GSS-API mechanism might result in the use
of method Z when method ...
... user authentication method name "gssapi-with-mic", to name
the GSS-API user authentication method defined in Section 3.
...
... user authentication method name "gssapi-keyex", to name
the GSS-API user authentication method defined in Section 4.
...
...
This protocol depends on the SSH protocol itself, the GSS-API, any
underlying GSS-API mechanisms that are used, and any protocols on
...
... SSH protocol itself, the GSS-API, any
underlying GSS-API mechanisms that are used, and any protocols on
which such mechanisms might depend. Each of these components plays a
part in the security ...
... The key exchange method described in Section 2 depends on the
underlying GSS-API mechanism to provide both mutual authentication
and per-message ...
... per-message integrity services. If either of these features is
not supported by a particular GSS-API mechanism, or by a particular
implementation of a GSS-API mechanism, then the key exchange ...
... not supported by a particular GSS-API mechanism, or by a particular
implementation of a GSS-API mechanism, then the key exchange is not
secure and MUST fail.
...
... Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2", RFC 4121prop, July 2005. ...
... Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism", RFC 4178prop, October 2005. ...