Key Exchange
Click on the red underlined text to get to the source
...
This document describes the methods used to perform key exchange and
user authentication in the Secure Shell protocol ...
... Secure Shell protocol using the GSS-API.
To do this, it defines a family of key exchange methods, two user
authentication methods, and a new host key algorithm ...
...
This section defines a class of key exchange methods that combine the
Diffie-Hellman key exchange from Section 8 of [SSH-TRANSPORT ...
... GSS-API.
Since the GSS-API key exchange methods described in this section do
not require the use of public key signature or encryption algorithms ...
... Generic GSS-API Key Exchange ...
... set to "true" to request access delegation, if requested by the
user. Since the key exchange process authenticates only the
host ...
... GSS-API context
established during key exchange, then anon_req_flag SHOULD be set
to "true". Otherwise, this flag MAY be set to true if the client
...
... client
wishes to hide its identity. Since the key exchange process will
involve the exchange of only a single token once the context ...
... state flag is not true, then mutual authentication has
not been established, and the key exchange MUST fail.
* If the resulting major_status code ...
... integ_avail flag is not true, then per-message integrity
protection is not available, and the key exchange MUST fail.
* If the resulting major_status code ...
... client MUST also include "e" with the first message it
sends to the server during this process; if the server
receives more than one "e" or none at all, the key exchange
fails.
...
... * It is an error if the call does not produce a token of non-
zero length to be sent to the server. In this case, the key
exchange MUST fail.
3. S calls GSS ...
... state flag is not true, then mutual authentication has
not been established, and the key exchange MUST fail.
* If the resulting major_status code ...
... integ_avail flag is not true, then per-message integrity
protection is not available, and the key exchange MUST fail.
* If the resulting major_status code ...
... non-zero-length token is returned, it is an
error and the key exchange MUST fail.
6. C computes K = f^x mod p, and H = hash ...
... MIC sent by S matches H. If the MIC is not successfully
verified, the key exchange MUST fail.
Either side MUST NOT send or accept e or f values that are not in the
...
... Either side MUST NOT send or accept e or f values that are not in the
range [1,p-1]. If this condition is violated, the key exchange
fails.
...
... GSS-API call returns a
major_status other than GSS_S_COMPLETE, the key exchange fails. In
this case, several mechanisms are available for communicating error
information to the peer before terminating the connection ...
... SSH-TRANSPORT]:
o If the key exchange fails due to any GSS-API error on the server
(including errors returned by GSS ...
... error token.
o If the key exchange fails due to a GSS-API error returned from the
server's call to GSS ...
... security exchange.
o If the key exchange fails due to a GSS-API error returned from the
client ...
... certificates (K_S)
Since this key exchange method does not require the host key to be
used for any encryption ...
... connection in such cases.
By contrast, when GSS-API-based key exchange is used, host keys sent
via the SSH ...
... SSH_MSG_KEXGSS_HOSTKEY message are authenticated as part of
the GSS-API key exchange, even when previously unknown to the client.
Further, in environments in which GSS-API-based key exchange ...
... GSS-API key exchange, even when previously unknown to the client.
Further, in environments in which GSS-API-based key exchange is used
heavily, it is possible and even likely that host keys will change
...
... clients SHOULD NOT issue strong
warnings or abort the connection, provided the GSS-API-based key
exchange succeeds.
In order to facilitate key re-exchange ...
... hash, and it is used to
authenticate the key exchange. The exchange hash SHOULD be kept
secret. If no SSH ...
... MIME].
Each and every such key exchange method is implicitly registered by
this specification. The IESG is considered to be the owner of all
...
... this specification. The IESG is considered to be the owner of all
such key exchange methods; this does NOT imply that the IESG is
considered to be the owner of the underlying GSS-API mechanism ...
... MIME].
Each and every such key exchange method is implicitly registered by
this specification. The IESG is considered to be the owner of all
...
... this specification. The IESG is considered to be the owner of all
such key exchange methods; this does NOT imply that the IESG is
considered to be the owner of the underlying GSS-API mechanism ...
... MIME].
Each and every such key exchange method is implicitly registered by
this specification. The IESG is considered to be the owner of all
...
... this specification. The IESG is considered to be the owner of all
such key exchange methods; this does NOT imply that the IESG is
considered to be the owner of the underlying GSS-API mechanism ...
... Other GSS-API Key Exchange Methods ...
...
Key exchange method names starting with "gss-" are reserved for key
exchange methods that conform to this document; in particular, for
...
... Key exchange method names starting with "gss-" are reserved for key
exchange methods that conform to this document; in particular, for
those methods that use the GSS-API-authenticated ...
... Authentication Using GSS-API Key Exchange ...
...
This method may be used only if the initial key exchange was
performed using a GSS-API-based key exchange method ...
... method may be used only if the initial key exchange was
performed using a GSS-API-based key exchange method defined in
accordance with Section 2. The GSS-API ...
... context used with this method
is always that established during an initial GSS-API-based key
exchange. Any context established during key exchange for the
...
... is always that established during an initial GSS-API-based key
exchange. Any context established during key exchange for the
purpose of rekeying MUST NOT be used with this method ...
... methods that can continue (in an SSH_MSG_USERAUTH_FAILURE) if the
initial key exchange was performed using a GSS-API-based key exchange
method ...
... SSH_MSG_USERAUTH_FAILURE) if the
initial key exchange was performed using a GSS-API-based key exchange
method and provides information about the user's identity ...
... useful to the server. It MUST NOT include this method if the initial
key exchange was not performed using a GSS-API-based key exchange
method ...
... method if the initial
key exchange was not performed using a GSS-API-based key exchange
method defined in accordance with Section 2.
...
... client SHOULD attempt to use this method if it is advertised by
the server, initial key exchange was performed using a GSS-API-based
key exchange method, and this method ...
... method if it is advertised by
the server, initial key exchange was performed using a GSS-API-based
key exchange method, and this method has not already been tried. The
...
... session. It
MUST NOT try this method if initial key exchange was not performed
using a GSS-API-based key exchange method ...
... method if initial key exchange was not performed
using a GSS-API-based key exchange method defined in accordance with
Section 2.
...
...
If a server receives a request for this method when initial key
exchange was not performed using a GSS-API-based key exchange method
...
... If a server receives a request for this method when initial key
exchange was not performed using a GSS-API-based key exchange method
defined in accordance with Section 2, it MUST return
...
...
Upon receiving this message when initial key exchange was performed
using a GSS-API-based key exchange method ...
... receiving this message when initial key exchange was performed
using a GSS-API-based key exchange method, the server uses
GSS ...
... signature nor encryption algorithms. Thus, it can
be used only with key exchange methods that do not require any
public-key operations and do not require the use of host ...
... host public key
material. The key exchange methods described in Section 2 are
examples of such methods.
...
... Kerberos
[KRB5], and thus the only permitted key exchange method is the
GSS-API-authenticated Diffie-Hellman exchange ...
... SSH-TRANSPORT]), but could be prohibited
by configuration from using it. In this situation, the server needs
some key exchange algorithm to advertise; the "null" algorithm fills
this purpose.
...
... with implementations that do not support the GSS-API-authenticated
key exchange and Kerberos.
...
... Kerberos.
Any implementation supporting at least one key exchange method that
conforms to Section 2 MUST also support the "null" host key
algorithm. Servers MUST NOT advertise the "null" host key algorithm ...
... GROUP 41
The numbers 30-49 are specific to key exchange and may be redefined
by other kex methods.
...
... SPNEGO] in conjunction with the authentication and key exchange
methods described in this document is both unnecessary and
undesirable. As a result, mechanisms conforming to this document
MUST NOT use SPNEGO ...
... SSH performs its own negotiation of authentication and key
exchange methods, the negotiation capability of SPNEGO alone does not
...
... by the client, and then
checking that value at the client. In the case of key exchange, this
protection is not needed because the key exchange methods described
...
... client. In the case of key exchange, this
protection is not needed because the key exchange methods described
here already perform an equivalent operation; namely, they generate a
MIC ...
... hash, which is a hash of several items
including the lists of key exchange mechanisms supported by both
sides. In the case of user authentication, the protection is not
...
... interoperability problems. For example, a client
that supports key exchange using the Kerberos V5 GSS-API mechanism
...
... KRB5-GSS] only underneath SPNEGO will not interoperate with a server
that supports key exchange only using the Kerberos V5 GSS-API
mechanism directly. As a result, allowing GSS-API ...
...
If a client's policy is to first prefer GSS-API-based key exchange
method X, then non-GSS-API ...
... negotiation
algorithm for key exchange methods as described in Section 7.1 of
[SSH-TRANSPORT] and/or the negotiation ...
... method names beginning with "gss-
group1-sha1-" and not containing the at-sign ('@'), to name the
key exchange methods defined in Section 2.3.
The family of SSH key ...
... SSH key exchange method names beginning with "gss-
gex-sha1-" and not containing the at-sign ('@'), to name the key
exchange methods defined in Section 2.5.
All other SSH key ...
... SSH key exchange method names beginning with "gss-" and
not containing the at-sign ('@'), to be reserved for future key
exchange methods defined in conformance with this document, as
noted in Section 2.6.
...
... security considerations.
The key exchange method described in Section 2 depends on the
underlying GSS-API mechanism to provide both mutual authentication ...
... GSS-API mechanism, or by a particular
implementation of a GSS-API mechanism, then the key exchange is not
secure and MUST fail.
...
... user authentication information obtained
as a side-effect of the key exchange. If this information is
unavailable, the authentication ...