User Authentication
... methods used to perform key exchange and
user authentication in the Secure Shell protocol using the GSS-API.
...
... GSS-API.
To do this, it defines a family of key exchange methods, two user
authentication methods, and a new host key algorithm. These
...
... SSH-ARCH], transport layer
protocol [SSH-TRANSPORT], and user authentication protocol
[SSH-USERAUTH]. This document freely uses terminology and notation
...
... host, the setting of anon_req_flag is immaterial to this process.
If the client does not support the "gssapi-keyex" user
authentication method described in Section 4, or does not intend
to use that method ...
... GSS-API User Authentication ...
... based on [GSSAPI]. It is intended to be run over the SSH user
authentication protocol [SSH-USERAUTH].
...
... by the user.
Since the user authentication process by its nature authenticates
only the client ...
... this process. This flag SHOULD be set to "false".
Since the user authentication process will involve the exchange of
only a single token once the context ...
... attacker who has convinced a client
of his authenticity cannot then relay user authentication messages
between the real client and server, thus gaining access to the real
...
... GSS_S_COMPLETE with the integ_avail flag set, the client MUST
conclude the user authentication exchange by sending the following
message:
...
...
Some servers may wish to permit user authentication to proceed even
when the negotiated GSS-API context ...
... GSS_S_COMPLETE with the integ_avail flag not set, the client MUST
conclude the user authentication exchange by sending the following
message:
...
... framework described in [SSH-USERAUTH]. This method performs user
authentication by making use of an existing GSS-API context
...
... MIC
is not valid, the user authentication fails, and the server MUST
return SSH_MSG_USERAUTH_FAILURE.
...
... The following message numbers have been defined for use with the
'gssapi-with-mic' user authentication method:
...
... MIC 66
The numbers 60-79 are specific to user authentication and may be
redefined by other user auth methods. Note that in the method ...
... including the lists of key exchange mechanisms supported by both
sides. In the case of user authentication, the protection is not
needed because the negotiation occurs over a secure channel ...
... SSH-TRANSPORT] and/or the negotiation algorithm for user
authentication methods as described in [SSH-USERAUTH].
...
...
The SSH user authentication method name "gssapi-with-mic", to name
the GSS-API user authentication ...
... user authentication method name "gssapi-with-mic", to name
the GSS-API user authentication method defined in Section 3.
...
...
The SSH user authentication method name "gssapi-keyex", to name
the GSS-API user authentication ...
... user authentication method name "gssapi-keyex", to name
the GSS-API user authentication method defined in Section 4.
...
...
The SSH user authentication method name "gssapi" is to be
reserved, in order to avoid conflicts with implementations
...
...
The SSH user authentication method name "external-keyx" is to be
reserved, in order to avoid conflicts with implementations
...
... secure and MUST fail.
In order for the "external-keyx" user authentication method to be
used, it MUST have access to user authentication ...
... user authentication method to be
used, it MUST have access to user authentication information obtained
as a side-effect of the key exchange ...
