A vanilla install of openssh is incompatible with certain implementations of kerberos (gssapi?, gsi?). Debian's ssh-krb5 package provides this, but they don't provide a patch against vanilla openssh. I provide here a patch against openssh-4.1_p1 which provides this functionality. I'm still testing to see if it breaks X509, ldap, sftplogging, or smartcard, but it works quite well otherwise.
Reproducible: Always
Created attachment 60127: patch against openssh-4.1_p1
Created attachment 60128: Required File
Created attachment 60129: Another Required File
Created attachment 60130: Ebuild with small modification
Looks as though a patch already exists at: http://www.sxw.org.uk/computing/patches/openssh-4.0p1-gssapikex.patch
It'd be nice to see this included as an option in openssh.
Never mind, that patch doesn't seem to work, but mine does. Though my patch seems to break the X509 and ldap patches.
send this patch to the openssh bugzilla please http://bugzilla.mindrot.org/
Thanks for the advice, but I don't think it will do any good. The bulk of this patch (kexgsss.c and kexgssc.c) was written two years ago, and from what I can tell openssh refuses to accept the patch. There's a related reference at http://archives.devshed.com/a/ng/508-12/Kerberos-Support-in-OpenSSH
From what I can tell, openssh supports user authentication via gssapi/gsi, but refuses to support key-exchange via gssapi/gsi, though I can't find any explanation for why this is true. This hasn't stopped several other groups from using the patch, notably NCSA, Globus, and, most important to me, Fermilab.
well if you try and they reject it, we can take another look ... the patch you posted isn't exactly a small one, which is why i'd be very hesitant to add it. if a future release breaks with the patch, i do not have the expertise with the internals of openssh to make sure it still works, which means we'd just drop it on the floor