Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 187211 - RFE: Include GSSAPI Key Exchange support in OpenSSH RPM
Summary: RFE: Include GSSAPI Key Exchange support in OpenSSH RPM
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jan F. Chadima
QA Contact: Brian Brock
URL: http://www.sxw.org.uk/computing/patch...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-03-29 09:11 UTC by Simon Wilkinson
Modified: 2009-04-28 08:02 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-28 08:02:06 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
OpenSSH Project 1242 None None None Never

Description Simon Wilkinson 2006-03-29 09:11:14 UTC
The GSSAPI support in the distributed OpenSSH supports user authentication only.
This means that site administrators are still required to maintain ssh known hosts
lists, which is a significant chore for large sites. GSSAPI key exchange allows 
the use of Kerberos to authenticate the server to the client, and so removes the
need for known hosts files.

Many other vendors already distribute OpenSSH (or their own SSH client) with
GSSAPI key exchange support - amongst those doing so are Debian, Apple and Sun.

Patches to implement GSSAPI key exchange are available from this bugs URL, and
have been in widespread use for a number of years.

It would be great to get this support into Fedora / RHEL, to avoid everyone
having to build their own OpenSSH RPMS. The I-D documenting both key exchange
and userauth is in the RFC editor queue, making further changes to the protocol
unlikely.

Comment 1 Tomas Mraz 2006-03-29 10:44:15 UTC
This is interesting enhancement request however we generally prefer keeping our
packages as close to upstream as possible. Was this patch submitted upstream to
the openssh development mailing lists or bugzilla.mindrot.org? If yes what was
the upstream developers' reaction?


Comment 2 Simon Wilkinson 2006-03-30 21:09:18 UTC
It was pushed upstream at the same time as the GSSAPI user authentication code. 
After a considerable amount of discussion, the OpenSSH folks elected to take only
the user authentication code.

Upstream were concerned about the complexity of the entire GSSAPI patch drop. A 
number of things got cut in order to simplify the code to meet their requirements
(decent error reporting, for one) Unfortunately, they also couldn't be convinced
of key exchange's benefits for those sites running Kerberos infrastructures.


Comment 3 Tomas Mraz 2006-06-28 11:21:20 UTC
Well if they were concerned about the complexity of the entire GSSAPI patch
maybe they could accept the key exchange patch now that the client
authentication part of the patch is already there for a long time.

Could you try to resubmit the patch to bugzilla.mindrot.org so it can be
reconsidered?

I have also one question - how can I disable the key exchange on the client side
so the server is verified by the normal public key method?


Comment 4 Simon Wilkinson 2006-09-09 14:03:20 UTC
I have a patch which I'll be submitting following the forthcoming
4.4 release.

The new GSSAPI key-exchange patch includes support for the 
'GSSAPIKeyExchange' option on the client, as well as the server, 
which should solve your second issue.

I'll leave updating the 'I am providing the requested information' 
box until I have a bugzilla.mindrot.org bug to reference here.

Comment 5 Simon Wilkinson 2006-10-02 18:19:08 UTC
I've added the patch to bugzilla.mindrot.org. In the hope of making it acceptable to them, its a minimalist 
version of the patch I distribute from my website, without the other features that patch includes, which I'm 
breaking out into individual bugs, on bugzilla.mindrot.org


Comment 6 Colin.Simpson 2007-12-04 23:21:19 UTC
Can I Second this request? It makes total sense for large sites.

Comment 7 Tomas Mraz 2007-12-05 08:28:25 UTC
If you want to lobby somewhere for this feature, please do that in the upstream
bugzilla.mindrot.org.



Comment 8 Fedora Admin XMLRPC Client 2009-03-10 09:20:42 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 9 Fedora Admin XMLRPC Client 2009-03-10 10:17:50 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 10 Fedora Admin XMLRPC Client 2009-03-10 10:19:45 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 11 Colin.Simpson 2009-03-10 10:30:14 UTC
If this is again being considered can the "Cascading Credentials" part of the "Key Exchange" patch be considered at the same time.

http://www.sxw.org.uk/computing/patches/openssh.html

Both look right the correct thing to do particularly in a IPA environment.

Comment 12 Jan F. Chadima 2009-04-28 08:02:06 UTC
We believe that it is more appropriate for this issue to be resolved upstream.
Red Hat will continue to track the issue in the centralized upstream bug tracker, and will review any bug fixes that become available for consideration in future updates.
Thank you for the bug report.


Note You need to log in before you can comment on or make changes to this bug.