Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
RFC 4462
|
| Document |
Type |
|
RFC - Proposed Standard
(May 2006; Errata)
|
|
Last updated |
|
2018-12-20
|
|
Stream |
|
IETF
|
|
Formats |
|
plain text
pdf
htmlized
with errata
bibtex
|
| Stream |
WG state
|
|
WG Document
|
|
Document shepherd |
|
No shepherd assigned
|
| IESG |
IESG state |
|
RFC 4462 (Proposed Standard)
|
|
Consensus Boilerplate |
|
Unknown
|
|
Telechat date |
|
|
|
Responsible AD |
|
Sam Hartman
|
|
Send notices to |
|
(None)
|
Network Working Group J. Hutzelman
Request for Comments: 4462 CMU
Category: Standards Track J. Salowey
Cisco Systems
J. Galbraith
Van Dyke Technologies, Inc.
V. Welch
U Chicago / ANL
May 2006
Generic Security Service Application Program Interface (GSS-API)
Authentication and Key Exchange for the Secure Shell (SSH) Protocol
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
The Secure Shell protocol (SSH) is a protocol for secure remote login
and other secure network services over an insecure network.
The Generic Security Service Application Program Interface (GSS-API)
provides security services to callers in a mechanism-independent
fashion.
This memo describes methods for using the GSS-API for authentication
and key exchange in SSH. It defines an SSH user authentication
method that uses a specified GSS-API mechanism to authenticate a
user, and a family of SSH key exchange methods that use GSS-API to
authenticate a Diffie-Hellman key exchange.
This memo also defines a new host public key algorithm that can be
used when no operations are needed using a host's public key, and a
new user authentication method that allows an authorization name to
be used in conjunction with any authentication that has already
occurred as a side-effect of GSS-API-based key exchange.
Hutzelman, et al. Standards Track [Page 1]
RFC 4462 SSH GSS-API Methods May 2006
Table of Contents
1. Introduction ....................................................3
1.1. SSH Terminology ............................................3
1.2. Key Words ..................................................3
2. GSS-API-Authenticated Diffie-Hellman Key Exchange ...............3
2.1. Generic GSS-API Key Exchange ...............................4
2.2. Group Exchange ............................................10
2.3. gss-group1-sha1-* .........................................11
2.4. gss-group14-sha1-* ........................................12
2.5. gss-gex-sha1-* ............................................12
2.6. Other GSS-API Key Exchange Methods ........................12
3. GSS-API User Authentication ....................................13
3.1. GSS-API Authentication Overview ...........................13
3.2. Initiating GSS-API Authentication .........................13
3.3. Initial Server Response ...................................14
3.4. GSS-API Session ...........................................15
3.5. Binding Encryption Keys ...................................16
3.6. Client Acknowledgement ....................................16
3.7. Completion ................................................17
3.8. Error Status ..............................................17
3.9. Error Token ...............................................18
4. Authentication Using GSS-API Key Exchange ......................19
5. Null Host Key Algorithm ........................................20
6. Summary of Message Numbers .....................................21
7. GSS-API Considerations .........................................22
7.1. Naming Conventions ........................................22
7.2. Channel Bindings ..........................................22
7.3. SPNEGO ....................................................23
8. IANA Considerations ............................................24
9. Security Considerations ........................................24
10. Acknowledgements ..............................................25
11. References ....................................................26
11.1. Normative References .....................................26
11.2. Informative References ...................................27
Hutzelman, et al. Standards Track [Page 2]
RFC 4462 SSH GSS-API Methods May 2006
1. Introduction
This document describes the methods used to perform key exchange and
Show full document text