Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
RFC 4462
| Field | Value |
|---|---|
| Document | RFC 4462, Proposed Standard (May 2006; Errata), updated by RFC 8732 |
| Authors | Joseph Salowey, Von Welch, Jeffrey Hutzelman, Joseph Galbraith |
| Last updated | 2020-02-15 |
| Stream | IETF |
| WG state | WG Document |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4462 (Proposed Standard) |
| Consensus Boilerplate | Unknown |
| Responsible AD | Sam Hartman |
Network Working Group                                       J. Hutzelman
Request for Comments: 4462                                           CMU
Category: Standards Track                                     J. Salowey
                                                           Cisco Systems
                                                            J. Galbraith
                                              Van Dyke Technologies, Inc.
                                                                V. Welch
                                                         U Chicago / ANL
                                                                May 2006

   Generic Security Service Application Program Interface (GSS-API)
   Authentication and Key Exchange for the Secure Shell (SSH) Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements. Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The Secure Shell protocol (SSH) is a protocol for secure remote login
   and other secure network services over an insecure network.

   The Generic Security Service Application Program Interface (GSS-API)
   provides security services to callers in a mechanism-independent
   fashion.

   This memo describes methods for using the GSS-API for authentication
   and key exchange in SSH. It defines an SSH user authentication method
   that uses a specified GSS-API mechanism to authenticate a user, and a
   family of SSH key exchange methods that use GSS-API to authenticate a
   Diffie-Hellman key exchange.

   This memo also defines a new host public key algorithm that can be
   used when no operations are needed using a host's public key, and a
   new user authentication method that allows an authorization name to
   be used in conjunction with any authentication that has already
   occurred as a side-effect of GSS-API-based key exchange.

Hutzelman, et al.            Standards Track                    [Page 1]
RFC 4462                  SSH GSS-API Methods                   May 2006

Table of Contents

   1. Introduction ....................................................3
      1.1. SSH Terminology ............................................3
      1.2. Key Words ..................................................3
   2. GSS-API-Authenticated Diffie-Hellman Key Exchange ...............3
      2.1. Generic GSS-API Key Exchange ...............................4
      2.2. Group Exchange ............................................10
      2.3. gss-group1-sha1-* .........................................11
      2.4. gss-group14-sha1-* ........................................12
      2.5. gss-gex-sha1-* ............................................12
      2.6. Other GSS-API Key Exchange Methods ........................12
   3. GSS-API User Authentication ....................................13
      3.1. GSS-API Authentication Overview ...........................13
      3.2. Initiating GSS-API Authentication .........................13
      3.3. Initial Server Response ...................................14
      3.4. GSS-API Session ...........................................15
      3.5. Binding Encryption Keys ...................................16
      3.6. Client Acknowledgement ....................................16
      3.7. Completion ................................................17
      3.8. Error Status ..............................................17
      3.9. Error Token ...............................................18
   4. Authentication Using GSS-API Key Exchange ......................19
   5. Null Host Key Algorithm ........................................20
   6. Summary of Message Numbers .....................................21
   7. GSS-API Considerations .........................................22
      7.1. Naming Conventions ........................................22
      7.2. Channel Bindings ..........................................22
      7.3. SPNEGO ....................................................23
   8. IANA Considerations ............................................24
   9. Security Considerations ........................................24
   10. Acknowledgements ..............................................25
   11. References ....................................................26
      11.1. Normative References .....................................26
      11.2. Informative References ...................................27

1. Introduction

   This document describes the methods used to perform key exchange and