IETF-SSH archive
Re: GSS-API SRP mech (was Re: retrying keyex ...)
On Thu, 17 Jul 2003, Simon Tatham wrote:
> Sam Hartman <hartmans%mit.edu@localhost> wrote:
> [existing implementations of SRP authentication in SSH]
> > Please don't; use Keith's GSSAPI mechanism. I believe that getting
> > his draft in shape should not take too much time at all.
>
> Stop me if I'm being completely ignorant, but I thought GSSAPI
> required the use of a null host key?
No. The GSSAPI key exchange mechanisms support the use of any server host
key type, and do provide a mechanism to (optionally) transport and
authenticate the server host key in a secure fashion.
The GSSAPI key exchange document defines the 'null' host key type so that
hosts which have no host key can satisfy the following requirement,
included in section 5.1 of the ssh transport draft, under the description
of the 'server_host_key_algorithms' field:
    Algorithm selection depends on whether the chosen key exchange
    algorithm requires a signature or encryption capable host key.
    It MUST be possible to determine this from the public key
    algorithm name. The first algorithm on the client's list that
    satisfies the requirements and is also supported by the server
    MUST be chosen. If there is no such algorithm, both sides MUST
    disconnect.
Servers will list only host key algorithms which they can actually use; if
no host key is present for a particular algorithm, then that algorithm
will not be listed. What this means is that if a host has no host keys at
all, then no algorithms will be listed, and the requirement in the
above-quoted paragraph cannot possibly be satisfied. What the 'null' host
key algorithm does is provide a 'placeholder' to be included in the list
when no other host key algorithms are present.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+%cmu.edu@localhost>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
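The selection rule quoted above, together with the 'null' placeholder the reply describes, worked through as a small added example (constructed for this archive page, not code from the thread or from any SSH implementation). The kex method names "dh-example-kex" and "gss-example-kex" are hypothetical stand-ins; 'ssh-rsa', 'ssh-dss' and 'null' are the algorithm names the draft and the reply refer to.

```python
# Constructed example: host key algorithm selection as quoted from the
# transport draft, plus the 'null' placeholder from the GSSAPI kex draft.

# What each key exchange method requires of the host key. "sig" means a
# signature-capable key; None means the kex authenticates the server by
# other means (the GSSAPI case), so any listed name will satisfy it.
KEX_HOST_KEY_NEED = {
    "dh-example-kex": "sig",   # hypothetical DH-style kex needing a signature
    "gss-example-kex": None,   # hypothetical GSSAPI-style kex
}

# Capabilities of each host key algorithm name. 'null' is the placeholder:
# it can be listed, but it can neither sign nor encrypt.
HOST_KEY_CAPS = {
    "ssh-rsa": {"sig"},
    "ssh-dss": {"sig"},
    "null": set(),
}


class Disconnect(Exception):
    """Raised where the draft says both sides MUST disconnect."""


def advertised_host_key_algs(present_keys):
    """Server side: list only algorithms backed by a key that is actually
    present; fall back to the 'null' placeholder so the list is never empty."""
    algs = [a for a in present_keys if a in HOST_KEY_CAPS and a != "null"]
    return algs if algs else ["null"]


def choose_host_key_alg(client_list, server_list, kex):
    """Both sides run this: the first entry on the client's list that the
    server also offers and that satisfies what the chosen kex requires."""
    need = KEX_HOST_KEY_NEED[kex]
    for alg in client_list:
        if alg not in server_list:
            continue
        if need is None or need in HOST_KEY_CAPS.get(alg, set()):
            return alg
    raise Disconnect("no usable host key algorithm for " + kex)


if __name__ == "__main__":
    keyless = advertised_host_key_algs([])   # a server with no host keys at all
    print(keyless, choose_host_key_alg(["ssh-rsa", "null"], keyless, "gss-example-kex"))
```

Without the placeholder a keyless server advertises an empty list and the DH-style case ends in Disconnect; with it, the GSSAPI-style kex still negotiates.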