mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-07-01 03:22:48 -05:00
Support GSS key exchange, for Kerberos 5 only.
This is a heavily edited (by me) version of a patch originally due to Nico Williams and Viktor Dukhovni. Their comments: * Don't delegate credentials when rekeying unless there's a new TGT or the old service ticket is nearly expired. * Check for the above conditions more frequently (every two minutes by default) and rekey when we would delegate credentials. * Do not rekey with very short service ticket lifetimes; some GSSAPI libraries may lose the race to use an almost expired ticket. Adjust the timing of rekey checks to try to avoid this possibility. My further comments: The most interesting thing about this patch to me is that the use of GSS key exchange causes a switch over to a completely different model of what host keys are for. This comes from RFC 4462 section 2.1: the basic idea is that when your session is mostly bidirectionally authenticated by the GSSAPI exchanges happening in initial kex and every rekey, host keys become more or less vestigial, and their remaining purpose is to allow a rekey to happen if the requirements of the SSH protocol demand it at an awkward moment when the GSS credentials are not currently available (e.g. timed out and haven't been renewed yet). As such, there's no need for host keys to be _permanent_ or to be a reliable identifier of a particular host, and RFC 4462 allows for the possibility that they might be purely transient and only for this kind of emergency fallback purpose. Therefore, once PuTTY has done a GSS key exchange, it disconnects itself completely from the permanent host key cache functions in storage.h, and instead switches to a _transient_ host key cache stored in memory with the lifetime of just that SSH session. That cache is populated with keys received from the server as a side effect of GSS kex (via the optional SSH2_MSG_KEXGSS_HOSTKEY message), and used if later in the session we have to fall back to a non-GSS key exchange. However, in practice servers we've tested against do not send a host key in that way, so we also have a fallback method of populating the transient cache by triggering an immediate non-GSS rekey straight after userauth (reusing the code path we also use to turn on OpenSSH delayed encryption without the race condition).
This commit is contained in:
Simon Tatham
@ -1929,9 +1929,10 @@ PuTTY will prompt for a username at the time you make a connection.
|
||||
In some environments, such as the networks of large organisations
|
||||
implementing \i{single sign-on}, a more sensible default may be to use
|
||||
the name of the user logged in to the local operating system (if any);
|
||||
this is particularly likely to be useful with \i{GSSAPI} authentication
|
||||
(see \k{config-ssh-auth-gssapi}). This control allows you to change
|
||||
the default behaviour.
|
||||
this is particularly likely to be useful with \i{GSSAPI} key exchange
|
||||
and user authentication (see \k{config-ssh-auth-gssapi} and
|
||||
\k{config-ssh-kex}). This control allows you to change the default
|
||||
behaviour.
|
||||
|
||||
The current system username is displayed in the dialog as a
|
||||
convenience. It is not saved in the configuration; if a saved session
|
||||
@ -2552,6 +2553,34 @@ If the first algorithm PuTTY finds is below the \q{warn below here}
|
||||
line, you will see a warning box when you make the connection, similar
|
||||
to that for cipher selection (see \k{config-ssh-encryption}).
|
||||
|
||||
\S2{config-ssh-gssapi-kex} GSSAPI-based key exchange
|
||||
|
||||
PuTTY supports a set of key exchange methods that also incorporates
|
||||
GSSAPI-based authentication.
|
||||
|
||||
PuTTY can only perform the GSSAPI-authenticated key exchange methods
|
||||
when using Kerberos V5, and not other GSSAPI mechanisms. PuTTY will
|
||||
attempt to select these methods if it is configured to use GSSAPI
|
||||
authentication (\k{config-ssh-auth-gssapi}), and if the user running
|
||||
it has current Kerberos V5 credentials. If both of those are true,
|
||||
then PuTTY will select the GSSAPI key exchange methods in preference
|
||||
to any of the ordinary SSH key exchange methods configured in the
|
||||
preference list.
|
||||
|
||||
The advantage of doing GSSAPI authentication as part of the SSH key
|
||||
exchange is that the SSH key exchange can be repeated later in the
|
||||
session, and this allows your Kerberos V5 credentials (which are
|
||||
typically short-lived) to be automatically re-delegated to the server
|
||||
when they are refreshed on the client. (This feature is commonly
|
||||
referred to as \q{cascading credentials}.)
|
||||
|
||||
If your server doesn't support GSSAPI key exchange, it may still
|
||||
support GSSAPI in the SSH user authentication phase. This will still
|
||||
let you log in using your Kerberos credentials, but will only allow
|
||||
you to delegate the credentials that are active at the beginning of
|
||||
the session; they can't be refreshed automatically later, in a
|
||||
long-running session.
|
||||
|
||||
\S{config-ssh-kex-rekey} \ii{Repeat key exchange}
|
||||
|
||||
\cfg{winhelp-topic}{ssh.kex.repeat}
|
||||
@ -2594,6 +2623,14 @@ purposes, rekeys have much the same properties as keepalives.
|
||||
should bear that in mind when deciding whether to turn them off.)
|
||||
Note, however, the the SSH \e{server} can still initiate rekeys.
|
||||
|
||||
\b \q{Minutes between GSSAPI cache checks}, if you're using GSSAPI key
|
||||
exchange, specifies how often the GSSAPI credential cache is checked
|
||||
to see whether new tickets are available for delegation, or current
|
||||
ones are near expiration. If forwarding of GSSAPI credentials is
|
||||
enabled, PuTTY will try to rekey as necessary to keep the delegated
|
||||
credentials from expiring. Frequent checks are recommended; rekeying
|
||||
only happens when needed.
|
||||
|
||||
\b \q{Max data before rekey} specifies the amount of data (in bytes)
|
||||
that is permitted to flow in either direction before a rekey is
|
||||
initiated. If this is set to zero, PuTTY will not rekey due to
|
||||
@ -2947,7 +2984,15 @@ machine, which in principle can authenticate in many different ways
|
||||
but in practice is usually used with the \i{Kerberos} \i{single sign-on}
|
||||
protocol to implement \i{passwordless login}.
|
||||
|
||||
GSSAPI is only available in the SSH-2 protocol.
|
||||
GSSAPI authentication is only available in the SSH-2 protocol.
|
||||
|
||||
PuTTY supports two forms of GSSAPI-based authentication. In one of
|
||||
them, the SSH key exchange happens in the normal way, and GSSAPI is
|
||||
only involved in authenticating the user. In the other, GSSAPI-based
|
||||
authentication is combined with the key exchange phase, and the SSH
|
||||
authentication step has nothing left to do. If you enable GSSAPI
|
||||
authentication, PuTTY will attempt both of these methods, and use
|
||||
whichever the server supports.
|
||||
|
||||
The topmost control on the GSSAPI subpanel is the checkbox labelled
|
||||
\q{Attempt GSSAPI authentication}. If this is disabled, GSSAPI will
|
||||
|
||||
Reference in New Issue
Block a user