draft-ietf-secsh-gsskeyex-03.txt   draft-ietf-secsh-gsskeyex-04.txt 
Network Working Group J. Hutzelman Network Working Group J. Hutzelman
Internet-Draft CMU Internet-Draft CMU
Expires: July 15, 2002 J. Salowey Expires: January 3, 2003 J. Salowey
Cisco Systems Cisco Systems
J. Galbraith J. Galbraith
Van Dyke Technologies, Inc. Van Dyke Technologies, Inc.
V. Welch V. Welch
U Chicago / ANL U Chicago / ANL
January 14, 2002 July 5, 2002
GSSAPI Authentication and Key Exchange for the Secure Shell Protocol GSSAPI Authentication and Key Exchange for the Secure Shell Protocol
draft-ietf-secsh-gsskeyex-03 draft-ietf-secsh-gsskeyex-04
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 15, 2002. This Internet-Draft will expire on January 3, 2003.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract Abstract
The Secure Shell protocol (SSH) is a protocol for secure remote The Secure Shell protocol (SSH) is a protocol for secure remote
login and other secure network services over an insecure network. login and other secure network services over an insecure network.
skipping to change at page 6, line 52 skipping to change at page 6, line 52
Upon receiving the SSH_MSG_KEXGSS_INIT message, the server MAY send Upon receiving the SSH_MSG_KEXGSS_INIT message, the server MAY send
the following message, prior to any other messages, to inform the the following message, prior to any other messages, to inform the
client of its host key. client of its host key.
byte SSH_MSG_KEXGSS_HOSTKEY byte SSH_MSG_KEXGSS_HOSTKEY
string server public host key and certificates (K_S) string server public host key and certificates (K_S)
Since this key exchange method does not require the host key to be Since this key exchange method does not require the host key to be
used for any encryption operations, this message is OPTIONAL. If used for any encryption operations, this message is OPTIONAL. If
the "null" host key algorithm described in Section 5 is used, this the "null" host key algorithm described in Section 5 is used, this
message MUST NOT be sent. message MUST NOT be sent. If this message is sent, the server
public host key(s) and/or certificate(s) in this message are encoded
as a single string, in the format specified by the public key type
in use (see [11], section 4.6).
Each time the server's call to GSS_Accept_sec_context returns a Each time the server's call to GSS_Accept_sec_context returns a
major_status code of GSS_S_CONTINUE_NEEDED, it sends the following major_status code of GSS_S_CONTINUE_NEEDED, it sends the following
reply to the client: reply to the client:
byte SSH_MSG_KEXGSS_CONTINUE byte SSH_MSG_KEXGSS_CONTINUE
string output_token (from GSS_Accept_sec_context) string output_token (from GSS_Accept_sec_context)
If the client receives this message after a call to If the client receives this message after a call to
GSS_Init_sec_context has returned a major_status code of GSS_Init_sec_context has returned a major_status code of
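Review bot: the added sentence ("If this message is sent, the server public host key(s) and/or certificate(s) ... are encoded as a single string") settles the encoding of K_S, but the hunk still leaves the receiving side unspecified when the "null" host key algorithm is in use: "this message MUST NOT be sent" constrains only the server, and a client that receives SSH_MSG_KEXGSS_HOSTKEY anyway has no stated behaviour. Since K_S is also an input to the exchange hash, a client that silently accepted such a message could end up with a different H from a server that believes no key was sent; a sentence along the lines of "A client that receives SSH_MSG_KEXGSS_HOSTKEY when the "null" host key algorithm was negotiated MUST treat this as a protocol error" would close that gap. Minor: the new text says "key(s) and/or certificate(s)" while the message field reads "server public host key and certificates (K_S)"; using the same wording avoids suggesting that several blobs may be concatenated into the one string.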
skipping to change at page 8, line 37 skipping to change at page 8, line 48
string V_S, the server's version string (CR and NL excluded) string V_S, the server's version string (CR and NL excluded)
string I_C, the payload of the client's SSH_MSG_KEXINIT string I_C, the payload of the client's SSH_MSG_KEXINIT
string I_S, the payload of the server's SSH_MSG_KEXINIT string I_S, the payload of the server's SSH_MSG_KEXINIT
string K_S, the host key string K_S, the host key
mpint e, exchange value sent by the client mpint e, exchange value sent by the client
mpint f, exchange value sent by the server mpint f, exchange value sent by the server
mpint K, the shared secret mpint K, the shared secret
This value is called the exchange hash, and it is used to This value is called the exchange hash, and it is used to
authenticate the key exchange. The exchange hash SHOULD be kept authenticate the key exchange. The exchange hash SHOULD be kept
secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been send by the secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the
client or received by the server, then the empty string is used in server or received by the client, then the empty string is used in
place of K_S when computing the exchange hash. place of K_S when computing the exchange hash.
The GSS_GetMIC call MUST be applied over H, not the original data. The GSS_GetMIC call MUST be applied over H, not the original data.
2.2 gss-group1-sha1-* 2.2 gss-group1-sha1-*
Each of these methods specifies GSSAPI authenticated Diffie-Hellman Each of these methods specifies GSSAPI authenticated Diffie-Hellman
key exchange as described in Section 2.1 with SHA-1 as HASH, and the key exchange as described in Section 2.1 with SHA-1 as HASH, and the
group defined in section 6.1 of [11]. The method name for each group defined in section 6.1 of [11]. The method name for each
method is the concatenation of the string "gss-group1-sha1-" with method is the concatenation of the string "gss-group1-sha1-" with
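Review bot: the corrected clause "sent by the server or received by the client" now agrees with the page 6 hunk, where SSH_MSG_KEXGSS_HOSTKEY is sent by the server; the old text had the directions reversed, which read as the two peers applying the empty-string rule under different conditions and therefore hashing different K_S values. One follow-up for this hunk: the field list labels the input "string K_S, the host key", while the message defines it as "server public host key and certificates (K_S)". Stating that K_S is the exact string carried in SSH_MSG_KEXGSS_HOSTKEY (certificates included) removes any doubt about what is hashed, and matches the "MUST be applied over H" rule for GSS_GetMIC, which only works if both sides build H from byte-identical inputs.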
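The exchange hash described above, as an added worked example that is not part of the draft: it applies the SSH "string" and "mpint" wire encodings to the listed inputs and implements the empty-string rule for K_S when no SSH_MSG_KEXGSS_HOSTKEY was sent. The client version string V_C is assumed as the first hashed field (it precedes V_S in the draft but falls outside the excerpt shown), and all sample values are constructed.

```python
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' encoding for the non-negative DH values e, f and K:
    minimal big-endian two's complement, zero is the empty string, and a
    0x00 byte is prepended when the top bit would otherwise read as a sign."""
    if n < 0:
        raise ValueError("exchange values in this key exchange are non-negative")
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k, hash_name="sha1"):
    """H = HASH(string V_C || string V_S || string I_C || string I_S ||
                string K_S || mpint e || mpint f || mpint K).
    k_s is the blob from SSH_MSG_KEXGSS_HOSTKEY, or None when the server
    sent no such message, in which case the empty string is hashed instead.
    V_C is assumed to lead the list; SHA-1 is the HASH for gss-group1-sha1-*."""
    h = hashlib.new(hash_name)
    for field in (v_c, v_s, i_c, i_s, b"" if k_s is None else k_s):
        h.update(ssh_string(field))
    for value in (e, f, k):
        h.update(ssh_mpint(value))
    return h.digest()


# Constructed sample inputs (not from any real session); real e, f and K
# are 1024-bit group1 values, and I_C/I_S begin with byte 20 and a cookie.
SAMPLE = dict(
    v_c=b"SSH-2.0-exampleclient", v_s=b"SSH-2.0-exampleserver",
    i_c=b"\x14" + b"\x00" * 16 + b"client-kexinit",
    i_s=b"\x14" + b"\x00" * 16 + b"server-kexinit",
    e=0x1234, f=0xABCD, k=0x80,
)


def compare_hostkey_cases() -> tuple:
    """H with a constructed host key blob vs. H under the empty-string rule."""
    with_key = exchange_hash(k_s=b"constructed-hostkey-blob", **SAMPLE)
    without_key = exchange_hash(k_s=None, **SAMPLE)
    return with_key, without_key
```

The GSS_GetMIC call the draft requires is then applied to the returned digest, not to the individual fields.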
skipping to change at page 21, line 11 skipping to change at page 21, line 11
The authors would like to thank Sam Hartman and Simon Wilkinson for The authors would like to thank Sam Hartman and Simon Wilkinson for
their invaluable assistance with this document. their invaluable assistance with this document.
10. Changes the last version 10. Changes the last version
This section lists important changes since the previous version of This section lists important changes since the previous version of
this internet-draft. This section should be removed at the time of this internet-draft. This section should be removed at the time of
publication of this document as an RFC. publication of this document as an RFC.
o Added the SSH_MSG_KEXGSS_ERROR message to allow reporting of o Clarified the encoding of host keys in SSH_MSG_KEXGSS_HOSTKEY.
GSSAPI errors during the key exchange process.
o Added the SSH_MSG_USERAUTH_GSSAPI_ERROR message to allow
reporting of GSSAPI errors during the user authentication process.
o Clarified the handling of
GSS_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE when the client has a
final GSSAPI token to send.
o Added references to RFC2279 (UTF-8) and RFC1176 (language tags).
o Added a missing paragraph specifying that a server accepting a o Fixed a wording error in the description of the exchange hash;
GSSAPI context for key exchange must verify that message the use of the empty string as the host key is dependent on the
integrity protection is available in that context. SSH_MSG_KEXGSS_HOSTKEY message, which is sent by the server and
received by the client, not the other way around.
References References
[1] ISO/IEC, "Specification of Abstract Syntax Notation One [1] ISO/IEC, "Specification of Abstract Syntax Notation One
(ASN.1)", ISO/IEC 8824, November 1998. (ASN.1)", ISO/IEC 8824, November 1998.
[2] Linn, J., "Generic Security Service Application Program [2] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000. Interface Version 2, Update 1", RFC 2743, January 2000.
[3] Kohl, J. and C. Neuman, "The Kerberos Network Authentication [3] Kohl, J. and C. Neuman, "The Kerberos Network Authentication
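Review bot: the section heading "10. Changes the last version" is missing a word on both sides of the diff; "Changes since the last version" matches the body text "changes since the previous version of this internet-draft". The two new list items themselves are accurate: the first corresponds to the added encoding text in the page 6 hunk, and the second describes the sender/receiver correction in the page 8 hunk.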
skipping to change at page 23, line 39 skipping to change at page 23, line 39
Joseph Galbraith Joseph Galbraith
Van Dyke Technologies, Inc. Van Dyke Technologies, Inc.
4848 Tramway Ridge Dr. NE 4848 Tramway Ridge Dr. NE
Suite 101 Suite 101
Albuquerque, NM 87111 Albuquerque, NM 87111
US US
EMail: galb@vandyke.com EMail: galb@vandyke.com
Vol Welch Von Welch
University of Chicago & Argonne National Laboratory University of Chicago & Argonne National Laboratory
Distributed Systems Laboratory Distributed Systems Laboratory
701 E. Washington 701 E. Washington
Urbana, IL 61801 Urbana, IL 61801
US US
EMail: welch@mcs.anl.gov EMail: welch@mcs.anl.gov
Full Copyright Statement Full Copyright Statement
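Review bot: "Vol Welch" to "Von Welch" corrects the author's name in the contact block, bringing it into line with "V. Welch" in the header; nothing else in this hunk changes.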
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/