draft-ietf-secsh-gsskeyex-04.txt   draft-ietf-secsh-gsskeyex-05.txt 
Network Working Group J. Hutzelman Network Working Group J. Hutzelman
Internet-Draft CMU Internet-Draft CMU
Expires: January 3, 2003 J. Salowey Expires: May 4, 2003 J. Salowey
Cisco Systems Cisco Systems
J. Galbraith J. Galbraith
Van Dyke Technologies, Inc. Van Dyke Technologies, Inc.
V. Welch V. Welch
U Chicago / ANL U Chicago / ANL
July 5, 2002 November 3, 2002
GSSAPI Authentication and Key Exchange for the Secure Shell Protocol GSSAPI Authentication and Key Exchange for the Secure Shell Protocol
draft-ietf-secsh-gsskeyex-04 draft-ietf-secsh-gsskeyex-05
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 3, 2003. This Internet-Draft will expire on May 4, 2003.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract Abstract
The Secure Shell protocol (SSH) is a protocol for secure remote The Secure Shell protocol (SSH) is a protocol for secure remote
login and other secure network services over an insecure network. login and other secure network services over an insecure network.
skipping to change at page 10, line 44 skipping to change at page 10, line 44
The GSSAPI authentication method is initiated when the client sends The GSSAPI authentication method is initiated when the client sends
a SSH_MSG_USERAUTH_REQUEST: a SSH_MSG_USERAUTH_REQUEST:
byte SSH_MSG_USERAUTH_REQUEST byte SSH_MSG_USERAUTH_REQUEST
string user name (in ISO-10646 UTF-8 encoding) string user name (in ISO-10646 UTF-8 encoding)
string service name (in US-ASCII) string service name (in US-ASCII)
string "gssapi" (US-ASCII method name) string "gssapi" (US-ASCII method name)
uint32 n, the number of mechanism OIDs client supports uint32 n, the number of mechanism OIDs client supports
string[n] mechanism OIDs string[n] mechanism OIDs
Mechanism OIDs are encoded according to the ASN.1 basic encoding Mechanism OIDs are encoded according to the ASN.1 distinguished
rules (BER), as described in [1] and in section 3.1 of [2]. The encoding rules (DER), as described in [1] and in section 3.1 of [2].
mechanism OIDs MUST be listed in order of preference, and the server The mechanism OIDs MUST be listed in order of preference, and the
must choose the first mechanism OID on the list that it supports. server must choose the first mechanism OID on the list that it
supports.
The client SHOULD NOT send more then one gssapi mechanism OID unless The client SHOULD NOT send more then one gssapi mechanism OID unless
there are no non-GSSAPI authentication methods between the GSSAPI there are no non-GSSAPI authentication methods between the GSSAPI
mechanisms in the order of preference, otherwise, authentication mechanisms in the order of preference, otherwise, authentication
methods may be executed out of order. methods may be executed out of order.
If the server does not support any of the specified OIDs, the server If the server does not support any of the specified OIDs, the server
MUST fail the request by sending a SSH_MSG_USERAUTH_FAILURE packet. MUST fail the request by sending a SSH_MSG_USERAUTH_FAILURE packet.
The user name may be an empty string if it can be deduced from the The user name may be an empty string if it can be deduced from the
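Review bot: switching the "Mechanism OIDs are encoded" sentence from BER to DER pins down the encoding rules but still leaves the wire form of each of the n strings open; state explicitly that a string carries the complete DER encoding of the OID (tag, length and content octets) as it appears in the token header of section 3.1 of [2], so that the byte string the client sends is the same one the server compares when it picks "the first mechanism OID on the list that it supports", and so that two encodings of one mechanism can never be treated as different mechanisms. Two smaller points in the same hunk: "the server must choose" should use the RFC 2119 "MUST" that the surrounding text uses, and "more then one gssapi mechanism OID" should read "more than one".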
skipping to change at page 21, line 11 skipping to change at page 21, line 11
The authors would like to thank Sam Hartman and Simon Wilkinson for The authors would like to thank Sam Hartman and Simon Wilkinson for
their invaluable assistance with this document. their invaluable assistance with this document.
10. Changes the last version 10. Changes the last version
This section lists important changes since the previous version of This section lists important changes since the previous version of
this internet-draft. This section should be removed at the time of this internet-draft. This section should be removed at the time of
publication of this document as an RFC. publication of this document as an RFC.
o Clarified the encoding of host keys in SSH_MSG_KEXGSS_HOSTKEY. o Updated the description of SSH_MSG_USERAUTH_REQUEST to require
that GSSAPI mechanism OID's be encoded per DER rather than BER.
o Fixed a wording error in the description of the exchange hash; o Updated contact information for one of the authors.
the use of the empty string as the host key is dependent on the
SSH_MSG_KEXGSS_HOSTKEY message, which is sent by the server and o Corrected errors in some of the references.
received by the client, not the other way around.
References References
[1] ISO/IEC, "Specification of Abstract Syntax Notation One [1] ISO/IEC, "ASN.1 Encoding Rules: Specification of Basic
(ASN.1)", ISO/IEC 8824, November 1998. Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)", ITU-T Recommendation
X.690 (1997), ISO/IEC 8825-1:1998, November 1998.
[2] Linn, J., "Generic Security Service Application Program [2] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000. Interface Version 2, Update 1", RFC 2743, January 2000.
[3] Kohl, J. and C. Neuman, "The Kerberos Network Authentication [3] Kohl, J. and C. Neuman, "The Kerberos Network Authentication
Service (V5)", RFC 1510, September 1993. Service (V5)", RFC 1510, September 1993.
[4] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC [4] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC
1964, June 1996. 1964, June 1996.
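Review bot: the heading "10. Changes the last version" is missing a word in both columns and should read "Changes since the last version"; in the first new bullet, "OID's" should be "OIDs". The new [1] is the right citation for the DER rule introduced in this revision: the old entry cited ISO/IEC 8824, whose title describes the ASN.1 notation itself, whereas the new entry (X.690 / ISO/IEC 8825-1) is the document whose title names the BER, CER and DER encoding rules that the SSH_MSG_USERAUTH_REQUEST text now relies on.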
skipping to change at page 22, line 52 skipping to change at page 23, line 5
[11] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S. [11] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
Lehtinen, "SSH Transport Layer Protocol", Lehtinen, "SSH Transport Layer Protocol",
draft-ietf-secsh-transport-11.txt (work in progress), November draft-ietf-secsh-transport-11.txt (work in progress), November
2001. 2001.
[12] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S. [12] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
Lehtinen, "SSH Authentication Protocol", Lehtinen, "SSH Authentication Protocol",
draft-ietf-secsh-userauth-13.txt (work in progress), November draft-ietf-secsh-userauth-13.txt (work in progress), November
2001. 2001.
[13] Yergeau, , "UTF-8, a transformation format of ISO 10646", RFC [13] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
2279, January 1998. RFC 2279, January 1998.
[14] Alvestrand, H., "Tags for the Identification of Languages", [14] Alvestrand, H., "Tags for the Identification of Languages",
RFC 1766, March 1995. RFC 1766, March 1995.
Authors' Addresses Authors' Addresses
Jeffrey Hutzelman Jeffrey Hutzelman
Carnegie Mellon University Carnegie Mellon University
5000 Forbes Ave 5000 Forbes Ave
Pittsburgh, PA 15213 Pittsburgh, PA 15213
US US
Phone: +1 412 268 7225 Phone: +1 412 268 7225
EMail: jhutz+@cmu.edu EMail: jhutz+@cmu.edu
URI: http://www.cs.cmu.edu/~jhutz/ URI: http://www.cs.cmu.edu/~jhutz/
Joseph Salowey Joseph Salowey
Cisco Systems Cisco Systems
Bldg 20 2901 Third Avenue
725 Alder Drive Seattle, WA 98121
Milpitas, CA 95035
US US
Phone: +1 408 525 6381 Phone: +1 206 256 3380
EMail: jsalowey@cisco.com EMail: jsalowey@cisco.com
Joseph Galbraith Joseph Galbraith
Van Dyke Technologies, Inc. Van Dyke Technologies, Inc.
4848 Tramway Ridge Dr. NE 4848 Tramway Ridge Dr. NE
Suite 101 Suite 101
Albuquerque, NM 87111 Albuquerque, NM 87111
US US
EMail: galb@vandyke.com EMail: galb@vandyke.com
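Review bot: the [13] fix fills in the missing author initial ("Yergeau, ," becomes "Yergeau, F."), which matches the "Corrected errors in some of the references" entry in section 10. [11] and [12] still cite draft-ietf-secsh-transport-11 and draft-ietf-secsh-userauth-13, both dated November 2001, while this revision is dated November 2002; confirm those are still the current versions of the transport and userauth drafts before the next submission, since the message formats in this document are defined against them.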
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/