Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
RFC 4462

Document Type RFC - Proposed Standard (May 2006; Errata)
Last updated 2013-03-02
Stream IETF
Stream WG state WG Document
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 4462 (Proposed Standard)
Responsible AD Sam Hartman
Send notices to sommerfeld@sun.com, jhutz@cmu.edu
Network Working Group                                       J. Hutzelman
Request for Comments: 4462                                           CMU
Category: Standards Track                                     J. Salowey
                                                           Cisco Systems
                                                            J. Galbraith
                                             Van Dyke Technologies, Inc.
                                                                V. Welch
                                                         U Chicago / ANL
                                                                May 2006

    Generic Security Service Application Program Interface (GSS-API)
  Authentication and Key Exchange for the Secure Shell (SSH) Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The Secure Shell protocol (SSH) is a protocol for secure remote login
   and other secure network services over an insecure network.

   The Generic Security Service Application Program Interface (GSS-API)
   provides security services to callers in a mechanism-independent
   fashion.

   This memo describes methods for using the GSS-API for authentication
   and key exchange in SSH.  It defines an SSH user authentication
   method that uses a specified GSS-API mechanism to authenticate a
   user, and a family of SSH key exchange methods that use GSS-API to
   authenticate a Diffie-Hellman key exchange.

   This memo also defines a new host public key algorithm that can be
   used when no operations are needed using a host's public key, and a
   new user authentication method that allows an authorization name to
   be used in conjunction with any authentication that has already
   occurred as a side-effect of GSS-API-based key exchange.

Hutzelman, et al.           Standards Track                     [Page 1]
RFC 4462                  SSH GSS-API Methods                   May 2006

Table of Contents

   1. Introduction ....................................................3
      1.1. SSH Terminology ............................................3
      1.2. Key Words ..................................................3
   2. GSS-API-Authenticated Diffie-Hellman Key Exchange ...............3
      2.1. Generic GSS-API Key Exchange ...............................4
      2.2. Group Exchange ............................................10
      2.3. gss-group1-sha1-* .........................................11
      2.4. gss-group14-sha1-* ........................................12
      2.5. gss-gex-sha1-* ............................................12
      2.6. Other GSS-API Key Exchange Methods ........................12
   3. GSS-API User Authentication ....................................13
      3.1. GSS-API Authentication Overview ...........................13
      3.2. Initiating GSS-API Authentication .........................13
      3.3. Initial Server Response ...................................14
      3.4. GSS-API Session ...........................................15
      3.5. Binding Encryption Keys ...................................16
      3.6. Client Acknowledgement ....................................16
      3.7. Completion ................................................17
      3.8. Error Status ..............................................17
      3.9. Error Token ...............................................18
   4. Authentication Using GSS-API Key Exchange ......................19
   5. Null Host Key Algorithm ........................................20
   6. Summary of Message Numbers .....................................21
   7. GSS-API Considerations .........................................22
      7.1. Naming Conventions ........................................22
      7.2. Channel Bindings ..........................................22
      7.3. SPNEGO ....................................................23
   8. IANA Considerations ............................................24
   9. Security Considerations ........................................24
   10. Acknowledgements ..............................................25
   11. References ....................................................26
      11.1. Normative References .....................................26
      11.2. Informative References ...................................27
