I'm pleased to be able to announce the availability of my GSSAPI Key
Exchange patch for OpenSSH 4.4p1.

This patch adds RFC4462 compatibility to OpenSSH, along with adding
additional GSSAPI support that is yet to make it into the main tree.

The patch implements:
*) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key
exchange mechanisms. This can be enabled through the
GSSAPIKeyExchange option on both client and server
(bugzilla.mindrot.org #1242)
*) Support for the null host key type
*) Support for CCAPI caches on Mac OS X
(bugzilla.mindrot.org #1245)
*) Don't penalise the client for authentication failures caused by
server misconfiguration
(bugzilla.mindrot.org #1244)
*) Better error reporting when using GSSAPI libraries containing
multiple mechanisms
(bugzilla.mindrot.org #1220)
*) Support for GSSAPI connections to hosts using a round-robin load
balancer, through the GSSAPITrustDNS client option
(bugzilla.mindrot.org #1008)
*) Support for GSSAPI connections to multi-homed hosts with multiple
acceptor names, through the GSSAPIStrictAcceptorCheck server option
(bugzilla.mindrot.org #928)
*) Tidy GSSAPI code separation between client and server
(bugzilla.mindrot.org #1225)

As usual the code is available from

Thanks again to everyone who has sent patches and suggestions over the



Kerberos mailing list Kerberos@mit.edu