aboutsummaryrefslogtreecommitdiff
path: root/doc/draft-ietf-secsh-gsskeyex-06.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/draft-ietf-secsh-gsskeyex-06.txt')
-rw-r--r--doc/draft-ietf-secsh-gsskeyex-06.txt1509
1 files changed, 1509 insertions, 0 deletions
diff --git a/doc/draft-ietf-secsh-gsskeyex-06.txt b/doc/draft-ietf-secsh-gsskeyex-06.txt
new file mode 100644
index 0000000..da44257
--- /dev/null
+++ b/doc/draft-ietf-secsh-gsskeyex-06.txt
@@ -0,0 +1,1509 @@
+
+
+Network Working Group J. Hutzelman
+Internet-Draft CMU
+Expires: August 31, 2003 J. Salowey
+ Cisco Systems
+ J. Galbraith
+ Van Dyke Technologies, Inc.
+ V. Welch
+ U Chicago / ANL
+ March 2, 2003
+
+
+ GSSAPI Authentication and Key Exchange for the Secure Shell Protocol
+ draft-ietf-secsh-gsskeyex-06
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other documents
+ at any time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on August 31, 2003.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ The Secure Shell protocol (SSH) is a protocol for secure remote
+ login and other secure network services over an insecure network.
+
+ The Generic Security Service Application Program Interface (GSS-API)
+ [2] provides security services to callers in a mechanism-independent
+ fashion.
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 1]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+ This memo describes methods for using the GSS-API for authentication
+ and key exchange in SSH. It defines an SSH user authentication
+ method which uses a specified GSSAPI mechanism to authenticate a
+ user, and a family of SSH key exchange methods which use GSSAPI to
+ authenticate the Diffie-Hellman exchange described in [8].
+
+ This memo also defines a new host public key algorithm which can be
+ used when no operations are needed using a host's public key, and a
+ new user authentication method which allows an authorization name to
+ be used in conjunction with any authentication which has already
+ occurred as a side-effect of key exchange.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [5].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 2]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+1. Introduction
+
+ This document describes the methods used to perform key exchange and
+ user authentication in the Secure Shell protocol using the GSSAPI.
+ To do this, it defines a family of key exchange methods, two user
+ authentication methods, and a new host key algorithm. These
+ definitions allow any GSSAPI mechanism to be used with the Secure
+ Shell protocol.
+
+ This document should be read only after reading the documents
+ describing the SSH protocol architecture [6], transport layer
+ protocol [8], and user authentication protocol [9]. This document
+ freely uses terminology and notation from the architecture document
+ without reference or further explanation.
+
+1.1 SSH terminology
+
+ The data types used in the packets are defined in the SSH
+ architecture document [6]. It is particularly important to note the
+ definition of string allows binary content.
+
+ The SSH_MSG_USERAUTH_REQUEST packet refers to a service; this
+ service name is an SSH service name, and has no relationship to
+ GSSAPI service names. Currently, the only defined service name is
+ "ssh-connection", which refers to the SSH connection protocol [7].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 3]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+2. GSSAPI Authenticated Diffie-Hellman Key Exchange
+
+ This section defines a class of key exchange methods which combine
+ the Diffie-Hellman key exchange from section 6 of [8] with mutual
+ authentication using GSSAPI.
+
+ Since the GSSAPI key exchange methods described in this section do
+ not require the use of public key signature or encryption
+ algorithms, they MAY be used with any host key algorithm, including
+ the "null" algorithm described in Section 5.
+
+2.1 Generic GSSAPI Key Exchange
+
+ The following symbols are used in this description:
+
+ o C is the client, and S is the server
+
+ o p is a large safe prime, g is a generator for a subgroup of
+ GF(p), and q is the order of the subgroup
+
+ o V_S is S's version string, and V_C is C's version string
+
+ o I_C is C's KEXINIT message, and I_S is S's KEXINIT message
+
+ 1. C generates a random number x (1 < x < q) and computes e = g^x
+ mod p.
+
+ 2. C calls GSS_Init_sec_context, using the most recent reply token
+ received from S during this exchange, if any. For this call,
+ the client MUST set the mutual_req_flag to "true" to request
+ that mutual authentication be performed. It also MUST set the
+ integ_req_flag to "true" to request that per-message integrity
+ protection be supported for this context. In addition, the
+ deleg_req_flag MAY be set to "true" to request access
+ delegation, if requested by the user. Since the key exchange
+ process authenticates only the host, the setting of the
+ anon_req_flag is immaterial to this process. If the client does
+ not support the "external-keyx" user authentication method
+ described in Section 4, or does not intend to use that method,
+ then the anon_req_flag SHOULD be set to "true". Otherwise, this
+ flag MAY be set to true if the client wishes to hide its
+ identity.
+
+ * If the resulting major_status code is GSS_S_COMPLETE and the
+ mutual_state flag is not true, then mutual authentication has
+ not been established, and the key exchange MUST fail.
+
+ * If the resulting major_status code is GSS_S_COMPLETE and the
+ integ_avail flag is not true, then per-message integrity
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 4]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+ protection is not available, and the key exchange MUST fail.
+
+ * If the resulting major_status code is GSS_S_COMPLETE and both
+ the mutual_state and integ_avail flags are true, the
+ resulting output token is sent to S.
+
+ * If the resulting major_status code is GSS_S_CONTINUE_NEEDED,
+ the the output_token is sent to S, which will reply with a
+ new token to be provided to GSS_Init_sec_context.
+
+ * The client MUST also include "e" with the first message it
+ sends to the server during this process; if the server
+ receives more than one "e" or none at all, the key exchange
+ fails.
+
+ * It is an error if the call does not produce a token of
+ non-zero length to be sent to the server. In this case, the
+ key exchange MUST fail.
+
+ 3. S calls GSS_Accept_sec_context, using the token received from C.
+
+ * If the resulting major_status code is GSS_S_COMPLETE and the
+ mutual_state flag is not true, then mutual authentication has
+ not been established, and the key exchange MUST fail.
+
+ * If the resulting major_status code is GSS_S_COMPLETE and the
+ integ_avail flag is not true, then per-message integrity
+ protection is not available, and the key exchange MUST fail.
+
+ * If the resulting major_status code is GSS_S_COMPLETE and both
+ the mutual_state and integ_avail flags are true, then the
+ security context has been established, and processing
+ continues with step 4.
+
+ * If the resulting major_status code is GSS_S_CONTINUE_NEEDED,
+ then the output token is sent to C, and processing continues
+ with step 2.
+
+ * If the resulting major_status code is GSS_S_COMPLETE, but a
+ non-zero-length reply token is returned, then that token is
+ sent to the client.
+
+ 4. S generates a random number y (0 < y < q) and computes f = g^y
+ mod p. It computes K = e ^ y mod p, and H = hash(V_C || V_S ||
+ I_C || I_S || K_S || e || f || K). It then calls GSS_GetMIC to
+ obtain a GSSAPI message integrity code for H. S then sends f
+ and the MIC to C.
+
+ 5. This step is performed only if the server's final call to
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 5]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+ GSS_Accept_sec_context produced a non-zero-length final reply
+ token to be sent to the client _and_ no previous call by the
+ client to GSS_Init_sec_context has resulted in a major_status of
+ GSS_S_COMPLETE. Under these conditions, the client makes an
+ additional call to GSS_Init_sec_context to process the final
+ reply token. This call is made exactly as described above.
+ However, if the resulting major_status is anything other than
+ GSS_S_COMPLETE, or a non-zero-length token is returned, it is an
+ error and the key exchange MUST fail.
+
+ 6. C computes K = f^x mod p, and H = hash(V_C || V_S || I_C || I_S
+ || K_S || e || f || K). It then calls GSS_VerifyMIC to verify
+ that the MIC sent by S matches H.
+
+ Either side MUST NOT send or accept e or f values that are not in
+ the range [1, p-1]. If this condition is violated, the key exchange
+ fails.
+
+ If any call to GSS_Init_sec_context or GSS_Accept_sec_context
+ returns a major_status other than GSS_S_COMPLETE or
+ GSS_S_CONTINUE_NEEDED, or any other GSSAPI call returns a
+ major_status other than GSS_S_COMPLETE, the key exchange fails. In
+ this case, several mechanisms are available for communicating error
+ information to the peer before terminating the connection as
+ required by [8]:
+
+ o If the key exchange fails due to any GSSAPI error on the server
+ (including errors returned by GSS_Accept_sec_context), the server
+ MAY send a message informing the client of the details of the
+ error. In this case, if an error token is also sent (see below),
+ then this message MUST be sent before the error token.
+
+ o If the key exchange fails due to a GSSAPI error returned from the
+ server's call to GSS_Accept_sec_context, and an "error token" is
+ also returned, then the server SHOULD send the error token to the
+ client to allow completion of the GSS security exchange.
+
+ o If the key exchange fails due to a GSSAPI error returned from the
+ client's call to GSS_Init_sec_context, and an "error token" is
+ also returned, then the client SHOULD send the error token to the
+ server to allow completion of the GSS security exchange.
+
+ As noted in Section 9, it may be desirable under site security
+ policy to obscure information about the precise nature of the error;
+ thus, it is RECOMMENDED that implementations provide a method to
+ suppress these messages as a matter of policy.
+
+ This is implemented with the following messages. The hash algorithm
+ for computing the exchange hash is defined by the method name, and
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 6]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+ is called HASH. The group used for Diffie-Hellman key exchange and
+ the underlying GSSAPI mechanism are also defined by the method name.
+
+ After the client's first call to GSS_Init_sec_context, it sends the
+ following:
+
+ byte SSH_MSG_KEXGSS_INIT
+ string output_token (from GSS_Init_sec_context)
+ mpint e
+
+ Upon receiving the SSH_MSG_KEXGSS_INIT message, the server MAY send
+ the following message, prior to any other messages, to inform the
+ client of its host key.
+
+ byte SSH_MSG_KEXGSS_HOSTKEY
+ string server public host key and certificates (K_S)
+
+ Since this key exchange method does not require the host key to be
+ used for any encryption operations, this message is OPTIONAL. If
+ the "null" host key algorithm described in Section 5 is used, this
+ message MUST NOT be sent. If this message is sent, the server
+ public host key(s) and/or certificate(s) in this message are encoded
+ as a single string, in the format specified by the public key type
+ in use (see [8], section 4.6).
+
+ Each time the server's call to GSS_Accept_sec_context returns a
+ major_status code of GSS_S_CONTINUE_NEEDED, it sends the following
+ reply to the client:
+
+ byte SSH_MSG_KEXGSS_CONTINUE
+ string output_token (from GSS_Accept_sec_context)
+
+ If the client receives this message after a call to
+ GSS_Init_sec_context has returned a major_status code of
+ GSS_S_COMPLETE, a protocol error has occurred and the key exchange
+ MUST fail.
+
+ Each time the client receives the message described above, it makes
+ another call to GSS_Init_sec_context. It then sends the following:
+
+ byte SSH_MSG_KEXGSS_CONTINUE
+ string output_token (from GSS_Init_sec_context)
+
+ The server and client continue to trade these two messages as long
+ as the server's calls to GSS_Accept_sec_context result in
+ major_status codes of GSS_S_CONTINUE_NEEDED. When a call results in
+ a major_status code of GSS_S_COMPLETE, it sends one of two final
+ messages.
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 7]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+ If the server's final call to GSS_Accept_sec_context (resulting in a
+ major_status code of GSS_S_COMPLETE) returns a non-zero-length token
+ to be sent to the client, it sends the following:
+
+ byte SSH_MSG_KEXGSS_COMPLETE
+ mpint f
+ string per_msg_token (MIC of H)
+ boolean TRUE
+ string output_token (from GSS_Accept_sec_context)
+
+ If the client receives this message after a call to
+ GSS_Init_sec_context has returned a major_status code of
+ GSS_S_COMPLETE, a protocol error has occurred and the key exchange
+ MUST fail.
+
+ If the server's final call to GSS_Accept_sec_context (resulting in a
+ major_status code of GSS_S_COMPLETE) returns a zero-length token or
+ no token at all, it sends the following:
+
+ byte SSH_MSG_KEXGSS_COMPLETE
+ mpint f
+ string per_msg_token (MIC of H)
+ boolean FALSE
+
+ If the client receives this message when no call to
+ GSS_Init_sec_context has yet resulted in a major_status code of
+ GSS_S_COMPLETE, a protocol error has occurred and the key exchange
+ MUST fail.
+
+ If either the client's call to GSS_Init_sec_context or the server's
+ call to GSS_Accept_sec_context returns an error status and produces
+ an output token (called an "error token"), then the following SHOULD
+ be sent to convey the error information to the peer:
+
+ byte SSH_MSG_KEXGSS_CONTINUE
+ string error_token
+
+ If a server sends both this message and an SSH_MSG_KEXGSS_ERROR
+ message, the SSH_MSG_KEXGSS_ERROR message MUST be sent first, to
+ allow clients to record and/or display the error information before
+ processing the error token. This is important because a client
+ processing an error token will likely disconnect without reading any
+ further messages.
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 8]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+ In the event of a GSSAPI error on the server, the server MAY send
+ the following message before terminating the connection:
+
+ byte SSH_MSG_KEXGSS_ERROR
+ uint32 major_status
+ uint32 minor_status
+ string message
+ string language tag
+
+ The message text MUST be encoded in the UTF-8 encoding described in
+ [10]. Language tags are those described in [11]. Note that the
+ message text may contain multiple lines separated by carriage
+ return-line feed (CRLF) sequences. Application developers should
+ take this into account when displaying these messages.
+
+ The hash H is computed as the HASH hash of the concatenation of the
+ following:
+
+ string V_C, the client's version string (CR and NL excluded)
+ string V_S, the server's version string (CR and NL excluded)
+ string I_C, the payload of the client's SSH_MSG_KEXINIT
+ string I_S, the payload of the server's SSH_MSG_KEXINIT
+ string K_S, the host key
+ mpint e, exchange value sent by the client
+ mpint f, exchange value sent by the server
+ mpint K, the shared secret
+
+ This value is called the exchange hash, and it is used to
+ authenticate the key exchange. The exchange hash SHOULD be kept
+ secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the
+ server or received by the client, then the empty string is used in
+ place of K_S when computing the exchange hash.
+
+ The GSS_GetMIC call MUST be applied over H, not the original data.
+
+2.2 gss-group1-sha1-*
+
+ Each of these methods specifies GSSAPI authenticated Diffie-Hellman
+ key exchange as described in Section 2.1 with SHA-1 as HASH, and the
+ group defined in section 6.1 of [8]. The method name for each
+ method is the concatenation of the string "gss-group1-sha1-" with
+ the Base64 encoding of the MD5 hash [3] of the ASN.1 DER encoding
+ [1] of the underlying GSSAPI mechanism's OID. Base64 encoding is
+ described in section 6.8 of [4].
+
+ Each and every such key exchange method is implicitly registered by
+ this specification. The IESG is considered to be the owner of all
+ such key exchange methods; this does NOT imply that the IESG is
+ considered to be the owner of the underlying GSSAPI mechanism.
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 9]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+2.3 Other GSSAPI key exchange methods
+
+ Key exchange method names starting with "gss-" are reserved for key
+ exchange methods which conform to this document; in particular, for
+ those methods which use the GSSAPI authenticated Diffie-Hellman key
+ exchange algorithm described in Section 2.1, including any future
+ methods which use different groups and/or hash functions. The
+ intent is that the names for any such future methods methods be
+ defined in a similar manner to that used in Section 2.2.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 10]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+3. GSSAPI User Authentication
+
+ This section describes a general-purpose user authentication method
+ based on [2]. It is intended to be run over the SSH user
+ authentication protocol [9].
+
+ The authentication method name for this protocol is "gssapi".
+
+3.1 GSSAPI Authentication Overview
+
+ GSSAPI authentication must maintain a context. Authentication
+ begins when the client sends a SSH_MSG_USERAUTH_REQUEST, which
+ specifies the mechanism OIDs the client supports.
+
+ If the server supports any of the requested mechanism OIDs, the
+ server sends a SSH_MSG_USERAUTH_GSSAPI_RESPONSE message containing
+ the mechanism OID.
+
+ After the client receives SSH_MSG_USERAUTH_GSSAPI_RESPONSE, the
+ client and server exchange SSH_MSG_USERAUTH_GSSAPI_TOKEN packets
+ until the authentication mechanism either succeeds or fails.
+
+ If at any time during the exchange, the client sends a new
+ SSH_MSG_USERAUTH_REQUEST packet, the GSSAPI context is completely
+ discarded and destroyed, and any further GSSAPI authentication MUST
+ restart from the beginning.
+
+3.2 Initiating GSSAPI authentication
+
+ The GSSAPI authentication method is initiated when the client sends
+ a SSH_MSG_USERAUTH_REQUEST:
+
+ byte SSH_MSG_USERAUTH_REQUEST
+ string user name (in ISO-10646 UTF-8 encoding)
+ string service name (in US-ASCII)
+ string "gssapi" (US-ASCII method name)
+ uint32 n, the number of mechanism OIDs client supports
+ string[n] mechanism OIDs
+
+ Mechanism OIDs are encoded according to the ASN.1 distinguished
+ encoding rules (DER), as described in [1] and in section 3.1 of [2].
+ The mechanism OIDs MUST be listed in order of preference, and the
+ server must choose the first mechanism OID on the list that it
+ supports.
+
+ The client SHOULD NOT send more then one gssapi mechanism OID unless
+ there are no non-GSSAPI authentication methods between the GSSAPI
+ mechanisms in the order of preference, otherwise, authentication
+ methods may be executed out of order.
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 11]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+ If the server does not support any of the specified OIDs, the server
+ MUST fail the request by sending a SSH_MSG_USERAUTH_FAILURE packet.
+
+ The user name may be an empty string if it can be deduced from the
+ results of the gssapi authentication. If the user name is not
+ empty, and the requested user does not exist, the server MAY
+ disconnect, or MAY send a bogus list of acceptable authentications
+ but never accept any. This makes it possible for the server to
+ avoid disclosing information about which accounts exist. In any
+ case, if the user does not exist, the authentication request MUST
+ NOT be accepted.
+
+ The client MAY at any time continue with a new
+ SSH_MSG_USERAUTH_REQUEST message, in which case the server MUST
+ abandon the previous authentication attempt and continue with the
+ new one.
+
+3.3 Initial server response
+
+ The server responds to the SSH_MSG_USERAUTH_REQUEST with either a
+ SSH_MSG_USERAUTH_FAILURE if none of the mechanisms are supported, or
+ with SSH_MSG_USERAUTH_GSSAPI_RESPONSE as follows:
+
+ byte SSH_MSG_USERAUTH_GSSAPI_RESPONSE
+ string selected mechanism OID
+
+ The mechanism OID must be one of the OIDs sent by the client in the
+ SSH_MSG_USERAUTH_REQUEST packet.
+
+3.4 GSSAPI session
+
+ Once the mechanism OID has been selected, the client will then
+ initiate an exchange of one or more pairs of
+ SSH_MSG_USERAUTH_GSSAPI_TOKEN packets. These packets contain the
+ tokens produced from the 'GSS_Init_sec_context()' and
+ 'GSS_Accept_sec_context()' calls. The actual number of packets
+ exchanged is determined by the underlying GSSAPI mechanism.
+
+ byte SSH_MSG_USERAUTH_GSSAPI_TOKEN
+ string data returned from either GSS_Init_sec_context()
+ or GSS_Accept_sec_context()
+
+ If an error occurs during this exchange on server side, the server
+ can terminate the method by sending a SSH_MSG_USERAUTH_FAILURE
+ packet. If an error occurs on client side, the client can terminate
+ the method by sending a new SSH_MSG_USERAUTH_REQUEST packet.
+
+ The client MAY use the deleg_req_flag in calls to
+ GSS_Init_sec_context() to request credential delegation.
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 12]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+ Additional SSH_MSG_USERAUTH_GSSAPI_TOKEN messages are sent if and
+ only if the calls to the GSSAPI routines produce send tokens of
+ non-zero length.
+
+ Any major status code other than GSS_S_COMPLETE or
+ GSS_S_CONTINUE_NEEDED SHOULD be a failure.
+
+3.5 Client acknowledgement
+
+ It is possible for the server to successfully complete the GSSAPI
+ method and the client to fail. If the server simply assumed success
+ on the part of the client and completed the authentication service,
+ it is possible that the client would fail to complete the
+ authentication method, but not be able to retry other methods
+ because the server had already moved on.
+
+ Therefore, the client MUST send the following message when it has
+ successfully called GSS_Init_sec_context() and gotten GSS_S_COMPLETE:
+
+ byte SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE
+
+ This message MUST be sent if and only if GSS_Init_sec_context()
+ returned GSS_S_COMPLETE. If a token is returned then the
+ SSH_MSG_USERAUTH_GSSAPI_TOKEN message MUST be sent before this one.
+
+ If GSS_Init_sec_context() failed, the client MUST terminate the
+ method by sending a new SSH_MSG_USERAUTH_REQUEST. or by closing the
+ connection
+
+3.6 Completion
+
+ As with all SSH authentication methods, successful completion is
+ indicated by a SSH_MSG_USERAUTH_SUCCESS if no other authentication
+ is required, or a SSH_MSG_USERAUTH_FAILURE with the partial success
+ flag set if the server requires further authentication.
+
+ This packet should be sent immediately following receipt of the the
+ SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE packet.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 13]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+3.7 Error Status
+
+ In the event a GSSAPI error occurs on the server during context
+ establishment, the server MAY send the following message to inform
+ the client of the details of the error before sending a
+ SSH_MSG_USERAUTH_FAILURE message:
+
+ byte SSH_MSG_USERAUTH_GSSAPI_ERROR
+ uint32 major_status
+ uint32 minor_status
+ string message
+ string language tag
+
+ The message text MUST be encoded in the UTF-8 encoding described in
+ [10]. Language tags are those described in [11]. Note that the
+ message text may contain multiple lines separated by carriage
+ return-line feed (CRLF) sequences. Application developers should
+ take this into account when displaying these messages.
+
+ Clients receiving this message MAY log the error details and/or
+ report them to the user. Any server sending this message MUST
+ ignore any SSH_MSG_UNIMPLEMENTED sent by the client in response.
+
+3.8 Error Token
+
+ In the event that, during context establishment, a client's call to
+ GSS_Init_sec_context or a server's call to GSS_Accept_sec_context
+ returns a token along with an error status, the resulting "error
+ token" SHOULD be sent to the peer using the following message:
+
+ byte SSH_MSG_USERAUTH_GSSAPI_ERRTOK
+ string error token
+
+ This message implies that the authentication is about to fail, and
+ is defined to allow the error token to be communicated without
+ losing synchronization.
+
+ When a server sends this message, it MUST be followed by a
+ SSH_MSG_USERAUTH_FAILURE message, which is to be interpreted as
+ applying to the same authentication request. A client receiving
+ this message SHOULD wait for the following SSH_MSG_USERAUTH_FAILURE
+ message before beginning another authentication attempt.
+
+ When a client sends this message, it MUST be followed by a new
+ authentication request or by terminating the connection. A server
+ receiving this message MUST NOT send a SSH_MSG_USERAUTH_FAILURE in
+ reply, since such a message might otherwise be interpreted by a
+ client as a response to the following authentication sequence.
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 14]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+ Any server sending this message MUST ignore any
+ SSH_MSG_UNIMPLEMENTED sent by the client in response. If a server
+ sends both this message and an SSH_MSG_USERAUTH_GSSAPI_ERROR
+ message, the SSH_MSG_USERAUTH_GSSAPI_ERROR message MUST be sent
+ first, to allow the client to store and/or display the error status
+ before processing the error token.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 15]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+4. External Key Exchange User Authentication
+
+ This section describes a user authentication method building on the
+ framework described in [9]. This method relies upon the key
+ exchange to authenticate both the client and the server. If the key
+ exchange did not successfully perform these functions then the
+ server MUST always respond to this request with
+ SSH_MSG_USERAUTH_FAILURE with partial success set to false.
+
+ The new mechanism is defined as follows:
+
+ byte SSH_MSG_USERAUTH_REQUEST
+ string user name (in ISO-10646 UTF-8 encoding)
+ string service name (in US-ASCII)
+ string "external-keyx" (US-ASCII method name)
+
+ If the authentication performed as part of key exchange can be used
+ to authorize login as the requested user, this method is successful,
+ and the server responds with SSH_MSG_USERAUTH_SUCCESS if no more
+ authentications are needed, or with SSH_MSG_USERAUTH_FAILURE with
+ partial success set to true if more authentications are needed.
+
+ If the authentication performed as part of key-exchange cannot be
+ used to authorize login as the requested user, then
+ SSH_MSG_USERAUTH_FAILURE is returned with partial success set to
+ false.
+
+ If the user name is not empty, and the requested user does not
+ exist, the server MAY disconnect, or MAY send a bogus list of
+ acceptable authentications but never accept any. This makes it
+ possible for the server to avoid disclosing information about which
+ accounts exist. In any case, if the user does not exist, the
+ authentication request MUST NOT be accepted.
+
+ Any implementation supporting at least one key exchange method which
+ conforms to section 1 of this document SHOULD also support the
+ "external-keyx" user authentication method, in order to allow user
+ authentication to be performed at the same time as key exchange,
+ thereby reducing the number of round trips needed for connection
+ setup.
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 16]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+5. Null Host Key Algorithm
+
+ The "null" host key algorithm has no associated host key material,
+ and provides neither signature nor encryption algorithms. Thus, it
+ can be used only with key exchange methods that do not require any
+ public-key operations and do not require the use of host public key
+ material. The key exchange methods described in section 1 of this
+ document are examples of such methods.
+
+ This algorithm is used when, as a matter of configuration, the host
+ does not have or does not wish to use a public key. For example, it
+ can be used when the administrator has decided as a matter of policy
+ to require that all key exchanges be authenticated using Kerberos
+ [12], and thus the only permitted key exchange method is the
+ GSSAPI-authenticated Diffie-Hellman exchange described above, with
+ Kerberos V5 as the underlying GSSAPI mechanism. In such a
+ configuration, the server implementation supports the "ssh-dss" key
+ algorithm (as required by [8]), but could be prohibited by
+ configuration from using it. In this situation, the server needs
+ some key exchange algorithm to advertise; the "null" algorithm fills
+ this purpose.
+
+ Note that the use of the "null" algorithm in this way means that the
+ server will not be able to interoperate with clients which do not
+ support this algorithm. This is not a significant problem, since in
+ the configuration described, it will also be unable to interoperate
+ with implementations that do not support the GSSAPI-authenticated
+ key exchange and Kerberos.
+
+ Any implementation supporting at least one key exchange method which
+ conforms to section 1 of this document MUST also support the "null"
+ host key algorithm. Servers MUST NOT advertise the "null" host key
+ algorithm unless it is the only algorithm advertised.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 17]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+6. Summary of Message Numbers
+
+ The following message numbers have been defined for use with
+ GSSAPI-based key exchange methods:
+
+ #define SSH_MSG_KEXGSS_INIT 30
+ #define SSH_MSG_KEXGSS_CONTINUE 31
+ #define SSH_MSG_KEXGSS_COMPLETE 32
+ #define SSH_MSG_KEXGSS_HOSTKEY 33
+ #define SSH_MSG_KEXGSS_ERROR 34
+
+ The numbers 30-49 are specific to key exchange and may be redefined
+ by other kex methods.
+
+ The following message numbers have been defined for use with the
+ 'gssapi' user authentication method:
+
+ #define SSH_MSG_USERAUTH_GSSAPI_RESPONSE 60
+ #define SSH_MSG_USERAUTH_GSSAPI_TOKEN 61
+ #define SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63
+ #define SSH_MSG_USERAUTH_GSSAPI_ERROR 64
+
+ The numbers 60-79 are specific to user authentication and may be
+ redefined by other user auth methods. Note that in the method
+ described in this document, message number 62 is unused.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 18]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+7. GSSAPI Considerations
+
+7.1 Naming Conventions
+
+ In order to establish a GSSAPI security context, the SSH client
+ needs to determine the appropriate targ_name to use in identifying
+ the server when calling GSS_Init_sec_context. For this purpose, the
+ GSSAPI mechanism-independent name form for host-based services is
+ used, as described in section 4.1 of [2].
+
+ In particular, the targ_name to pass to GSS_Init_sec_context is
+ obtained by calling GSS_Import_name with an input_name_type of
+ GSS_C_NT_HOSTBASED_SERVICE, and an input_name_string consisting of
+ the string "host@" concatenated with the hostname of the SSH server.
+
+7.2 Channel Bindings
+
+ This document recommends that channel bindings SHOULD NOT be
+ specified in the calls during context establishment. This document
+ does not specify any standard data to be used as channel bindings
+ and the use of network addresses as channel bindings may break SSH
+ in environments where it is most useful.
+
+7.3 SPNEGO
+
+ The use of the Simple and Protected GSS-API Negotiation Mechanism
+ [14] in conjunction with the authentication and key exchange methods
+ described in this document is both unnecessary and undesirable. As
+ a result, mechanisms conforming to this document MUST NOT use SPNEGO
+ as the underlying GSSAPI mechanism.
+
+ Since SSH performs its own negotiation of authentication and key
+ exchange methods, the negotiation capability of SPNEGO alone does
+ not provide any added benefit. In fact, as described below, it has
+ the potential to result in the use of a weaker method than desired.
+
+ Normally, SPNEGO provides the added benefit of protecting the GSSAPI
+ mechanism negotiation. It does this by having the server compute a
+ MIC of the list of mechanisms proposed by the client, and then
+ checking that value at the client. In the case of key exchange,
+ this protection is not needed because the key exchange methods
+ described here already perform an equivalent operation; namely, they
+ generate a MIC of the SSH exchange hash, which is a hash of several
+ items including the lists of key exchange mechanisms supported by
+ both sides. In the case of user authentication, the protection is
+ not needed because the negotiation occurs over a secure channel, and
+ the host's identity has already been proved to the user.
+
+ The use of SPNEGO combined with GSSAPI mechanisms used without
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 19]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+ SPNEGO can lead to interoperability problems. For example, a client
+ which supports key exchange using the Kerberos V5 GSSAPI mechanism
+ [13] only underneath SPNEGO will not interoperate with a server
+ which supports key exchange only using the Kerberos V5 GSSAPI
+ mechanism directly. As a result, allowing GSSAPI mechanisms to be
+ used both with and without SPNEGO is undesirable.
+
+ If a client's policy is to first prefer GSSAPI-based key exchange
+ method X, then non-GSSAPI method Y, then GSSAPI-based method Z, and
+ if a server supports mechanisms Y and Z but not X, then an attempt
+ to use SPNEGO to negotiate a GSSAPI mechanism might result in the
+ use of method Z when method Y would have been preferable. As a
+ result, the use of SPNEGO could result in the subversion of the
+ negotiation algorithm for key exchange methods as described in
+ section 5.1 of [8] and/or the negotiation algorithm for user
+ authentication methods as described in [9].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 20]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+8. IANA Considerations
+
+ Consistent with section 7 of [6], the IANA is directed to make the
+ following registrations:
+
+ The family of SSH key exchange method names beginning with
+ "gss-group1-sha1-" and not containing the at-sign ('@'), to name
+ the key exchange methods defined in Section 2.2.
+
+ All other SSH key exchange method names beginning with "gss-" and
+ not containing the at-sign ('@'), to be reserved for future key
+ exchange methods defined in conformance with this document, as
+ noted in Section 2.3.
+
+ The SSH host public key algorithm name "null", to name the NULL
+ host key algorithm defined in Section 5.
+
+ The SSH user authentication method name "gssapi", to name the
+ GSSAPI user authentication method defined in Section 3.
+
+ The SSH user authentication method name "external-keyx", to name
+ the "external key-exchange" user authentication method defined in
+ Section 4.
+
+ This document creates no new registries.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 21]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+9. Security Considerations
+
+ This document describes authentication and key-exchange protocols.
+ As such, security considerations are discussed throughout.
+
+ This protocol depends on the SSH protocol itself, the GSSAPI, any
+ underlying GSSAPI mechanisms which are used, and any protocols on
+ which such mechanisms might depend. Each of these components plays
+ a part in the security of the resulting connection, and each will
+ have its own security considerations.
+
+ The key exchange method described in section 1 of this document
+ depends on the underlying GSSAPI mechanism to provide both mutual
+ authentication and per-message integrity services. If either of
+ these features is not supported by a particular GSSAPI mechanism, or
+ by a particular implementation of a GSSAPI mechanism, then the key
+ exchange is not secure and MUST fail.
+
+ In order for the "external-keyx" user authentication method to be
+ used, it MUST have access to user authentication information
+ obtained as a side-effect of the key exchange. If this information
+ is unavailable, the authentication MUST fail.
+
+ Revealing information about the reason for an authentication failure
+ may be considered by some sites to be an unacceptable security risk
+ for a production environment. However, having that information
+ available can be invaluable for debugging purposes. Thus, it is
+ RECOMMENDED that implementations provide a means for controlling, as
+ a matter of policy, whether to send SSH_MSG_USERAUTH_GSSAPI_ERROR,
+ SSH_MSG_USERAUTH_GSSAPI_ERRTOK, and SSH_MSG_KEXGSS_ERROR messages,
+ and SSH_MSG_KEXGEE_CONTINUE messages containing a GSSAPI error token.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 22]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+10. Acknowledgements
+
+ The authors would like to thank Sam Hartman, Simon Wilkinson, and
+ Nicolas Williams for their invaluable assistance with this document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 23]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+11. Changes the last version
+
+ This section lists important changes since the previous version of
+ this internet-draft. This section should be removed at the time of
+ publication of this document as an RFC.
+
+ o Improved the description of error handling during key exchange.
+
+ o Specified that SSH_MSG_GSSKEX_CONTINUE SHOULD be used to send
+ error tokens in the event of a failure of GSS_Init_sec_context or
+ GSS_Accept_sec_context during key exchange.
+
+ o Made SSH_MSG_GSSKEX_ERROR be OPTIONAL instead of RECOMMENDED.
+
+ o Specified a new SSH_MSG_USERAUTH_GSSAPI_ERRTOK message which
+ SHOULD be used to send error tokens in the event of a failure of
+ GSS_Init_sec_context or GSS_Accept_sec_context during user
+ authentication.
+
+ o Made SSH_MSG_USERAUTH_GSSAPI_ERROR be OPTIONAL instead of
+ RECOMMENDED.
+
+ o Added IANA considerations section.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 24]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+Normative References
+
+ [1] ISO/IEC, "ASN.1 Encoding Rules: Specification of Basic
+ Encoding Rules (BER), Canonical Encoding Rules (CER) and
+ Distinguished Encoding Rules (DER)", ITU-T Recommendation
+ X.690 (1997), ISO/IEC 8825-1:1998, November 1998.
+
+ [2] Linn, J., "Generic Security Service Application Program
+ Interface Version 2, Update 1", RFC 2743, January 2000.
+
+ [3] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
+ April 1992.
+
+ [4] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
+ Extensions (MIME) Part One: Format of Internet Message
+ Bodies", RFC 2045, November 1996.
+
+ [5] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", RFC 2119, BCP 14, March 1997.
+
+ [6] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
+ Lehtinen, "SSH Protocol Architecture",
+ draft-ietf-secsh-architecture-11.txt (work in progress),
+ November 2001.
+
+ [7] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
+ Lehtinen, "SSH Connection Protocol",
+ draft-ietf-secsh-connect-14.txt (work in progress), November
+ 2001.
+
+ [8] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
+ Lehtinen, "SSH Transport Layer Protocol",
+ draft-ietf-secsh-transport-11.txt (work in progress), November
+ 2001.
+
+ [9] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
+ Lehtinen, "SSH Authentication Protocol",
+ draft-ietf-secsh-userauth-13.txt (work in progress), November
+ 2001.
+
+ [10] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
+ RFC 2279, January 1998.
+
+ [11] Alvestrand, H., "Tags for the Identification of Languages",
+ RFC 1766, March 1995.
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 25]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+Non-normative References
+
+ [12] Kohl, J. and C. Neuman, "The Kerberos Network Authentication
+ Service (V5)", RFC 1510, September 1993.
+
+ [13] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC
+ 1964, June 1996.
+
+ [14] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API
+ Negotiation Mechanism", RFC 2478, December 1998.
+
+
+Authors' Addresses
+
+ Jeffrey Hutzelman
+ Carnegie Mellon University
+ 5000 Forbes Ave
+ Pittsburgh, PA 15213
+ US
+
+ Phone: +1 412 268 7225
+ EMail: jhutz+@cmu.edu
+ URI: http://www.cs.cmu.edu/~jhutz/
+
+
+ Joseph Salowey
+ Cisco Systems
+ 2901 Third Avenue
+ Seattle, WA 98121
+ US
+
+ Phone: +1 206 256 3380
+ EMail: jsalowey@cisco.com
+
+
+ Joseph Galbraith
+ Van Dyke Technologies, Inc.
+ 4848 Tramway Ridge Dr. NE
+ Suite 101
+ Albuquerque, NM 87111
+ US
+
+ EMail: galb@vandyke.com
+
+
+ Von Welch
+ University of Chicago & Argonne National Laboratory
+ Distributed Systems Laboratory
+ 701 E. Washington
+ Urbana, IL 61801
+ US
+
+ EMail: welch@mcs.anl.gov
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 26]
+
+Internet-Draft SSH GSSAPI Methods March 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph
+ are included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hutzelman, et. al. Expires August 31, 2003 [Page 27]
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-20 06:12:25 +0000