Client and Server Configuration
Both the client and the server use a similar configuration data format.
The name of the GSSAPI method is gssapi. It can be specified with the AllowedAuthentications keyword in the ssh2_config and sshd2_config configuration files.
There is a GSSAPI-related keyword, GSSAPI.AllowedMethods, which specifies the actual mechanisms that are to be used through GSSAPI. Only the Kerberos mechanism is supported on Unix.
For the Kerberos authentication to function through GSSAPI, both the
client and server will need to be configured to use Kerberos.
If GSSAPI.AllowOldMethodWhichIsInsecure is selected, GSSAPI authentication will drop back to the old GSSAPI method (without Message Integrity Code) if the new GSSAPI method (gssapi-with-mic) fails. As the GSSAPI with MIC method is not yet widely supported, GSSAPI.AllowOldMethodWhichIsInsecure is selected by default.
GSSAPI.Dlls specifies where the necessary GSSAPI libraries are located. If this option is not specified, the libraries will be searched for in a number of common locations. This configuration option takes a comma-separated list as an argument. The full path to the libraries should be given.
The following is a sample GSSAPI configuration from the ssh2_config configuration file:
AllowedAuthentications gssapi,password
...
GSSAPI.AllowedMethods kerberos
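The following audit script is an added example, not part of the SSH Tectia documentation or product. It reads a configuration in the layout shown above and reports when the fallback to GSSAPI without MIC is left at its default or enabled, and when GSSAPI.Dlls is unset or lists an entry that is not a full path. It assumes whitespace-separated keyword/value lines, case-insensitive keywords, "#" comments and yes/no values for the fallback keyword; the sample input and its library paths are constructed.

```python
import posixpath

# Constructed sample in the keyword/value layout of the ssh2_config excerpt above.
SAMPLE = """\
# constructed sample, not taken from a real host
AllowedAuthentications gssapi,password
GSSAPI.AllowedMethods kerberos
GSSAPI.Dlls /usr/lib/libgssapi_krb5.so,libgss.so
"""

def parse(text):
    """Map lowercased keyword -> value. Assumes 'Keyword value' lines, '#' comments."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:  # skips blank lines and single-token lines such as '...'
            settings[parts[0].lower()] = parts[1].strip()
    return settings

def audit(text):
    """Return (code, message) findings for the GSSAPI keywords described above."""
    cfg, findings = parse(text), []
    allowed = cfg.get("allowedauthentications")
    if allowed is not None and "gssapi" not in [m.strip().lower() for m in allowed.split(",")]:
        return findings  # gssapi explicitly not offered in this file
    old = cfg.get("gssapi.allowoldmethodwhichisinsecure")
    if old is None:
        findings.append(("OLD_METHOD_DEFAULT",
                         "fallback to GSSAPI without MIC is selected by default; set it explicitly"))
    elif old.lower() != "no":  # assumption: the keyword takes yes/no
        findings.append(("OLD_METHOD_ENABLED", "fallback to GSSAPI without MIC is enabled"))
    if "gssapi.dlls" not in cfg:
        findings.append(("DLLS_SEARCHED", "GSSAPI.Dlls unset; libraries located by searching"))
    for lib in filter(None, (p.strip() for p in cfg.get("gssapi.dlls", "").split(","))):
        if not posixpath.isabs(lib):
            findings.append(("DLL_RELATIVE", f"GSSAPI.Dlls entry is not a full path: {lib}"))
    return findings

if __name__ == "__main__":
    for code, message in audit(SAMPLE):
        print(f"{code}: {message}")
```

Disabling the fallback only works when both peers support gssapi-with-mic, so check both ssh2_config and sshd2_config before changing the setting.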
Note: SSH Communications Security does not provide technical
support on how to configure Kerberos. Our support only covers SSH Tectia
applications.