Home
|
FAQ
|
Feedback
|
Licence
|
Updates
|
Mirrors
|
Keys
|
Links
|
Team
Download:
Stable
·
Snapshot
|
Docs
|
Changes
|
Wishlist
Implement GSSAPI key exchange as an alternative to GSSAPI user authentication.
The documentation describes the advantages of using GSSAPI key exchange.
This initial implementation supports only Kerberos V5, and only the cryptographic algorithms specified in RFC 4462; it does not implement any of the methods specified in draft-ietf-curdle-gss-keyex-sha2 (not yet published as an RFC at time of writing).
All of the RFC 4462 methods use the SHA-1 hash, which is looking wobbly these days. As well as group exchange, RFC 4462 specifies (and we support) fixed groups, including Diffie-Hellman "group 1", which we're not keen on (see deprecate-dh-group1). There's no way currently to disable some methods selectively, but the whole feature can be disabled with the setting "Attempt GSSAPI key exchange".