Friday, 4 April 2008

GSSAPI Key Exchange for OpenSSH 5.0

It's that time again! There's been another OpenSSH release, and once again, I'm pleased to announce the availability of my GSSAPI Key Exchange patch for it.

Whilst OpenSSH contains support for GSSAPI user authentication, it still relies upon SSH host keys to authenticate the server to the user. For sites with a deployed Kerberos infrastructure this adds an additional, unnecessary key management burden: every client must already know the host key of every server it connects to (or accept it unverified on first use), even though the Kerberos KDC already vouches for those hosts. GSSAPI key exchange allows a security mechanism such as Kerberos to authenticate the server to the user as part of the key exchange itself, removing the need for trusted ssh host keys and allowing the use of a single security architecture.

This patch adds support for the RFC 4462 GSSAPI key exchange mechanisms to OpenSSH, along with some additional, generic GSSAPI features. It implements:

  • gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key exchange mechanisms. (#1242)
  • Support for the null host key type (#1242)
  • Support for CCAPI credentials caches on Mac OS X (#1245)
  • Support for better error handling when an authentication exchange fails due to server misconfiguration (#1244)
  • Support for GSSAPI connections to hosts behind a round-robin load balancer (#1008)
  • Support for GSSAPI connections to multi-homed hosts, where each interface has a unique name (#928)

(Bug numbers are given in brackets.)
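The "*" in those method names is not a wildcard in the KEXINIT: RFC 4462 names each GSS-API key exchange method by appending base64(MD5(DER encoding of the mechanism OID)) to the base name, so that the same base yields one method per mechanism and both sides know which mechanism a given name refers to. The following Python is an added example, not code from the patch or from OpenSSH. It derives the names for the Kerberos V5 mechanism (OID 1.2.840.113554.1.2.2), picks a method from two KEXINIT lists the way RFC 4253 says a client must, and maps a negotiated name back to a mechanism OID, which is the check a client needs before it can start the exchange. The OID encoder, the constructed algorithm lists and all function names are my own.

```python
import base64
import hashlib

# RFC 4462 section 2.1: a GSS-API key exchange method is named
#   <base>-<base64(MD5(DER encoding of the mechanism OID))>
# so the same base name yields one method per available mechanism.
GSS_KEX_BASES = ("gss-group1-sha1", "gss-group14-sha1", "gss-gex-sha1")

# Kerberos V5 mechanism OID (RFC 1964); what a Kerberos site will see.
KRB5_MECH_OID = "1.2.840.113554.1.2.2"


def der_encode_oid(dotted):
    """DER-encode a dotted-decimal OID: tag 0x06, length, base-128 arcs.

    The hash in RFC 4462 covers this whole encoding, tag and length
    included, not just the content octets a gss_OID structure holds.
    """
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: %s" % dotted)
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # least significant 7 bits, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))  # most significant group first
    if len(body) > 127:
        raise ValueError("OID too long for short-form DER length")
    return bytes([0x06, len(body)]) + bytes(body)


def gss_kex_suffix(mech_oid):
    """The per-mechanism suffix. MD5 is only an identifier here and carries
    no security property; the exchange hash itself uses SHA-1."""
    digest = hashlib.md5(der_encode_oid(mech_oid)).digest()
    return base64.b64encode(digest).decode("ascii")


def gss_kex_names(mech_oid):
    """All three method names for one mechanism, in the patch's order."""
    suffix = gss_kex_suffix(mech_oid)
    return ["%s-%s" % (base, suffix) for base in GSS_KEX_BASES]


def negotiate_kex(client_algs, server_algs):
    """RFC 4253 section 7.1: the first method in the client's list that the
    server also offers wins. Returns None when there is no common method."""
    offered = set(server_algs)
    for name in client_algs:
        if name in offered:
            return name
    return None


def mechanism_for_kex_name(name, usable_mech_oids):
    """Map a negotiated method back to (base, OID).

    Returns None if the name is not a GSS method, or if its suffix matches
    no mechanism we hold credentials for: a client must not start a GSS
    exchange it cannot complete, and a server must not advertise one.
    """
    for base in GSS_KEX_BASES:
        if name.startswith(base + "-"):
            suffix = name[len(base) + 1:]
            for oid in usable_mech_oids:
                if gss_kex_suffix(oid) == suffix:
                    return base, oid
            return None
    return None


if __name__ == "__main__":
    # Constructed KEXINIT lists (not captured from a real session): a client
    # that prefers GSS methods, and a patched server that lists them last.
    client = gss_kex_names(KRB5_MECH_OID) + ["diffie-hellman-group-exchange-sha1"]
    server = ["diffie-hellman-group-exchange-sha1"] + gss_kex_names(KRB5_MECH_OID)
    chosen = negotiate_kex(client, server)
    print("negotiated:", chosen)
    print("mechanism:", mechanism_for_kex_name(chosen, [KRB5_MECH_OID]))
```

Because the client's preference order decides, a client that lists the gss-* methods first will use Kerberos to authenticate the server whenever the server offers them, and fall back to the host key otherwise; a client that wants to refuse the fallback has to leave the plain methods out of its list entirely.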

This release fixes a problem where the GSSAPIStrictAcceptorCheck option was always enabled, regardless of its configured value. That sshd_config option determines whether the server insists that the client authenticated against the host service principal for the local hostname; when it is off, sshd accepts any service principal in its keytab, which is what multi-homed hosts (#928 above) rely on. With the option stuck on, it could not be switched off.

As usual, the code is available from

In addition, with this release I'm pleased to be able to announce an additional patch which implements cascading credential support. This allows credentials provided via key exchange to be cascaded through a set of ssh connections, so that once a user reauthenticates on their workstation, the new credentials are available on all machines to which they are currently connected. It is controlled via two new options: GSSAPIRenewalForcesReKey on the client, which triggers a key re-exchange when the client's credentials are renewed, and GSSAPIStoreCredentialsOnRekey on the server, which updates the stored credentials from those delegated during that re-exchange. A PAM stack, 'sshd-rekey', may be defined to trigger renewal of additional credentials, such as X.509 certificates or AFS tokens, when credentials are renewed on a particular machine. Cascading credential support uses only the standard ssh protocol: the re-exchange is an ordinary SSH re-key, with credentials delegated through the GSSAPI key exchange just as they are on the initial connection.

The cascading credentials patch is also available from the above website. Whilst it has been extensively tested, it has received less peer review than the rest of the GSSAPI code. Reports of both success and failure would be greatly appreciated! If anyone would like to provide face-to-face feedback, I will be at the AFS & Kerberos Best Practices Workshop in May.

Wednesday, 30 January 2008

HTTP Authentication for Wordpress MU

I've been experimenting recently with deploying Wordpress MU as a blogging solution. As we use cosign for all of our web authentication, we wanted Wordpress MU to accept the contents of the REMOTE_USER variable, which the cosign Apache module sets once a user has authenticated, rather than relying upon Wordpress's internal authentication solution.

Much web searching turned up a number of people asking similar questions, and the HTTP Authentication plugin for a single-user Wordpress install. Unfortunately, this plugin didn't work "out-of-the-box" with Wordpress MU, so I ended up patching it. The modified plugin is available from

It's still tailored to my needs: there's no support for automatic blog creation, for example, although that would be trivial to add. I haven't looked at its integration with Wordpress in much detail yet, either.

To use it, you need to protect your wp-login.php and wp-signup.php files with something like:

<Files wp-login.php>
CosignProtected On
AuthType Cosign
Require valid-user
</Files>

<Files wp-signup.php>
CosignProtected On
AuthType Cosign
Require group web/blog/create
</Files>

And your wp-admin directory with:

CosignProtected On
AuthType Cosign
Require valid-user

Protecting these paths is what actually enforces the login: the plugin simply trusts the REMOTE_USER variable, which Apache only sets after the cosign module has authenticated the request, so an unprotected wp-login.php would see no user at all. The Require group line on wp-signup.php also checks group membership before permitting blog creation.

To install the plugin, copy the file into your wp-content/mu-plugins directory, and configure using the HTTP Authentication tab in your Site Admin menu.

If you install this, please let me know how you get on!

We've also got an additional patch for Wordpress MU which makes it use an HTTPS site for blogs, rather than HTTP - I'm happy to share that on request.