Kerberos (GSSAPI) Authentication
Kerberos is a security protocol that provides an alternate mechanism for both client and server authentication. Kerberos authentication relies on a trusted third party called the KDC (Key Distribution Center). The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface).
Advantages of using Kerberos authentication include:
Server Authentication using GSSAPI
By default, Secure Shell connections are established using this sequence of events:
When GSSAPI is used for server authentication, the Kerberos KDC authenticates the server during the initial key exchange. No subsequent server authentication is needed, and the server never sends a host key to the client.
Client Authentication using GSSAPI
After a user has authenticated to the KDC, that user holds Kerberos credentials that can be used by other kerberized applications. When you configure Reflection for Secure IT to support GSSAPI, the server uses Kerberos credentials to authenticate client users. This means that users who have authenticated to the KDC need no additional authentication to connect to the server.