GSSAPI Key Exchange on multi-homed host

petesea at petesea at
Tue Oct 14 11:41:23 EST 2008

>From a security standpoint, if the default keytab (/etc/krb5.keytab) 
contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck 
is set to "yes" or "no"?

My company uses an internally built OpenSSH package that includes the 
GSSAPI Key Exchange patch.  Because we have 1000s of hosts, we need to use 
a "standard" sshd_config file that works for the majority of hosts. 
Unfortunately, the current "standard" sshd_config does not set the 
GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore 
does not work correctly on the multi-homed hosts.

I'd like to change our standard sshd_config so GSSAPIStrictAcceptorCheck 
defaults to "no", but before doing so, I want to better understand the 

As I understand the GSSAPIStrictAcceptorCheck flag, setting it to "no", 
simply enables matches against more then the 1st principal in 
/etc/krb5.keytab.  So... if there's only one principal in the keytab, it 
seems like it wouldn't matter if GSSAPIStrictAcceptorCheck is set to yes 
or no.  Is that correct?

More information about the openssh-unix-dev mailing list