GSSAPI Key Exchange on multi-homed host
djm at mindrot.org
Tue Oct 14 14:45:58 EST 2008
On Mon, 13 Oct 2008, petesea at bigfoot.com wrote:
> From a security standpoint, if the default keytab (/etc/krb5.keytab)
> contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
> is set to "yes" or "no"?
> My company uses an internally built OpenSSH package that includes the
> GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to use
> a "standard" sshd_config file that works for the majority of hosts.
> Unfortunately, the current "standard" sshd_config does not set the
> GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore
> does not work correctly on the multi-homed hosts.
OpenSSH doesn't support a GSSAPIStrictAcceptorCheck at all. There is a
patch in our bugzilla to add it, and I'd like to review and merge it soon,
but it has never been in any version that we have released.