GSSAPI Key Exchange on multi-homed host

Damien Miller djm at
Tue Oct 14 14:45:58 EST 2008

On Mon, 13 Oct 2008, petesea at wrote:

> From a security standpoint, if the default keytab (/etc/krb5.keytab)
> contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck 
> is set to "yes" or "no"?
> My company uses an internally built OpenSSH package that includes the 
> GSSAPI Key Exchange patch.  Because we have 1000s of hosts, we need to use 
> a "standard" sshd_config file that works for the majority of hosts. 
> Unfortunately, the current "standard" sshd_config does not set the 
> GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore 
> does not work correctly on the multi-homed hosts.

OpenSSH doesn't support a GSSAPIStrictAcceptorCheck at all. There is a
patch in our bugzilla to add it, and I'd like to review and merge it soon
but it has never been in any version that we have released.
