GSSAPI Key Exchange on multi-homed host
Damien Miller
djm at mindrot.org
Tue Oct 14 14:45:58 EST 2008
On Mon, 13 Oct 2008, petesea at bigfoot.com wrote:
> From a security standpoint, if the default keytab (/etc/krb5.keytab)
> contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
> is set to "yes" or "no"?
>
> My company uses an internally built OpenSSH package that includes the
> GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to use
> a "standard" sshd_config file that works for the majority of hosts.
> Unfortunately, the current "standard" sshd_config does not set the
> GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore
> does not work correctly on the multi-homed hosts.
OpenSSH doesn't support a GSSAPIStrictAcceptorCheck at all. There is a
patch in our bugzilla to add it, and I'd like to review and merge it soon,
but it has never been in any version that we have released.
-d