GSSAPI Key Exchange on multi-homed host

petesea at petesea at
Wed Oct 15 03:12:49 EST 2008

On Tue, 14 Oct 2008, Damien Miller wrote:

> On Mon, 13 Oct 2008, petesea at wrote:
>>> From a security standpoint, if the default keytab (/etc/krb5.keytab)
>> contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
>> is set to "yes" or "no"?
>> My company uses an internally built OpenSSH package that includes the 
>> GSSAPI Key Exchange patch.  Because we have 1000s of hosts, we need to 
>> use a "standard" sshd_config file that works for the majority of hosts. 
>> Unfortunately, the current "standard" sshd_config does not set the 
>> GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore 
>> does not work correctly on the multi-homed hosts.
> OpenSSH doesn't support a GSSAPIStrictAcceptorCheck at all. There is a 
> patch in our bugzilla to add it, and I'd like to review and merge is 
> soon but it has never been in any version that we have released.

The GSSAPIStrictAcceptorCheck keyword is included as part of Simon 
Wilkinson's GSSAPI Key Exchange patch, which we use.  Sorry if that wasn't 
clearer in my first message.

More information about the openssh-unix-dev mailing list