Debian openssh option review: considering splitting out GSS-API key exchange
Damien Miller
djm at mindrot.org
Sat Aug 31 10:56:08 AEST 2024

Excellent - this substantially reduces the amount of pre-authentication
attack surface exposed on your users' sshd by default.

On Fri, 30 Aug 2024, Colin Watson wrote:
> On Tue, Apr 02, 2024 at 01:30:11AM +0100, Colin Watson wrote:
> > * for Debian trixie (current testing):
> >
> >   * add dependency-only packages called something like
> >     openssh-client-gsskex and openssh-server-gsskex, depending on their
> >     non-gsskex alternatives
> >   * add NEWS.Debian entry saying that people need to install these
> >     packages if they want to retain GSS-API key exchange support
>
> This is now implemented in Debian unstable. I called the packages
> openssh-client-gssapi and openssh-server-gssapi, with the intention of
> splitting out both GSS-API authentication and key exchange support
> later: that is, in trixie+1 I intend to build openssh without
> --with-kerberos5 as well as dropping the key exchange patch from the
> main packages, and you'd have to use openssh-*-gssapi for either
> function.
>
> --
> Colin Watson (he/him) [cjwatson at debian.org]