Debian openssh option review: considering splitting out GSS-API key exchange

Damien Miller djm at mindrot.org
Sat Aug 31 10:56:08 AEST 2024


Excellent - this substantially reduces the amount of pre-authentication
attack surface exposed on your users' sshd by default.

On Fri, 30 Aug 2024, Colin Watson wrote:

> On Tue, Apr 02, 2024 at 01:30:11AM +0100, Colin Watson wrote:
> >  * for Debian trixie (current testing):
> > 
> >    * add dependency-only packages called something like
> >      openssh-client-gsskex and openssh-server-gsskex, depending on their
> >      non-gsskex alternatives
> >    * add NEWS.Debian entry saying that people need to install these
> >      packages if they want to retain GSS-API key exchange support
> 
> This is now implemented in Debian unstable.  I called the packages
> openssh-client-gssapi and openssh-server-gssapi, with the intention of
> splitting out both GSS-API authentication and key exchange support
> later: that is, in trixie+1 I intend to build openssh without
> --with-kerberos5 as well as dropping the key exchange patch from the
> main packages, and you'd have to use openssh-*-gssapi for either
> function.
> 
> -- 
> Colin Watson (he/him)                              [cjwatson at debian.org]
> 
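
An added example, not part of either message and not Debian's or OpenSSH's own tooling: a check of whether a host's ssh/sshd configuration turns on GSS-API at all, and therefore whether it needs the openssh-*-gssapi packages described above. The function names and the sample configuration are constructed for illustration; GSSAPIKeyExchange is the keyword provided by the key exchange patch, GSSAPIAuthentication the upstream one.

```shell
#!/bin/sh
# gss_usage [FILE...]: print "auth", "kex", "auth kex" or "none" for
# sshd_config/ssh_config-style input (reads stdin when no file is given).
# Assumption: any "yes" counts, including inside Match/Host blocks, so the
# answer errs towards "package needed". Include directives are not followed.
gss_usage() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comments, accept Keyword=value
        NF >= 2 {
            key = tolower($1); val = tolower($2)   # keywords are case-insensitive
            gsub(/"/, "", val)                     # accept a quoted "yes"
            if (val != "yes") next
            if (key == "gssapiauthentication") auth = 1
            if (key == "gssapikeyexchange")    kex = 1
        }
        END {
            out = (auth ? "auth" : "") (auth && kex ? " " : "") (kex ? "kex" : "")
            print (out == "" ? "none" : out)
        }
    ' "$@"
}

# Map the result onto the plan in the thread: key exchange needs the split
# package from trixie, authentication from trixie+1.
gss_advice() {
    case "$(gss_usage "$@")" in
        *kex*) echo "openssh-*-gssapi needed from trixie (key exchange enabled)" ;;
        auth)  echo "openssh-*-gssapi needed from trixie+1 (authentication enabled)" ;;
        *)     echo "no GSS-API package needed" ;;
    esac
}

# Constructed sample configuration, not taken from any real host.
sample_config() {
    cat <<'EOF'
# GSSAPIKeyExchange yes
PasswordAuthentication no
gssapiauthentication=yes
Match Address 192.0.2.0/24
    GSSAPIKeyExchange yes
EOF
}

sample_config | gss_advice
```

On a real host, pass the files explicitly, for example gss_advice /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf.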

