summaryrefslogtreecommitdiff
path: root/sshd_config.5
diff options
context:
space:
mode:
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2014-02-10 02:40:08 +0000
commitcd404114ded78fc51d5d9cbd458d55c9b2f67daa (patch)
treedf7a424d9301b69af906b50d550bfce6e6e2c5f3 /sshd_config.5
parent9a975a9faed7c4f334e8c8490db3e77e102f2b21 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-02-10 Patch-Name: gssapi.patch
Diffstat (limited to 'sshd_config.5')
-rw-r--r--sshd_config.528
1 files changed, 28 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 3b21ea6e7..9aa9ebafa 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
493The default is 493The default is
494.Dq no . 494.Dq no .
495Note that this option applies to protocol version 2 only. 495Note that this option applies to protocol version 2 only.
496.It Cm GSSAPIKeyExchange
497Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
498doesn't rely on ssh keys to verify host identity.
499The default is
500.Dq no .
501Note that this option applies to protocol version 2 only.
496.It Cm GSSAPICleanupCredentials 502.It Cm GSSAPICleanupCredentials
497Specifies whether to automatically destroy the user's credentials cache 503Specifies whether to automatically destroy the user's credentials cache
498on logout. 504on logout.
499The default is 505The default is
500.Dq yes . 506.Dq yes .
501Note that this option applies to protocol version 2 only. 507Note that this option applies to protocol version 2 only.
508.It Cm GSSAPIStrictAcceptorCheck
509Determines whether to be strict about the identity of the GSSAPI acceptor
510a client authenticates against. If
511.Dq yes
512then the client must authenticate against the
513.Pa host
514service on the current hostname. If
515.Dq no
516then the client may authenticate against any service key stored in the
517machine's default store. This facility is provided to assist with operation
518on multi homed machines.
519The default is
520.Dq yes .
521Note that this option applies only to protocol version 2 GSSAPI connections,
522and setting it to
523.Dq no
524may only work with recent Kerberos GSSAPI libraries.
525.It Cm GSSAPIStoreCredentialsOnRekey
526Controls whether the user's GSSAPI credentials should be updated following a
527successful connection rekeying. This option can be used to accepted renewed
528or updated credentials from a compatible client. The default is
529.Dq no .
502.It Cm HostbasedAuthentication 530.It Cm HostbasedAuthentication
503Specifies whether rhosts or /etc/hosts.equiv authentication together 531Specifies whether rhosts or /etc/hosts.equiv authentication together
504with successful public key client host authentication is allowed 532with successful public key client host authentication is allowed