| author | Simon Wilkinson <simon@sxw.org.uk> | 2014-02-09 16:09:48 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2014-02-10 02:40:08 +0000 |
| commit | cd404114ded78fc51d5d9cbd458d55c9b2f67daa (patch) | |
| tree | df7a424d9301b69af906b50d550bfce6e6e2c5f3 /sshd_config.5 | |
| parent | 9a975a9faed7c4f334e8c8490db3e77e102f2b21 (diff) | |
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2014-02-10
Patch-Name: gssapi.patch
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 3b21ea6e7..9aa9ebafa 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed. | |||
493 | The default is | 493 | The default is |
494 | .Dq no . | 494 | .Dq no . |
495 | Note that this option applies to protocol version 2 only. | 495 | Note that this option applies to protocol version 2 only. |
496 | .It Cm GSSAPIKeyExchange | ||
497 | Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange | ||
498 | doesn't rely on ssh keys to verify host identity. | ||
499 | The default is | ||
500 | .Dq no . | ||
501 | Note that this option applies to protocol version 2 only. | ||
496 | .It Cm GSSAPICleanupCredentials | 502 | .It Cm GSSAPICleanupCredentials |
497 | Specifies whether to automatically destroy the user's credentials cache | 503 | Specifies whether to automatically destroy the user's credentials cache |
498 | on logout. | 504 | on logout. |
499 | The default is | 505 | The default is |
500 | .Dq yes . | 506 | .Dq yes . |
501 | Note that this option applies to protocol version 2 only. | 507 | Note that this option applies to protocol version 2 only. |
508 | .It Cm GSSAPIStrictAcceptorCheck | ||
509 | Determines whether to be strict about the identity of the GSSAPI acceptor | ||
510 | a client authenticates against. If | ||
511 | .Dq yes | ||
512 | then the client must authenticate against the | ||
513 | .Pa host | ||
514 | service on the current hostname. If | ||
515 | .Dq no | ||
516 | then the client may authenticate against any service key stored in the | ||
517 | machine's default store. This facility is provided to assist with operation | ||
518 | on multi homed machines. | ||
519 | The default is | ||
520 | .Dq yes . | ||
521 | Note that this option applies only to protocol version 2 GSSAPI connections, | ||
522 | and setting it to | ||
523 | .Dq no | ||
524 | may only work with recent Kerberos GSSAPI libraries. | ||
525 | .It Cm GSSAPIStoreCredentialsOnRekey | ||
526 | Controls whether the user's GSSAPI credentials should be updated following a | ||
527 | successful connection rekeying. This option can be used to accepted renewed | ||
528 | or updated credentials from a compatible client. The default is | ||
529 | .Dq no . | ||
502 | .It Cm HostbasedAuthentication | 530 | .It Cm HostbasedAuthentication |
503 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 531 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
504 | with successful public key client host authentication is allowed | 532 | with successful public key client host authentication is allowed |
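Review bot: the added GSSAPIStoreCredentialsOnRekey text (new lines 526-528) has a grammatical slip: "This option can be used to accepted renewed or updated credentials" should read "can be used to accept renewed or updated credentials". Two further wording points in the same hunk: the GSSAPIKeyExchange description (new lines 497-498) says the exchange "doesn't rely on ssh keys to verify host identity" but does not say what verifies it instead; a short clause stating that host identity is then established through the GSSAPI mechanism, so the usual host key check is bypassed and the GSSAPI trust relationship carries that weight, would tell an administrator what they are turning on. Likewise, the GSSAPIStrictAcceptorCheck text (new lines 509-518) explains the multi-homed use case for "no" but not its cost: with "no" any service key in the default store can act as the acceptor, so the man page should say plainly that the setting widens which identities a client will accept as this host, and "multi homed" should be hyphenated as "multi-homed".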