diff options
author | Simon Wilkinson <simon@sxw.org.uk> | 2014-02-09 16:09:48 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-01-14 15:07:15 +0000 |
commit | 6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 (patch) | |
tree | 2f8cd5a92310d9ed3b7020366f3030fc0d1b53a4 /sshd_config.5 | |
parent | eeff4de96f5d7365750dc56912c2c62b5c28db6b (diff) |
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2016-01-04
Patch-Name: gssapi.patch
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index b18d340af..5491c89cf 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -621,6 +621,12 @@ Specifies whether user authentication based on GSSAPI is allowed. | |||
621 | The default is | 621 | The default is |
622 | .Dq no . | 622 | .Dq no . |
623 | Note that this option applies to protocol version 2 only. | 623 | Note that this option applies to protocol version 2 only. |
624 | .It Cm GSSAPIKeyExchange | ||
625 | Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange | ||
626 | doesn't rely on ssh keys to verify host identity. | ||
627 | The default is | ||
628 | .Dq no . | ||
629 | Note that this option applies to protocol version 2 only. | ||
624 | .It Cm GSSAPICleanupCredentials | 630 | .It Cm GSSAPICleanupCredentials |
625 | Specifies whether to automatically destroy the user's credentials cache | 631 | Specifies whether to automatically destroy the user's credentials cache |
626 | on logout. | 632 | on logout. |
@@ -642,6 +648,11 @@ machine's default store. | |||
642 | This facility is provided to assist with operation on multi homed machines. | 648 | This facility is provided to assist with operation on multi homed machines. |
643 | The default is | 649 | The default is |
644 | .Dq yes . | 650 | .Dq yes . |
651 | .It Cm GSSAPIStoreCredentialsOnRekey | ||
652 | Controls whether the user's GSSAPI credentials should be updated following a | ||
653 | successful connection rekeying. This option can be used to accepted renewed | ||
654 | or updated credentials from a compatible client. The default is | ||
655 | .Dq no . | ||
645 | .It Cm HostbasedAcceptedKeyTypes | 656 | .It Cm HostbasedAcceptedKeyTypes |
646 | Specifies the key types that will be accepted for hostbased authentication | 657 | Specifies the key types that will be accepted for hostbased authentication |
647 | as a comma-separated pattern list. | 658 | as a comma-separated pattern list. |