GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Author: Simon Wilkinson <simon@sxw.org.uk> Author: Colin Watson <cjwatson@debian.org> Author: Jakub Jelen <jjelen@redhat.com> Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2020-06-07 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-10-18 12:04:32 +0100
commit: d1b7918f9bce6e997c7952ac795e18d09192b2a6 (patch)
tree: 897785ddb933a151a3d4b7f7d1b6542aee570b76 /sshd_config.5
parent: 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb (diff)
1 files changed, 30 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 6fa421cae..eabbe9e73 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -644,6 +644,11 @@ Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Cm yes .
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Cm no .
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor
 a client authenticates against.
@@ -658,6 +663,31 @@ machine's default store.
 This facility is provided to assist with operation on multi homed machines.
 The default is
 .Cm yes .
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a
+successful connection rekeying. This option can be used to accepted renewed
+or updated credentials from a compatible client. The default is
+.Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are accepted by GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-,
+gss-group14-sha256-,
+gss-group16-sha512-,
+gss-nistp256-sha256-,
+gss-curve25519-sha256-
+.Ed
+.Pp
+The default is
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to connections using GSSAPI.
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a list of comma-separated patterns.
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-10-18 12:04:32 +0100
commit	d1b7918f9bce6e997c7952ac795e18d09192b2a6 (patch)
tree	897785ddb933a151a3d4b7f7d1b6542aee570b76 /sshd_config.5
parent	2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 6fa421cae..eabbe9e73 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -644,6 +644,11 @@ Specifies whether to automatically destroy the user's credentials cache
644	on logout.	644	on logout.
645	The default is	645	The default is
646	.Cm yes .	646	.Cm yes .
		647	.It Cm GSSAPIKeyExchange
		648	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
		649	doesn't rely on ssh keys to verify host identity.
		650	The default is
		651	.Cm no .
647	.It Cm GSSAPIStrictAcceptorCheck	652	.It Cm GSSAPIStrictAcceptorCheck
648	Determines whether to be strict about the identity of the GSSAPI acceptor	653	Determines whether to be strict about the identity of the GSSAPI acceptor
649	a client authenticates against.	654	a client authenticates against.
@@ -658,6 +663,31 @@ machine's default store.
658	This facility is provided to assist with operation on multi homed machines.	663	This facility is provided to assist with operation on multi homed machines.
659	The default is	664	The default is
660	.Cm yes .	665	.Cm yes .
		666	.It Cm GSSAPIStoreCredentialsOnRekey
		667	Controls whether the user's GSSAPI credentials should be updated following a
		668	successful connection rekeying. This option can be used to accepted renewed
		669	or updated credentials from a compatible client. The default is
		670	.Dq no .
		671	.Pp
		672	For this to work
		673	.Cm GSSAPIKeyExchange
		674	needs to be enabled in the server and also used by the client.
		675	.It Cm GSSAPIKexAlgorithms
		676	The list of key exchange algorithms that are accepted by GSSAPI
		677	key exchange. Possible values are
		678	.Bd -literal -offset 3n
		679	gss-gex-sha1-,
		680	gss-group1-sha1-,
		681	gss-group14-sha1-,
		682	gss-group14-sha256-,
		683	gss-group16-sha512-,
		684	gss-nistp256-sha256-,
		685	gss-curve25519-sha256-
		686	.Ed
		687	.Pp
		688	The default is
		689	.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
		690	This option only applies to connections using GSSAPI.
661	.It Cm HostbasedAcceptedKeyTypes	691	.It Cm HostbasedAcceptedKeyTypes
662	Specifies the key types that will be accepted for hostbased authentication	692	Specifies the key types that will be accepted for hostbased authentication
663	as a list of comma-separated patterns.	693	as a list of comma-separated patterns.