GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2015-08-19 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2015-08-19 16:33:29 +0100
commit: 06879e71614170580ffa7568ec5c009f60a9d084 (patch)
tree: 2264e498417b1968891c6f8a3c3b560b2b3a4761 /sshd_config.5
parent: baccdb349b31c47cd76fb63211f754ed33a9707e (diff)
1 files changed, 28 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 6dce0c70c..033149695 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -564,12 +564,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPICleanupCredentials
 Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor 
+a client authenticates against. If
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname. If 
+.Dq no
+then the client may authenticate against any service key stored in the 
+machine's default store. This facility is provided to assist with operation 
+on multi homed machines. 
+The default is
+.Dq yes .
+Note that this option applies only to protocol version 2 GSSAPI connections,
+and setting it to 
+.Dq no
+may only work with recent Kerberos GSSAPI libraries.
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a 
+successful connection rekeying. This option can be used to accepted renewed 
+or updated credentials from a compatible client. The default is
+.Dq no .
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2015-08-19 16:33:29 +0100
commit	06879e71614170580ffa7568ec5c009f60a9d084 (patch)
tree	2264e498417b1968891c6f8a3c3b560b2b3a4761 /sshd_config.5
parent	baccdb349b31c47cd76fb63211f754ed33a9707e (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 6dce0c70c..033149695 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -564,12 +564,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
564	The default is	564	The default is
565	.Dq no .	565	.Dq no .
566	Note that this option applies to protocol version 2 only.	566	Note that this option applies to protocol version 2 only.
		567	.It Cm GSSAPIKeyExchange
		568	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
		569	doesn't rely on ssh keys to verify host identity.
		570	The default is
		571	.Dq no .
		572	Note that this option applies to protocol version 2 only.
567	.It Cm GSSAPICleanupCredentials	573	.It Cm GSSAPICleanupCredentials
568	Specifies whether to automatically destroy the user's credentials cache	574	Specifies whether to automatically destroy the user's credentials cache
569	on logout.	575	on logout.
570	The default is	576	The default is
571	.Dq yes .	577	.Dq yes .
572	Note that this option applies to protocol version 2 only.	578	Note that this option applies to protocol version 2 only.
		579	.It Cm GSSAPIStrictAcceptorCheck
		580	Determines whether to be strict about the identity of the GSSAPI acceptor
		581	a client authenticates against. If
		582	.Dq yes
		583	then the client must authenticate against the
		584	.Pa host
		585	service on the current hostname. If
		586	.Dq no
		587	then the client may authenticate against any service key stored in the
		588	machine's default store. This facility is provided to assist with operation
		589	on multi homed machines.
		590	The default is
		591	.Dq yes .
		592	Note that this option applies only to protocol version 2 GSSAPI connections,
		593	and setting it to
		594	.Dq no
		595	may only work with recent Kerberos GSSAPI libraries.
		596	.It Cm GSSAPIStoreCredentialsOnRekey
		597	Controls whether the user's GSSAPI credentials should be updated following a
		598	successful connection rekeying. This option can be used to accepted renewed
		599	or updated credentials from a compatible client. The default is
		600	.Dq no .
573	.It Cm HostbasedAcceptedKeyTypes	601	.It Cm HostbasedAcceptedKeyTypes
574	Specifies the key types that will be accepted for hostbased authentication	602	Specifies the key types that will be accepted for hostbased authentication
575	as a comma-separated pattern list.	603	as a comma-separated pattern list.