GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2019-06-05 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2019-06-05 07:06:44 +0100
commit: 7ce79be85036c4b36937f1b1ba85f6094068412c (patch)
tree: c964917d8395ef5605cff9513aad4458b222beae /sshd_config.5
parent: 102062f825fb26a74295a1c089c00c4c4c76b68a (diff)
1 files changed, 30 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index b224f2929..2baa6622b 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -653,6 +653,11 @@ Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Cm yes .
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Cm no .
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor
 a client authenticates against.
@@ -667,6 +672,31 @@ machine's default store.
 This facility is provided to assist with operation on multi homed machines.
 The default is
 .Cm yes .
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a
+successful connection rekeying. This option can be used to accepted renewed
+or updated credentials from a compatible client. The default is
+.Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are accepted by GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-,
+gss-group14-sha256-,
+gss-group16-sha512-,
+gss-nistp256-sha256-,
+gss-curve25519-sha256-
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a list of comma-separated patterns.
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2019-06-05 07:06:44 +0100
commit	7ce79be85036c4b36937f1b1ba85f6094068412c (patch)
tree	c964917d8395ef5605cff9513aad4458b222beae /sshd_config.5
parent	102062f825fb26a74295a1c089c00c4c4c76b68a (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index b224f2929..2baa6622b 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -653,6 +653,11 @@ Specifies whether to automatically destroy the user's credentials cache
653	on logout.	653	on logout.
654	The default is	654	The default is
655	.Cm yes .	655	.Cm yes .
		656	.It Cm GSSAPIKeyExchange
		657	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
		658	doesn't rely on ssh keys to verify host identity.
		659	The default is
		660	.Cm no .
656	.It Cm GSSAPIStrictAcceptorCheck	661	.It Cm GSSAPIStrictAcceptorCheck
657	Determines whether to be strict about the identity of the GSSAPI acceptor	662	Determines whether to be strict about the identity of the GSSAPI acceptor
658	a client authenticates against.	663	a client authenticates against.
@@ -667,6 +672,31 @@ machine's default store.
667	This facility is provided to assist with operation on multi homed machines.	672	This facility is provided to assist with operation on multi homed machines.
668	The default is	673	The default is
669	.Cm yes .	674	.Cm yes .
		675	.It Cm GSSAPIStoreCredentialsOnRekey
		676	Controls whether the user's GSSAPI credentials should be updated following a
		677	successful connection rekeying. This option can be used to accepted renewed
		678	or updated credentials from a compatible client. The default is
		679	.Dq no .
		680	.Pp
		681	For this to work
		682	.Cm GSSAPIKeyExchange
		683	needs to be enabled in the server and also used by the client.
		684	.It Cm GSSAPIKexAlgorithms
		685	The list of key exchange algorithms that are accepted by GSSAPI
		686	key exchange. Possible values are
		687	.Bd -literal -offset 3n
		688	gss-gex-sha1-,
		689	gss-group1-sha1-,
		690	gss-group14-sha1-,
		691	gss-group14-sha256-,
		692	gss-group16-sha512-,
		693	gss-nistp256-sha256-,
		694	gss-curve25519-sha256-
		695	.Ed
		696	.Pp
		697	The default is
		698	.Dq gss-gex-sha1-,gss-group14-sha1- .
		699	This option only applies to protocol version 2 connections using GSSAPI.
670	.It Cm HostbasedAcceptedKeyTypes	700	.It Cm HostbasedAcceptedKeyTypes
671	Specifies the key types that will be accepted for hostbased authentication	701	Specifies the key types that will be accepted for hostbased authentication
672	as a list of comma-separated patterns.	702	as a list of comma-separated patterns.