GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2013-11-09 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-02-09 16:16:58 +0000
commit: 950be7e1b1a01ee9b25e2a72726a6370b8acacb6 (patch)
tree: 64829a84f903d7e2d3270c43e3f80df7db2a6a10 /sshd_config.5
parent: ee196dab7c5f97f0b80c8099343a375bead92010 (diff)
1 files changed, 28 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 3abac6c10..525d9c858 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -484,12 +484,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPICleanupCredentials
 Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor 
+a client authenticates against. If
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname. If 
+.Dq no
+then the client may authenticate against any service key stored in the 
+machine's default store. This facility is provided to assist with operation 
+on multi homed machines. 
+The default is
+.Dq yes .
+Note that this option applies only to protocol version 2 GSSAPI connections,
+and setting it to 
+.Dq no
+may only work with recent Kerberos GSSAPI libraries.
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a 
+successful connection rekeying. This option can be used to accepted renewed 
+or updated credentials from a compatible client. The default is
+.Dq no .
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-02-09 16:16:58 +0000
commit	950be7e1b1a01ee9b25e2a72726a6370b8acacb6 (patch)
tree	64829a84f903d7e2d3270c43e3f80df7db2a6a10 /sshd_config.5
parent	ee196dab7c5f97f0b80c8099343a375bead92010 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 3abac6c10..525d9c858 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -484,12 +484,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
484	The default is	484	The default is
485	.Dq no .	485	.Dq no .
486	Note that this option applies to protocol version 2 only.	486	Note that this option applies to protocol version 2 only.
		487	.It Cm GSSAPIKeyExchange
		488	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
		489	doesn't rely on ssh keys to verify host identity.
		490	The default is
		491	.Dq no .
		492	Note that this option applies to protocol version 2 only.
487	.It Cm GSSAPICleanupCredentials	493	.It Cm GSSAPICleanupCredentials
488	Specifies whether to automatically destroy the user's credentials cache	494	Specifies whether to automatically destroy the user's credentials cache
489	on logout.	495	on logout.
490	The default is	496	The default is
491	.Dq yes .	497	.Dq yes .
492	Note that this option applies to protocol version 2 only.	498	Note that this option applies to protocol version 2 only.
		499	.It Cm GSSAPIStrictAcceptorCheck
		500	Determines whether to be strict about the identity of the GSSAPI acceptor
		501	a client authenticates against. If
		502	.Dq yes
		503	then the client must authenticate against the
		504	.Pa host
		505	service on the current hostname. If
		506	.Dq no
		507	then the client may authenticate against any service key stored in the
		508	machine's default store. This facility is provided to assist with operation
		509	on multi homed machines.
		510	The default is
		511	.Dq yes .
		512	Note that this option applies only to protocol version 2 GSSAPI connections,
		513	and setting it to
		514	.Dq no
		515	may only work with recent Kerberos GSSAPI libraries.
		516	.It Cm GSSAPIStoreCredentialsOnRekey
		517	Controls whether the user's GSSAPI credentials should be updated following a
		518	successful connection rekeying. This option can be used to accepted renewed
		519	or updated credentials from a compatible client. The default is
		520	.Dq no .
493	.It Cm HostbasedAuthentication	521	.It Cm HostbasedAuthentication
494	Specifies whether rhosts or /etc/hosts.equiv authentication together	522	Specifies whether rhosts or /etc/hosts.equiv authentication together
495	with successful public key client host authentication is allowed	523	with successful public key client host authentication is allowed