[30361] in Kerberos
GSSAPI Key Exchange on multi-homed host
daemon@ATHENA.MIT.EDU (petesea@bigfoot.com)
Wed Oct 15 01:58:11 2008
Date: Tue, 14 Oct 2008 22:56:58 -0700 (PDT)
From: petesea@bigfoot.com
To: kerberos@mit.edu
Message-id: <alpine.OSX.1.10.0810142254500.747@zippy-air>
From a security standpoint, if the default keytab (/etc/krb5.keytab)
contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
is set to "yes" or "no"?
My company uses an internally built OpenSSH package that includes the
GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to use
a "standard" sshd_config file that works for the majority of hosts.
Unfortunately, the current "standard" sshd_config does not set the
GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore
does not work correctly on the multi-homed hosts.
I'd like to change our standard sshd_config so GSSAPIStrictAcceptorCheck
defaults to "no", but before doing so, I want to better understand the
implications.
As I understand the GSSAPIStrictAcceptorCheck flag, setting it to "no",
simply enables matches against more than the 1st principal in
/etc/krb5.keytab. So... if there's only one principal in the keytab, it
seems like it wouldn't matter if GSSAPIStrictAcceptorCheck is set to yes
or no. Is that correct?
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
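An added example, not part of the original post: a small audit that takes the output of `klist -k /etc/krb5.keytab` and the names a multi-homed host answers to, and reports where a strict acceptor check (sshd accepting only host/<canonical name>) would fail while the relaxed setting would succeed, and where neither works because the keytab lacks the key. It assumes host-based principals of the form host/<fqdn>@<REALM> and the `KVNO Principal` table layout `klist -k` prints; the sample output is constructed.

```python
import re

# Constructed sample in the layout `klist -k` prints (one line per key, so the
# same principal repeats once per enctype).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/zippy.example.com@EXAMPLE.COM
   3 host/zippy.example.com@EXAMPLE.COM
   2 host/zippy-mgmt.example.com@EXAMPLE.COM
"""

# Constructed single-principal keytab, the case the post asks about.
SINGLE_KLIST = """\
KVNO Principal
---- ----
   3 host/zippy.example.com@EXAMPLE.COM
"""

_PRINC_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")


def keytab_principals(klist_output):
    """Distinct principals listed by `klist -k` (duplicates per enctype collapsed)."""
    princs = set()
    for line in klist_output.splitlines():
        m = _PRINC_RE.match(line)
        if m:
            princs.add(m.group(1))
    return princs


def acceptor_check_report(klist_output, canonical_host, connect_names, realm):
    """Classify each name clients connect to.

    Strict check: sshd acquires credentials for host/<canonical>@REALM only, so a
    client that obtained a ticket for host/<alias>@REALM is rejected even if the
    alias key is in the keytab.  Relaxed check: any keytab principal is acceptable.
    With a single principal in the keytab the two behave identically."""
    princs = keytab_principals(klist_output)
    report = {"principal_count": len(princs), "setting_matters": len(princs) > 1,
              "strict_only_fails": [], "fails_either_way": []}
    for name in connect_names:
        target = "host/%s@%s" % (name, realm)
        relaxed_ok = target in princs
        strict_ok = relaxed_ok and name == canonical_host
        if relaxed_ok and not strict_ok:
            report["strict_only_fails"].append(name)      # the multi-homed case
        elif not relaxed_ok:
            report["fails_either_way"].append(name)       # key missing from keytab
    return report
```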