From: "Debathena Trac" <debathena@mit.edu>
Cc: debathena@mit.edu
To: andersk@mit.edu
Date: Thu, 15 Jan 2015 04:53:55 -0000
Message-ID: <043.fc4a0af01cdcd3fc57ca7caf33de9c36@mit.edu>
#1548: Get Mac OS X Kerberos Extras to turn off GSSAPIKeyExchange and GSSAPIDelegateCredentials
----------------------------+--------------------
         Reporter: andersk  | Owner:
             Type: defect   | Status: new
         Priority: normal   | Milestone:
        Component: --       | Keywords:
 Fixed in version:          | Upstream bug:
----------------------------+--------------------
(Not strictly Debathena related.)
Apparently Kerberos Extras still turns on `GSSAPIKeyExchange` and
`GSSAPIDelegateCredentials` by default. `GSSAPIKeyExchange` sounds nifty
but turns out to be full of DNS-related security holes (#1384), and
`GSSAPIDelegateCredentials` causes tickets to be copied to all kinds of
places they shouldn’t be (#205). These options should both be off by
default, matching upstream.
Turning off `GSSAPIKeyExchange` when it had previously been on might cause
users to get a host fingerprint prompt once. If this is unacceptable, it
could be mitigated by shipping an extra `known_hosts` file with
fingerprints for common hosts, like Debathena does (#1386):

    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 /etc/ssh/ssh_known_hosts.debathena
Turning off `GSSAPIDelegateCredentials` would mean that
athena.dialup.mit.edu users will get prompted for a password unless they
pass `ssh -K`. Debathena considers this acceptable. If Kerberos Extras
does not, it could be mitigated by turning on `GSSAPIDelegateCredentials`
for athena.dialup.mit.edu (and related names) only.
--
Ticket URL: <https://athena10.mit.edu/trac/ticket/1548>
Debathena <http://debathena.mit.edu>
MIT Debathena Project
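Added example, not from the ticket or from Debathena: a small POSIX shell resolver over a constructed ssh_config that applies ssh's first-match rule, to show that the per-host `GSSAPIDelegateCredentials` exception suggested for athena.dialup.mit.edu only takes effect if it precedes the `Host *` block. The GOOD_CONFIG/BAD_CONFIG samples and the second host name are constructed, and `GSSAPIKeyExchange` is only recognised by GSSAPI-patched OpenSSH builds such as Debian's and (then) Apple's.

```shell
#!/bin/sh
# Added example, not from the ticket: resolve what an ssh_config sets for a
# host. ssh keeps the FIRST value found, so the per-host
# GSSAPIDelegateCredentials exception must precede the "Host *" defaults.

# Constructed sample: hardened defaults, dialup exception placed first.
GOOD_CONFIG='
Host athena.dialup.mit.edu *.dialup.mit.edu
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes
    GSSAPIKeyExchange no
    GSSAPIDelegateCredentials no
    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 /etc/ssh/ssh_known_hosts.debathena
'
# Constructed sample of the common mistake: the exception follows "Host *".
BAD_CONFIG='
Host *
    GSSAPIDelegateCredentials no
Host athena.dialup.mit.edu
    GSSAPIDelegateCredentials yes
'

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_option <config text> <host> <option>: print the value ssh would
# use (first match wins). Host patterns are matched with shell globbing,
# which covers "*" and "?" but not ssh's "!" negation.
effective_option() {
    cfg=$1; host=$2; want=$(lower "$3"); active=1
    set -f   # keep "*.dialup.mit.edu" from expanding against the filesystem
    printf '%s\n' "$cfg" | while read -r key rest; do
        case "$key" in ''|'#'*) continue ;; esac
        if [ "$(lower "$key")" = host ]; then
            active=0
            for pat in $rest; do
                case "$host" in $pat) active=1 ;; esac
            done
        elif [ "$active" = 1 ] && [ "$(lower "$key")" = "$want" ]; then
            printf '%s\n' "$rest"; break
        fi
    done
    set +f
}

for h in athena.dialup.mit.edu athena.mit.edu; do
    echo "$h: delegate=$(effective_option "$GOOD_CONFIG" "$h" GSSAPIDelegateCredentials)" \
         "kex=$(effective_option "$GOOD_CONFIG" "$h" GSSAPIKeyExchange)"
done
echo "misordered BAD_CONFIG, dialup host: $(effective_option "$BAD_CONFIG" athena.dialup.mit.edu GSSAPIDelegateCredentials)"
```

Running it against a real file is `effective_option "$(cat /etc/ssh/ssh_config)" host option`; `ssh -G host` gives the authoritative answer on OpenSSH 6.8 and later.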