Bug 2637

Summary: GSSAPIStrictAcceptorCheck should default to 'yes'
Product: Portable OpenSSH
Reporter: Tomas Kuthan <tomas.kuthan>
Component: Kerberos support
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: minor
CC: djm, dtucker, tomas.kuthan
Priority: P5    
Version: 7.3p1   
Hardware: SPARC   
OS: Solaris   
Bug Depends on:    
Bug Blocks: 2647    
Attachments:
Description: GSSAPIStrictAcceptorCheck=yes by default
Flags: dtucker: ok+

Description Tomas Kuthan 2016-11-10 01:55:01 AEDT
When GSSAPIStrictAcceptorCheck is not explicitly specified, the default value should be yes. It is documented in sshd_config(5) this way and it preserves original behavior.

Also, GSSAPIStrictAcceptorCheck=no interacts poorly with GSSAPIKeyExchange, where it makes the server willing to negotiate GSS-API key exchange, although no keytab was provided.
Comment 1 Tomas Kuthan 2016-11-10 01:56:01 AEDT
Created attachment 2889
GSSAPIStrictAcceptorCheck=yes by default
Comment 2 Damien Miller 2017-01-06 14:32:28 AEDT
Comment on attachment 2889
GSSAPIStrictAcceptorCheck=yes by default

This seems reasonable to me.
Comment 3 Damien Miller 2017-01-06 14:46:03 AEDT
applied - thanks
Comment 4 Damien Miller 2021-04-23 15:09:41 AEST
closing resolved bugs as of 8.6p1 release