2637 – GSSAPIStrictAcceptorCheck should default to 'yes'

Bug 2637 - GSSAPIStrictAcceptorCheck should default to 'yes'

Summary: GSSAPIStrictAcceptorCheck should default to 'yes'

Status:	CLOSED FIXED

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	Kerberos support (show other bugs)
Version:	7.3p1
Hardware:	SPARC Solaris

Importance:	P5 minor
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:	V_7_5
	Show dependency tree / graph

Reported:	2016-11-10 01:55 AEDT by Tomas Kuthan
Modified:	2021-04-23 15:09 AEST (History)
CC List:	3 users (show)

See Also:

Attachments
GSSAPIStrictAcceptorCheck=yes by default (1.14 KB, patch) 2016-11-10 01:56 AEDT, Tomas Kuthan	dtucker: ok+	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tomas Kuthan 2016-11-10 01:55:01 AEDT

When GSSAPIStrictAcceptorCheck is not explicitely specified, the default value should be yes. It is documented in  sshd_config(5) this way and it preserves original behavior.

Also GSSAPIStrictAcceptorCheck=no interacts poorly with GSSAPIKeyExchange, where it make the server willing to negotiate GSS-API key exchange, although no keytab was provided.

Comment 1 Tomas Kuthan 2016-11-10 01:56:01 AEDT

Created attachment 2889 [details]
GSSAPIStrictAcceptorCheck=yes by default

Comment 2 Damien Miller 2017-01-06 14:32:28 AEDT

Comment on attachment 2889 [details]
GSSAPIStrictAcceptorCheck=yes by default

This seems reasonable to me.

Comment 3 Damien Miller 2017-01-06 14:46:03 AEDT

applied - thanks

Comment 4 Damien Miller 2021-04-23 15:09:41 AEST

closing resolved bugs as of 8.6p1 release