Bug 2637 - GSSAPIStrictAcceptorCheck should default to 'yes'
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Kerberos support
Version: 7.3p1
Hardware: SPARC Solaris
Importance: P5 minor
Assignee: Assigned to nobody
Blocks: V_7_5
 
Reported: 2016-11-10 01:55 AEDT by Tomas Kuthan
Modified: 2021-04-23 15:09 AEST

Attachments
GSSAPIStrictAcceptorCheck=yes by default (1.14 KB, patch)
2016-11-10 01:56 AEDT, Tomas Kuthan
dtucker: ok+

Description Tomas Kuthan 2016-11-10 01:55:01 AEDT
When GSSAPIStrictAcceptorCheck is not explicitly specified, the default value should be yes. It is documented in sshd_config(5) this way and it preserves original behavior.

Also, GSSAPIStrictAcceptorCheck=no interacts poorly with GSSAPIKeyExchange, where it makes the server willing to negotiate GSS-API key exchange, although no keytab was provided.
Comment 1 Tomas Kuthan 2016-11-10 01:56:01 AEDT
Created attachment 2889
GSSAPIStrictAcceptorCheck=yes by default
Comment 2 Damien Miller 2017-01-06 14:32:28 AEDT
Comment on attachment 2889
GSSAPIStrictAcceptorCheck=yes by default

This seems reasonable to me.
Comment 3 Damien Miller 2017-01-06 14:46:03 AEDT
applied - thanks
Comment 4 Damien Miller 2021-04-23 15:09:41 AEST
closing resolved bugs as of 8.6p1 release
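
Because the fix changes only the default, the thing to check on a given host is the effective value rather than what the config file happens to contain. The following is an added example, not part of the bug report or of OpenSSH: a shell function that classifies the settings discussed above from `sshd -T`-style output. The function name and verdict labels are hypothetical, it assumes the build prints these keywords in `sshd -T`, and `gssapikeyexchange` only appears on builds that carry the GSS-API key exchange patch.

```shell
# Added example (not from the bug report or OpenSSH).
# Reads "keyword value" lines, as printed by `sshd -T`, on stdin and prints
# one verdict line. Typical use on a host: sshd -T | audit_gss_acceptor
audit_gss_acceptor() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "gssapiauthentication"      { auth = val }
        key == "gssapistrictacceptorcheck" { strict = val }
        key == "gssapikeyexchange"         { kex = val }
        END {
            # A keyword the build did not print is reported as "unset".
            if (auth == "")   auth = "unset"
            if (strict == "") strict = "unset"
            if (kex == "")    kex = "unset"

            if (strict == "yes")        verdict = "OK"       # documented default
            else if (strict == "unset") verdict = "UNKNOWN"  # cannot tell from input
            else if (kex == "yes")      verdict = "FAIL"     # interaction from the bug
            else                        verdict = "WARN"     # relaxed check, no GSS kex
            printf "%s strict=%s kex=%s auth=%s\n", verdict, strict, kex, auth
        }'
}

# Constructed sample input: relaxed acceptor check together with GSS-API kex.
sample_relaxed_with_kex() {
    printf '%s\n' \
        'port 22' \
        'gssapiauthentication yes' \
        'gssapistrictacceptorcheck no' \
        'gssapikeyexchange yes'
}

# Constructed sample input: strict check on a build without the kex patch.
sample_strict_upstream() {
    printf '%s\n' \
        'port 22' \
        'gssapiauthentication yes' \
        'gssapistrictacceptorcheck yes'
}
```

A `FAIL` or `WARN` on a host where the option is absent from `sshd_config` means the build predates this fix; setting `GSSAPIStrictAcceptorCheck yes` explicitly removes the dependence on the compiled-in default.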