GSSAPI Key Exchange on multi-homed host
petesea@bigfoot.com
Wed Oct 15 01:56:58 EDT 2008
From a security standpoint, if the default keytab (/etc/krb5.keytab)
contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
is set to "yes" or "no"?
My company uses an internally built OpenSSH package that includes the
GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to use
a "standard" sshd_config file that works for the majority of hosts.
Unfortunately, the current "standard" sshd_config does not set the
GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore
does not work correctly on the multi-homed hosts.
I'd like to change our standard sshd_config so GSSAPIStrictAcceptorCheck
defaults to "no", but before doing so, I want to better understand the
implications.
As I understand the GSSAPIStrictAcceptorCheck flag, setting it to "no"
simply enables matches against more than the first principal in
/etc/krb5.keytab. So... if there's only one principal in the keytab, it
seems like it wouldn't matter if GSSAPIStrictAcceptorCheck is set to yes
or no. Is that correct?
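The check below is an added example and is not part of the original post or of OpenSSH. It models the acceptor-name rule as sshd_config(5) describes it: with GSSAPIStrictAcceptorCheck "yes" the client must authenticate against the host service of the name sshd itself runs under, with "no" any key in the default keytab may be used. The klist output, realm and hostnames are constructed for the example; on a real host you would feed it `klist -k /etc/krb5.keytab` and `hostname -f` (what name sshd ends up using is an assumption here, since the Kerberos library may canonicalise it). The point it shows is that a single keytab entry is only "safe" under the strict default when that one entry is host/<the name sshd runs under>.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# Models the GSSAPIStrictAcceptorCheck decision from sshd_config(5):
#   yes -> client must target host/<name sshd runs under>
#   no  -> any principal present in the keytab is acceptable

# Constructed sample of `klist -k /etc/krb5.keytab` output (not real data):
# a multi-homed host with a second name in the keytab.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web01.example.com@EXAMPLE.COM
   3 host/web01-ext.example.com@EXAMPLE.COM'

# Constructed single-entry keytab whose only principal is NOT the running hostname.
SAMPLE_KEYTAB_MISMATCH='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web01-ext.example.com@EXAMPLE.COM'

# keytab_principals: read klist -k text on stdin, print distinct principal names.
# Entry lines start with a numeric KVNO; header and separator lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_has_host_principal NAME KEYTAB_TEXT
# returns 0 if host/NAME@<any realm> is present in the listing.
keytab_has_host_principal() {
    printf '%s\n' "$2" | keytab_principals | grep -Fq "host/$1@"
}

# acceptor_ok STRICT HOSTNAME TARGET KEYTAB_TEXT
# STRICT   : value of GSSAPIStrictAcceptorCheck (yes|no)
# HOSTNAME : name sshd runs under (assumed: what `hostname -f` returns)
# TARGET   : name the client asked for, i.e. it requested host/TARGET
# returns 0 if sshd would accept the client's acceptor name.
acceptor_ok() {
    strict=$1; hostname=$2; target=$3; keytab=$4
    # In both modes the key for the requested service must exist in the keytab.
    keytab_has_host_principal "$target" "$keytab" || return 1
    if [ "$strict" = yes ]; then
        # Strict: only the service on the running hostname is accepted.
        [ "$target" = "$hostname" ]
    else
        return 0
    fi
}

# strict_default_ok HOSTNAME KEYTAB_TEXT
# returns 0 if the default (yes) can work at all on this host, i.e. the keytab
# holds host/HOSTNAME; a lone entry for another name is rejected with "yes".
strict_default_ok() {
    keytab_has_host_principal "$1" "$2"
}

# Demonstration with the constructed data (hypothetical hostnames).
for target in web01.example.com web01-ext.example.com; do
    for strict in yes no; do
        if acceptor_ok "$strict" web01.example.com "$target" "$SAMPLE_KEYTAB"; then
            echo "StrictAcceptorCheck=$strict target=$target: accept"
        else
            echo "StrictAcceptorCheck=$strict target=$target: reject"
        fi
    done
done
if strict_default_ok web01.example.com "$SAMPLE_KEYTAB_MISMATCH"; then
    echo "single-entry keytab: default of yes works"
else
    echo "single-entry keytab: default of yes fails (only host/web01-ext present)"
fi
```

Run it per host (or over collected `klist -k` output from the fleet) to find which machines actually need the relaxed setting before changing the standard sshd_config: a host whose single keytab entry matches its running hostname behaves the same either way, while a host whose only entry is for another interface name fails under the default regardless of how many entries it has.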