GSSAPI Issue

Garrett Wollman wollman at bimajority.org
Wed Nov 24 14:19:05 EST 2010


In article <mailman.422.1290620369.20243.kerberos at mit.edu>,
Greg Hudson  <ghudson at MIT.EDU> wrote:

>Note that forwarding credentials has security implications, in that it
>allows the server to do things on your behalf that it wouldn't otherwise
>be able to do.  If you elect to set GSSAPIDelegateCredentials yes in
>ssh_config, you may wish to restrict it to a Host section.

Right.  We do it like this:

Host *.mit.edu
  GSSAPIDelegateCredentials yes
  GSSAPIRenewalForcesRekey yes
Host *.*
  GSSAPIDelegateCredentials no
Host *
  GSSAPIDelegateCredentials yes
  GSSAPIRenewalForcesRekey yes

(The last section might be OBE by now.)

-GAWollman

-- 
Garrett A. Wollman    | What intellectual phenomenon can be older, or more oft
wollman at bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers.         | accepted by all practitioners? - S.J. Gould, 1993
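
How ssh_config's first-obtained-value rule resolves the Host blocks in the message above, as an added example (not part of the original post and not OpenSSH code). The matcher is a simplified sketch that handles only '*', '?' and '!' patterns, and the hostnames are constructed samples.

```python
import re

# The Host blocks from the message above, copied verbatim.
SSH_CONFIG = """\
Host *.mit.edu
  GSSAPIDelegateCredentials yes
  GSSAPIRenewalForcesRekey yes
Host *.*
  GSSAPIDelegateCredentials no
Host *
  GSSAPIDelegateCredentials yes
  GSSAPIRenewalForcesRekey yes
"""

def _matches(pattern, host):
    # ssh_config patterns: '*' is any run of characters, '?' is exactly one.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.fullmatch(body, host, re.IGNORECASE) is not None

def host_block_applies(patterns, host):
    # A negated ('!') match vetoes the block; otherwise one positive match is enough.
    applies = False
    for p in patterns:
        if p.startswith("!"):
            if _matches(p[1:], host):
                return False
        elif _matches(p, host):
            applies = True
    return applies

def effective_options(config_text, host):
    """Resolve options for `host` as typed on the ssh command line."""
    result, active = {}, True   # lines before any Host block apply to all hosts
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword, args = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "host":
            active = host_block_applies(args.split(), host)
        elif active:
            result.setdefault(keyword, args)   # first obtained value wins
    return result

if __name__ == "__main__":
    # Constructed sample hostnames.
    for name in ("athena.mit.edu", "shell.example.com", "athena", "mit.edu"):
        print(name, effective_options(SSH_CONFIG, name))
```

Note that a dotted non-MIT name still picks up GSSAPIRenewalForcesRekey from the final Host * block, because only the delegation option was already set by Host *.*; the bare name "mit.edu" does not match *.mit.edu and falls under Host *.*.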


