GSSAPI Issue
Garrett Wollman
wollman at bimajority.org
Wed Nov 24 14:19:05 EST 2010
In article <mailman.422.1290620369.20243.kerberos at mit.edu>,
Greg Hudson <ghudson at MIT.EDU> wrote:
>Note that forwarding credentials has security implications, in that it
>allows the server to do things on your behalf that it wouldn't otherwise
>be able to do. If you elect to set GSSAPIDelegateCredentials yes in
>ssh_config, you may wish to restrict it to a Host section.
Right. We do it like this:

Host *.mit.edu
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes

Host *.*
    GSSAPIDelegateCredentials no

Host *
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes

(The last section might be OBE by now.)
-GAWollman
--
Garrett A. Wollman | What intellectual phenomenon can be older, or more oft
wollman at bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers. | accepted by all practitioners? - S.J. Gould, 1993
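
An added example, not part of the original post: a small Python resolver for the Host blocks above, showing which GSSAPIDelegateCredentials value each kind of name ends up with under ssh_config's rule that the first value obtained for an option wins. The hostnames are constructed, the function names are hypothetical, and it assumes only Host blocks (no Match or Include) and that names are matched as typed on the command line.

```python
import re

# Constructed copy of the ssh_config layout from the post above.
SAMPLE_CONFIG = """\
Host *.mit.edu
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes
Host *.*
    GSSAPIDelegateCredentials no
Host *
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes
"""

def pattern_matches(pattern, host):
    # ssh_config patterns know only two wildcards: '*' and '?'.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host) is not None

def host_line_matches(patterns, host):
    # A matching negated pattern ('!pat') vetoes the Host line; otherwise
    # at least one positive pattern has to match.
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if pattern_matches(p[1:], host):
                return False
        elif pattern_matches(p, host):
            matched = True
    return matched

def effective_options(config_text, host):
    """Resolve options for `host`; the first value obtained for each wins."""
    result, active = {}, True  # lines before any Host block apply to all hosts
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "host":
            active = host_line_matches(args, host)
        elif active:
            result.setdefault(keyword, " ".join(args))
    return result

if __name__ == "__main__":
    for name in ("host.mit.edu", "host.example.com", "mit.edu", "host"):
        print(name, effective_options(SAMPLE_CONFIG, name))
```

Names containing a dot outside mit.edu stop at the `Host *.*` block for delegation, while a dotless short name only matches `Host *` and so still delegates; the bare name `mit.edu` does not match `*.mit.edu` and gets `no`.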