[OpenIndiana-discuss] OpenSSH GSS-API-key-exchange
Tim Mooney (Tim.Mooney at ndsu.edu)
Mon Dec 19 21:03:10 UTC 2016

In regard to: [OpenIndiana-discuss] OpenSSH GSS-API-key-exchange, Alexander...:
> Currently OpenSSH in OpenIndiana supports the GSSAPIKeyExchange option
> and enables it by default
> (support for authenticating the server via GSSAPI - an alternative to
> distributing server ssh keys) -
> http://www.sxw.org.uk/computing/patches/openssh.html .
> This is a separate patch (but a widespread one - it is supported by Debian
> and RedHat).
>
> The issue is that if DNS is misconfigured on the client side, it can lead
> to long delays while connecting to the ssh server.
>
> The question is - who really uses this option on OI? Can we just drop
> this patch (or at least disable it by default) without significant impact
> on user systems?

We have a full Kerberos infrastructure where I work and we've experimented
with using GSS for host key exchange, but we're not currently using it in
production.

I guess my preference would be to continue to have the patch included,
but default to

    GSSAPIKeyExchange no

in the sshd config.

Tim

-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
    
    