[OpenIndiana-discuss] OpenSSH GSS-API-key-exchange

Udo Grabowski (IMK) udo.grabowski at kit.edu
Tue Dec 20 08:59:48 UTC 2016


On 19/12/2016 22:03, Tim Mooney wrote:
> In regard to: [OpenIndiana-discuss] OpenSSH GSS-API-key-exchange,
> Alexander...:
>
>> Currently OpenSSH in OpenIndiana supports the GSSAPIKeyExchange option
>> and enables it by default (support for authenticating the server via
>> GSSAPI - an alternative to distributing server ssh keys) -
>> http://www.sxw.org.uk/computing/patches/openssh.html .
>> This is a separate patch (but a widespread one - it is supported by
>> Debian and RedHat).
>>
>> The issue is that if DNS is misconfigured on the client side, it can
>> lead to long delays while connecting to the ssh server.
>>
>> The question is - who really uses this option on OI? Can we just drop
>> this patch (or at least disable it by default) without significant
>> impact on user systems?
>
> We have a full Kerberos infrastructure where I work and we've experimented
> with using GSS for host key exchange, but we're not currently using it in
> production.
>
> I guess my preference would be to continue to have the patch included,
> but default to
>
> GSSAPIKeyExchange no
>
> in the sshd config.

+1 for keeping and off by default - this is, e.g., needed
where you log in against a Windows central IDM infrastructure.
