Re: Debian openssh option review: considering splitting out GSS-API key exchange
Excellent - this substantially reduces the amount of pre-authentication
attack surface exposed on your users' sshd by default.
On Fri, 30 Aug 2024, Colin Watson wrote:
> On Tue, Apr 02, 2024 at 01:30:11AM +0100, Colin Watson wrote:
> >  * for Debian trixie (current testing):
> > 
> >    * add dependency-only packages called something like
> >      openssh-client-gsskex and openssh-server-gsskex, depending on their
> >      non-gsskex alternatives
> >    * add NEWS.Debian entry saying that people need to install these
> >      packages if they want to retain GSS-API key exchange support
> 
> This is now implemented in Debian unstable.  I called the packages
> openssh-client-gssapi and openssh-server-gssapi, with the intention of
> splitting out both GSS-API authentication and key exchange support
> later: that is, in trixie+1 I intend to build openssh without
> --with-kerberos5 as well as dropping the key exchange patch from the
> main packages, and you'd have to use openssh-*-gssapi for either
> function.
> 
> -- 
> Colin Watson (he/him)                              [cjwatson@debian.org]
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
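The message above says that after this change GSS-API key exchange survives only if the openssh-client-gssapi / openssh-server-gssapi packages are installed. The script below is an added example (not Colin Watson's or Debian's code) for checking where a given host stands: whether the installed ssh still lists GSS-API kex methods, whether a running sshd has GSSAPIKeyExchange switched on, and whether the new packages are present. It assumes that the gsskex patch names its key exchange methods with a `gss-` prefix, that `ssh -Q kex` prints the client's kex methods one per line, and that `sshd -T` (root only) prints the effective configuration with lower-cased keywords; the sample inputs at the bottom are constructed so the helpers can be exercised without a real ssh.

```shell
#!/bin/sh
# Added example, not from the message or from Debian's packaging: find out
# whether the OpenSSH on this host still carries GSS-API key exchange (the
# Debian gsskex patch) and, for sshd, whether it is actually switched on.
#
# Assumptions: GSS-API kex methods are the ones named "gss-*" (the gsskex
# patch's naming), "ssh -Q kex" lists kex methods one per line, and "sshd -T"
# (root only) dumps the effective sshd configuration with lower-cased keywords.

# gss_kex_methods LIST
#   Prints only the GSS-API kex methods from LIST (one algorithm per line, the
#   format "ssh -Q kex" uses). Prints nothing when none are present.
gss_kex_methods() {
    printf '%s\n' "$1" | grep '^gss-' || true
}

# gss_kex_present LIST
#   Exit 0 if LIST contains at least one GSS-API kex method, 1 otherwise.
gss_kex_present() {
    [ -n "$(gss_kex_methods "$1")" ]
}

# sshd_gss_kex_enabled CONFIG_DUMP
#   Exit 0 if an "sshd -T" dump has GSSAPIKeyExchange turned on. The keyword
#   only exists with the gsskex patch, so a stock sshd never matches.
sshd_gss_kex_enabled() {
    printf '%s\n' "$1" | grep -iqE '^gssapikeyexchange[[:space:]]+yes$'
}

# live_report
#   Runs the checks against the installed binaries and packages, skipping any
#   tool that is missing or that we lack the privileges to run.
live_report() {
    if command -v ssh >/dev/null 2>&1; then
        kex=$(ssh -Q kex 2>/dev/null || true)
        if gss_kex_present "$kex"; then
            echo "ssh client: GSS-API kex methods built in:"
            gss_kex_methods "$kex" | sed 's/^/  /'
        else
            echo "ssh client: no GSS-API kex methods (gsskex patch not present)"
        fi
    fi
    if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        dump=$(sshd -T 2>/dev/null || true)
        if sshd_gss_kex_enabled "$dump"; then
            echo "sshd: GSSAPIKeyExchange yes (GSS-API kex reachable before authentication)"
        else
            echo "sshd: GSS-API kex not enabled or not supported"
        fi
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        # Package names as announced in the message above.
        for pkg in openssh-client-gssapi openssh-server-gssapi; do
            status=$(dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null || true)
            case "$status" in
                *installed) echo "$pkg: installed" ;;
                *)          echo "$pkg: not installed" ;;
            esac
        done
    fi
}

# Constructed sample inputs (not captured from a real host), so the helpers
# can be exercised without ssh or sshd present.
SAMPLE_KEX_WITH_GSS='curve25519-sha256
curve25519-sha256@libssh.org
gss-group14-sha256-
gss-curve25519-sha256-
gss-gex-sha1-'
SAMPLE_KEX_STOCK='curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group16-sha512'
SAMPLE_SSHD_GSSKEX='port 22
gssapiauthentication yes
gssapikeyexchange yes'
SAMPLE_SSHD_STOCK='port 22
gssapiauthentication no'

live_report
```

Run it as root on a Debian host to get the sshd line as well; without root it still reports the client's kex list and the package state. A host where `ssh -Q kex` shows no `gss-*` entries and neither -gssapi package is installed is one where the attack surface reduction described above has taken effect.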