Bug#660995: openssh-server: Better document the security implications of disabling GSSAPIStrictAcceptorCheck
Package: openssh-server
Version: 1:5.9p1-2
Severity: wishlist
At first glance the GSSAPIStrictAcceptorCheck option seems quite useful
on multi-homed hosts, but I don't think the existing documentation makes
it clear enough that enabling it will allow clients to use tickets for
*any* service in /etc/krb5.keytab, not just any 'host' key.
This is mentioned at
<https://bugzilla.mindrot.org/show_bug.cgi?id=928#c6> and
<http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.kerberos/2010-12/msg00081.html>.
I have tried to improve the wording of the option description in
sshd_config(5). The current wording states:
If “no” then the client may authenticate against any service key
stored in the machine's default store.
I suggest changing it to:
If “no” then the client may authenticate against *any* service
key stored in the machine's default store. This is not limited
to just 'host' keys, so if set to “no” then ensure you use
dedicated keytabs for all other services on the machine in
question.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (530, 'testing'), (520, 'unstable'), (510, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-server depends on:
ii adduser 3.113+nmu1
ii debconf [debconf-2.0] 1.5.41
ii dpkg 1.16.1.2
ii libc6 2.13-26
ii libcomerr2 1.42-1
ii libgssapi-krb5-2 1.10+dfsg~beta1-2
ii libkrb5-3 1.10+dfsg~beta1-2
ii libpam-modules 1.1.3-7
ii libpam-runtime 1.1.3-7
ii libpam0g 1.1.3-7
ii libselinux1 2.1.0-4.1
ii libssl1.0.0 1.0.0g-1
ii libwrap0 7.6.q-22
ii lsb-base 3.2-28.1
ii openssh-client 1:5.9p1-2
ii procps 1:3.2.8-11
ii zlib1g 1:1.2.3.4.dfsg-3
Versions of packages openssh-server recommends:
ii openssh-blacklist 0.4.1
ii openssh-blacklist-extra 0.4.1
ii xauth 1:1.0.6-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass-gnome [ssh-askpass] 1:5.9p1-2
pn ufw <none>
-- debconf information excluded
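The distinction the report is about, as an added example that is not part of the bug report, of sshd_config(5) or of OpenSSH's own code: a small model of which keytab principals sshd will accept as the GSSAPI acceptor under each setting, run over a constructed `klist -k`-style listing of /etc/krb5.keytab. The model is deliberately simplified: with GSSAPIStrictAcceptorCheck yes it assumes sshd acquires credentials only for host/<its own hostname> (the realm is treated literally), and with no it accepts any principal present in the default keytab. Hostnames, principals and KVNOs below are invented for the sample.

```python
# Added example (not OpenSSH code): which keytab entries satisfy sshd's GSSAPI
# acceptor check under GSSAPIStrictAcceptorCheck yes vs. no, and which entries
# should be moved to a dedicated keytab before turning the check off.
from dataclasses import dataclass

# Constructed sample in the shape of `klist -k /etc/krb5.keytab` output; the
# host, realm and key version numbers are invented.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/gw.example.com@EXAMPLE.COM
   3 host/gw-internal.example.com@EXAMPLE.COM
   2 HTTP/gw.example.com@EXAMPLE.COM
   5 postgres/gw.example.com@EXAMPLE.COM
   1 nfs/gw.example.com@EXAMPLE.COM
"""


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str

    @property
    def service(self):
        # "host/gw.example.com@EXAMPLE.COM" -> "host"
        return self.principal.split("/", 1)[0]


def parse_klist(text):
    """Pull (kvno, principal) pairs out of klist -k output; skips header lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            entries.append(KeytabEntry(int(parts[0]), parts[1]))
    return entries


def acceptable_principals(entries, strict, local_hostname, realm):
    """Principals a client's service ticket may be for and still pass the acceptor check.

    strict=True  models GSSAPIStrictAcceptorCheck yes: only host/<local hostname>.
    strict=False models GSSAPIStrictAcceptorCheck no: any key in the default keytab.
    (Simplified model; real GSS-API name matching is done by the Kerberos library.)
    """
    if strict:
        wanted = f"host/{local_hostname}@{realm}"
        return sorted({e.principal for e in entries if e.principal == wanted})
    return sorted({e.principal for e in entries})


def non_host_principals(entries):
    """Entries that expose a non-ssh service if the check is set to no.

    Each of these services should get its own keytab (and the entry removed
    from /etc/krb5.keytab) before GSSAPIStrictAcceptorCheck is disabled.
    """
    return sorted({e.principal for e in entries if e.service != "host"})


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    print("strict yes:", acceptable_principals(entries, True, "gw.example.com", "EXAMPLE.COM"))
    print("strict no: ", acceptable_principals(entries, False, "gw.example.com", "EXAMPLE.COM"))
    print("move to dedicated keytabs:", non_host_principals(entries))
```

On a real host, feed the script the output of `klist -k /etc/krb5.keytab`; a non-empty `non_host_principals` result is the case the suggested wording warns about.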