
Bug#660995: openssh-server: Better document the security implications of disabling GSSAPIStrictAcceptorCheck



Package: openssh-server
Version: 1:5.9p1-2
Severity: wishlist

At first glance the GSSAPIStrictAcceptorCheck option seems quite useful
on multi-homed hosts, but I don't think the existing documentation makes
it clear enough that enabling it will allow clients to use tickets for
*any* service in /etc/krb5.keytab, not just any 'host' key.

This is mentioned at
<https://bugzilla.mindrot.org/show_bug.cgi?id=928#c6> and
<http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.kerberos/2010-12/msg00081.html>.

I have tried to improve the wording of the option description in
sshd_config(5). The current wording states:

	If “no” then the client may authenticate against any service key
	stored in the machine's default store.

I suggest changing it to:

	If “no” then the client may authenticate against *any* service
	key stored in the machine's default store. This is not limited
	to just 'host' keys, so if set to “no” then ensure you use
	dedicated keytabs for all other services on the machine in
	question.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (530, 'testing'), (520, 'unstable'), (510, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu1
ii  debconf [debconf-2.0]  1.5.41
ii  dpkg                   1.16.1.2
ii  libc6                  2.13-26
ii  libcomerr2             1.42-1
ii  libgssapi-krb5-2       1.10+dfsg~beta1-2
ii  libkrb5-3              1.10+dfsg~beta1-2
ii  libpam-modules         1.1.3-7
ii  libpam-runtime         1.1.3-7
ii  libpam0g               1.1.3-7
ii  libselinux1            2.1.0-4.1
ii  libssl1.0.0            1.0.0g-1
ii  libwrap0               7.6.q-22
ii  lsb-base               3.2-28.1
ii  openssh-client         1:5.9p1-2
ii  procps                 1:3.2.8-11
ii  zlib1g                 1:1.2.3.4.dfsg-3

Versions of packages openssh-server recommends:
ii  openssh-blacklist        0.4.1
ii  openssh-blacklist-extra  0.4.1
ii  xauth                    1:1.0.6-1

Versions of packages openssh-server suggests:
pn  molly-guard                      <none>
pn  monkeysphere                     <none>
pn  rssh                             <none>
pn  ssh-askpass-gnome [ssh-askpass]  1:5.9p1-2
pn  ufw                              <none>

-- debconf information excluded
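A defender's check for the situation this report describes, added here as an example and not part of the bug report or of OpenSSH itself: it reads an sshd_config and the output of `klist -k` (both constructed samples below) and lists the non-host principals in the default keytab that sshd would accept tickets for when GSSAPIStrictAcceptorCheck is "no". The host names, realm and the plain KVNO/Principal layout of the `klist -k` output are assumptions.

```python
import re
from typing import List

# Constructed sshd_config fragment (not taken from a real host).
SAMPLE_SSHD_CONFIG = """\
# Kerberos/GSSAPI settings
GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck no
"""

# Constructed `klist -k /etc/krb5.keytab` output (not from a real host).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   3 host/web1.example.com@EXAMPLE.COM
   3 host/web1-internal.example.com@EXAMPLE.COM
   2 HTTP/web1.example.com@EXAMPLE.COM
   5 nfs/web1.example.com@EXAMPLE.COM
"""


def strict_acceptor_check(sshd_config: str) -> bool:
    """Effective GSSAPIStrictAcceptorCheck value; sshd defaults to yes.
    The first occurrence of a keyword wins, as in sshd_config(5)."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(?i)GSSAPIStrictAcceptorCheck\s+(\S+)", line)
        if m:
            return m.group(1).lower() == "yes"
    return True


def keytab_principals(klist_output: str) -> List[str]:
    """Principal names from `klist -k` output (KVNO followed by principal)."""
    principals = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m:
            principals.append(m.group(1))
    return principals


def non_host_principals(sshd_config: str, klist_output: str) -> List[str]:
    """Non-host principals in the default keytab that sshd would accept
    tickets for. Empty when the strict acceptor check is in effect; the
    fix for a non-empty result is moving those keys to dedicated keytabs."""
    if strict_acceptor_check(sshd_config):
        return []
    names = keytab_principals(klist_output)
    return sorted({p for p in names if not p.startswith("host/")})
```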