Bug#743434: openssh-client: wildcard host precedence

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#743434: openssh-client: wildcard host precedence
From: mailbox@sergio.spb.ru
Date: Wed, 02 Apr 2014 20:46:41 +0400
Message-id: <[🔎] 20140402164641.11821.39712.reportbug@transient.oktetlabs.ru>
Reply-to: mailbox@sergio.spb.ru, 743434@bugs.debian.org

Package: openssh-client
Version: 1:6.6p1-2
Severity: normal

Right now wildcarad host '*' takes precedence over all other
declarations:


host *
	GSSAPIDelegateCredentials no

host foo
	GSSAPIKeyExchange yes
	GSSAPIAuthentication yes
	GSSAPIDelegateCredentials yes


% ssh foo klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_UID)


1) I believe it's wrong behaviour and narrow declarations should have
   higher precedence.

2) Default configuration (/etc/ssh/ssh_config) sets
   "GSSAPIDelegateCredentials" to "no" for "host *" so non-privileged
   users has no ability to switch it on for specific host, except for
   all host. And this is security issue.


-- 
sergio.

Reply to:

Follow-Ups:
- Bug#743434: openssh-client: wildcard host precedence
  - From: Russ Allbery <rra@debian.org>
- Bug#743434: marked as done (openssh-client: wildcard host precedence)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: tagging 743242
Next by Date: Bug#743434: openssh-client: wildcard host precedence
Previous by thread: Processed: tagging 743242
Next by thread: Bug#743434: openssh-client: wildcard host precedence
Index(es):
- Date
- Thread