Bug#743434: openssh-client: wildcard host precedence
Package: openssh-client
Version: 1:6.6p1-2
Severity: normal
Right now wildcard host '*' takes precedence over all other
declarations:

host *
    GSSAPIDelegateCredentials no
host foo
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

% ssh foo klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_UID)

1) I believe it's wrong behaviour and narrow declarations should have
higher precedence.
2) Default configuration (/etc/ssh/ssh_config) sets
"GSSAPIDelegateCredentials" to "no" for "host *" so non-privileged
users have no ability to switch it on for a specific host, except for
all hosts. And this is a security issue.
--
sergio.
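
Added example, not part of the original report and not OpenSSH code: a simplified Python model of the lookup rule documented in ssh_config(5), where the first value obtained for each parameter is used, run over the two Host blocks from the report in both orders. The function name effective_options and the parser itself (no Match, Include, quoting or keyword=value syntax) are assumptions made for illustration.

```python
import fnmatch


def effective_options(config_text, hostname):
    """Return the options that apply to hostname; first value per keyword wins."""
    result = {}
    active = True  # lines before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if keyword == "host":
            patterns = value.split()
            # A block applies if some pattern matches and no negated pattern matches.
            hit = any(fnmatch.fnmatchcase(hostname, p)
                      for p in patterns if not p.startswith("!"))
            vetoed = any(fnmatch.fnmatchcase(hostname, p[1:])
                         for p in patterns if p.startswith("!"))
            active = hit and not vetoed
        elif active:
            # setdefault keeps the earlier value; later matches cannot override it.
            result.setdefault(keyword, value)
    return result


# Constructed input: the blocks from the report, in the reported order.
WILDCARD_FIRST = """
host *
    GSSAPIDelegateCredentials no
host foo
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""

# Constructed input: the same two blocks with the specific host placed first.
SPECIFIC_FIRST = """
host foo
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
host *
    GSSAPIDelegateCredentials no
"""

if __name__ == "__main__":
    for name, text in (("wildcard first", WILDCARD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, "->", effective_options(text, "foo")["gssapidelegatecredentials"])
```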