Your message dated Thu, 3 Apr 2014 01:56:00 +0100 with message-id <20140403005600.GV6397@riva.ucam.org> and subject line Re: Bug#743434: openssh-client: wildcard host precedence has caused the Debian Bug report #743434, regarding openssh-client: wildcard host precedence, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
743434: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743434
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: openssh-client: wildcard host precedence
- From: mailbox@sergio.spb.ru
- Date: Wed, 02 Apr 2014 20:46:41 +0400
- Message-id: <20140402164641.11821.39712.reportbug@transient.oktetlabs.ru>
Package: openssh-client
Version: 1:6.6p1-2
Severity: normal

Right now wildcard host '*' takes precedence over all other declarations:

    host *
        GSSAPIDelegateCredentials no

    host foo
        GSSAPIKeyExchange yes
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes

    % ssh foo klist
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_UID)

1) I believe it's wrong behaviour and narrow declarations should have higher precedence.

2) Default configuration (/etc/ssh/ssh_config) sets "GSSAPIDelegateCredentials" to "no" for "host *", so non-privileged users have no ability to switch it on for a specific host, except for all hosts. And this is a security issue.

--
sergio.
--- End Message ---
--- Begin Message ---
- To: Russ Allbery <rra@debian.org>, 743434-close@bugs.debian.org
- Cc: mailbox@sergio.spb.ru
- Subject: Re: Bug#743434: openssh-client: wildcard host precedence
- From: Colin Watson <cjwatson@debian.org>
- Date: Thu, 3 Apr 2014 01:56:00 +0100
- Message-id: <20140403005600.GV6397@riva.ucam.org>
- In-reply-to: <87y4znwizx.fsf@windlord.stanford.edu>
- References: <20140402164641.11821.39712.reportbug@transient.oktetlabs.ru> <87y4znwizx.fsf@windlord.stanford.edu>
On Wed, Apr 02, 2014 at 01:53:38PM -0700, Russ Allbery wrote:
> mailbox@sergio.spb.ru writes:
> > Right now wildcard host '*' takes precedence over all other
> > declarations:
>
> > host *
> > GSSAPIDelegateCredentials no
>
> > host foo
> > GSSAPIKeyExchange yes
> > GSSAPIAuthentication yes
> > GSSAPIDelegateCredentials yes
>
> The rule, rather, is that the first match takes precedence. You want to
> write this as:
>
> host foo
> GSSAPIKeyExchange yes
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> host *
> GSSAPIDelegateCredentials no
>
> and then it should work as you expect. See the first few paragraphs of
> the ssh_config man page.

Exactly. Even if it were desirable (which isn't at all clear for more complicated combinations of wildcard matches), changing this would probably be quite disruptive.

> > 2) Default configuration (/etc/ssh/ssh_config) sets
> > "GSSAPIDelegateCredentials" to "no" for "host *", so non-privileged
> > users have no ability to switch it on for a specific host, except for
> > all hosts. And this is a security issue.

This is simply not true due to the above. ~/.ssh/config is parsed before /etc/ssh/ssh_config, and so you can perfectly well override the system-wide configuration file in a per-user configuration file.

While I don't have a fully working GSSAPI setup right now, I've double-checked that the option parsing part of this really does work correctly (gdb a fresh build of the ssh client, break on read_config_file, "continue" then "finish" to get past the two parsing runs, then "print options.gss_deleg_creds" - it comes out correctly depending on "Host" stanzas in ~/.ssh/config).

Regards,

--
Colin Watson [cjwatson@debian.org]
--- End Message ---
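The first-match rule Russ and Colin describe, as an added worked example that is not part of the bug thread or of OpenSSH itself: a small Python model of how the ssh client resolves `Host` stanzas across the per-user file (read first) and the system file, fed the reporter's two stanzas in both orders. The configs are constructed samples; the model handles only the `keyword value` line form and `Host` patterns with `*`, `?` and `!` negation.

```python
import fnmatch

# Constructed sample configs mirroring the bug report (not copied from a real system).
USER_CONFIG_REPORTED = """\
Host *
    GSSAPIDelegateCredentials no
Host foo
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""

USER_CONFIG_FIXED = """\
Host foo
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIDelegateCredentials no
"""

SYSTEM_CONFIG = """\
Host *
    GSSAPIDelegateCredentials no
"""


def host_matches(patterns, host):
    """ssh-style Host matching: any pattern may match, a '!' pattern vetoes the stanza."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(host, *configs):
    """Effective options for host: the first value obtained for a keyword wins.
    Files are scanned in the order given; ssh reads ~/.ssh/config before
    /etc/ssh/ssh_config, so pass the user file first."""
    options = {}
    for text in configs:
        active = True  # lines before any Host stanza apply to every host
        for raw in text.splitlines():
            parts = raw.split("#", 1)[0].split(None, 1)
            if not parts:
                continue
            key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
            if key == "host":
                active = host_matches(value.split(), host)
            elif active:
                options.setdefault(key, value)  # keeps the first value, ignores later ones
    return options
```

On OpenSSH 6.8 and later, `ssh -G foo` prints the configuration the real client resolved, which is the quickest way to confirm the ordering of your own stanzas.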