
Bug#765655: openssh: please clarify documentations for GSSAPI's cascading credential feature
Source: openssh
Version: 1:6.7p1-2
Severity: wishlist
Tags: patch

Hi Colin.

I would find the attached patch to be a useful addition
to the description of the two options regarding cascading
credentials in the manpages.

Could you please have a look at it and if you like it
merge it with your gssapi.patch?

Thanks,
Chris.


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -ru a/ssh_config.5 b/ssh_config.5
--- a/ssh_config.5	2014-10-17 04:00:23.207518014 +0200
+++ b/ssh_config.5	2014-10-17 04:01:20.234916507 +0200
@@ -725,10 +725,19 @@
 If set to 
 .Dq yes
 then renewal of the client's GSSAPI credentials will force the rekeying of the
-ssh connection. With a compatible server, this can delegate the renewed 
+ssh connection. With a compatible server, this will delegate the renewed 
 credentials to a session on the server.
+.Pp
+Checks are made to ensure that credentials are only propagated when the new
+credentials match the old ones on the originating client and where the
+receiving server still has the old set in its cache.
+.Pp
 The default is
 .Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
 .It Cm GSSAPITrustDns
 Set to 
 .Dq yes to indicate that the DNS is trusted to securely canonicalize
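Review bot: changing "can delegate" to "will delegate" on the second line of this hunk overstates what the client-side option guarantees. Whether the renewed credentials actually land in the server session depends on the server-side option documented in the sshd_config.5 hunk of this same patch ("This option can be used to accept renewed or updated credentials from a compatible client"), so either keep "can" or spell out what "compatible server" means instead of promising delegation unconditionally. The added "Checks are made to ensure that credentials are only propagated when the new credentials match the old ones" is also too vague to act on: say what has to match (the credential's principal, the cache, or something else) and who performs the check, or drop the sentence. Finally, "needs to be enabled in the server and also used by the client" is imprecise since the option has the same name on both sides; "needs to be enabled on both the client and the server" reads better and is unambiguous.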
diff -ru a/sshd_config.5 b/sshd_config.5
--- a/sshd_config.5	2014-10-17 04:00:23.211517971 +0200
+++ b/sshd_config.5	2014-10-17 04:01:20.482913890 +0200
@@ -561,6 +561,10 @@
 successful connection rekeying. This option can be used to accepted renewed 
 or updated credentials from a compatible client. The default is
 .Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
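Review bot: the context line directly above the insertion point carries a pre-existing typo, "This option can be used to accepted renewed or updated credentials"; since the patch already touches this paragraph it should fix it to "accept renewed". The new paragraph is also copied verbatim from the ssh_config.5 hunk, and "enabled in the server and also used by the client" reads oddly in the server's own manual page; rephrase it from the server's perspective, e.g. "This option has no effect unless GSSAPIKeyExchange is enabled here and on the client", and since this option only matters when the client forces a rekey on credential renewal, cross-reference the client-side GSSAPIRenewalForcesRekey option that the ssh_config.5 hunk documents.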
