
Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange



Package: openssh-client
Version: 1:6.0p1-4+deb7u2
Severity: normal

Good morning!

I am reporting an issue that I have discovered in Debian's OpenSSH package: 
It appears that setting GSSAPIKeyExchange overrides the KexAlgorithms setting.

The group I am in (Authentication & Collaboration Solutions, part of Stanford
IT) relies heavily on Kerberos: It is our policy to not allow our group 
members to enter passwords in remote sites, with few exceptions.

As a new employee in our group, I have been updating our internal 
documentation that documents how we use SSH.  Part of that includes making a 
standard OpenSSH client configuration for other new employees to use.  One of 
the items in this configuration is to enable GSSAPI key exchange, and also to 
disable certain key-exchange algorithms.

The problem I found is, if I explicitly set KexAlgorithms, that essentially 
turns off GSSAPIKeyExchange.  Looking at debug logs, OpenSSH does not even try 
to use GSSAPI key exchange, which makes me think that setting KexAlgorithms 
somehow overrides whatever changes GSSAPIKeyExchange is trying to make.

I'm going to try reproducing this problem in openssh 6.7p1-3, just to make 
sure the problem still exists there; I'll report back when I'm able to 
reproduce.


-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-client depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.15
ii  libc6                  2.13-38+deb7u7
ii  libedit2               2.11-20080614-5
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u2
ii  libselinux1            2.1.9-5
ii  libssl1.0.0            1.0.1e-2+deb7u14
ii  passwd                 1:4.1.5.1-1
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  xauth                    1:1.0.7-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/ssh_config changed [not included]

-- no debconf information
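
Added example, not part of the original report: one way to confirm from client debug output whether any GSSAPI key-exchange method was offered, as the report describes checking in the debug logs. The two debug-line formats, the sample excerpts and the "EXAMPLEMECH==" suffix are constructed assumptions, not output from the reporter's system.

```python
import re
import sys

# Constructed `ssh -vv` excerpts (assumed formats, not taken from the report).
# "EXAMPLEMECH==" is a placeholder for the base64 mechanism hash that real
# gss-* key-exchange method names carry as a suffix.
LOG_GSS_OFFERED = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-EXAMPLEMECH==,gss-group14-sha1-EXAMPLEMECH==,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
"""
LOG_GSS_MISSING = """\
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
"""

# Assumption: the first KEX list printed at debug level 2 is the client's own
# proposal, in either the newer ("KEX algorithms:") or older
# ("kex_parse_kexinit:") wording.
KEX_LINE = re.compile(r"^debug2: (?:KEX algorithms|kex_parse_kexinit): (\S+)\s*$")


def client_kex_proposal(debug_log):
    """Return the client's offered KEX methods, or [] if none were logged."""
    for line in debug_log.splitlines():
        match = KEX_LINE.match(line)
        if match:
            return match.group(1).split(",")
    return []


def gss_kex_offered(debug_log):
    """Return only the GSSAPI key-exchange methods from the client proposal."""
    return [k for k in client_kex_proposal(debug_log) if k.startswith("gss-")]


if __name__ == "__main__":
    # Usage: ssh -vv <host> true 2>&1 | python3 this_script.py
    found = gss_kex_offered(sys.stdin.read())
    if found:
        print("GSSAPI key exchange offered:", ", ".join(found))
    else:
        print("No gss-* method in the client KEX proposal")
    sys.exit(0 if found else 1)
```

A non-zero exit status means the client never proposed a gss-* method, so the connection cannot have used GSSAPI key exchange regardless of what the server supports.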

