Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange
Package: openssh-client
Version: 1:6.0p1-4+deb7u2
Severity: normal
Good morning!

I am reporting an issue that I have discovered in Debian's OpenSSH package:
It appears that setting GSSAPIKeyExchange overrides the KexAlgorithms setting.

The group I am in (Authentication & Collaboration Solutions, part of Stanford
IT) relies heavily on Kerberos: It is our policy to not allow our group
members to enter passwords in remote sites, with few exceptions.

As a new employee in our group, I have been updating our internal
documentation that documents how we use SSH. Part of that includes making a
standard OpenSSH client configuration for other new employees to use. One of
the items in this configuration is to enable GSSAPI key exchange, and also to
disable certain key-exchange algorithms.

The problem I found is, if I explicitly set KexAlgorithms, that essentially
turns off GSSAPIKeyExchange. Looking at debug logs, OpenSSH does not even try
to use GSSAPI key exchange, which makes me think that setting KexAlgorithms
somehow overrides whatever changes GSSAPIKeyExchange is trying to make.

I'm going to try reproducing this problem in openssh 6.7p1-3, just to make
sure the problem still exists there; I'll report back when I'm able to
reproduce.

-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssh-client depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.49
ii dpkg 1.16.15
ii libc6 2.13-38+deb7u7
ii libedit2 2.11-20080614-5
ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2
ii libselinux1 2.1.9-5
ii libssl1.0.0 1.0.1e-2+deb7u14
ii passwd 1:4.1.5.1-1
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages openssh-client recommends:
ii openssh-blacklist 0.4.1+nmu1
ii openssh-blacklist-extra 0.4.1+nmu1
ii xauth 1:1.0.7-1
Versions of packages openssh-client suggests:
pn keychain <none>
pn libpam-ssh <none>
pn monkeysphere <none>
pn ssh-askpass <none>
-- Configuration Files:
/etc/ssh/ssh_config changed [not included]
-- no debconf information
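
One way to confirm from `ssh -vv` output whether the client offered GSSAPI key exchange, as an added example that is not part of the original report or of OpenSSH. The sample logs are constructed and abridged, and the two debug-line prefixes it matches are assumptions about the client's debug output format.

```shell
#!/bin/sh
# Added example: does the client's own KEXINIT proposal in `ssh -vv`
# output contain a GSSAPI key-exchange method (gss-*)?

# Print the client's key-exchange list: the first KEX line in the log.
# Assumption: older clients log "kex_parse_kexinit: <list>", newer ones
# "KEX algorithms: <list>", and the local proposal precedes the peer's.
client_kex_proposal() {
    awk '/^debug2: (kex_parse_kexinit|KEX algorithms): / {
             sub(/^debug2: [^:]*: /, ""); print; exit }'
}

# From a comma-separated KEX list on stdin, print the gss-* methods.
gss_kex_methods() {
    tr ',' '\n' | grep '^gss-' || true
}

# Exit 0 if the client offered GSSAPI key exchange, 1 otherwise.
offers_gss_kex() {
    [ -n "$(client_kex_proposal | gss_kex_methods)" ]
}

# Constructed, abridged sample logs (not captured from a real session).
# In both, the last line stands for the server's proposal, which must
# not influence the verdict.
LOG_KEX_SET='debug1: Reading configuration data /etc/ssh/ssh_config
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group14-sha1'

LOG_KEX_UNSET='debug1: Reading configuration data /etc/ssh/ssh_config
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group14-sha1'

report() {
    if printf '%s\n' "$2" | offers_gss_kex; then
        echo "$1: client offers GSSAPI key exchange"
    else
        echo "$1: no gss-* method in the client proposal"
    fi
}
report "KexAlgorithms set" "$LOG_KEX_SET"
report "KexAlgorithms unset" "$LOG_KEX_UNSET"
```

Against a live client, the debug output goes to stderr, so redirect it with `2>&1` before piping it into `offers_gss_kex`.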