
Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange



Alfred Karl Kornel <akkornel@stanford.edu> writes:

> I am reporting an issue that I have discovered in Debian's OpenSSH
> package:  It appears that setting GSSAPIKeyExchange overrides the
> KexAlgorithms setting.

Yeah, I would expect this, since GSS-API key exchange *is* a key exchange
mechanism.  If you do GSS-API key exchange, that completely replaces the
normal ssh public key negotiation, since it instead uses Kerberos to
negotiate the encrypted channel with the server.

Is the problem that you want to be able to control the key exchange
algorithms that the server falls back on if GSS-API key exchange fails
(if, for example, the client doesn't support it)?

If you're happy to require all clients to do GSS-API key exchange, you can
just delete all public keys for the server.  They're not used at all with
GSS-API, and that will prevent the server from negotiating any public key
exchange mechanism as a fallback.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

