Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange

To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: 777549@bugs.debian.org, Alfred Karl Kornel <akkornel@stanford.edu>
Subject: Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange
From: Russ Allbery <rra@debian.org>
Date: Mon, 09 Feb 2015 19:18:03 -0800
Message-id: <[🔎] 87r3tycv4k.fsf@hope.eyrie.org>
Reply-to: Russ Allbery <rra@debian.org>, 777549@bugs.debian.org
In-reply-to: <[🔎] 1423537758.17478.37.camel@scientia.net> (Christoph Anton Mitterer's message of "Tue, 10 Feb 2015 04:09:18 +0100")
References: <[🔎] 20150209175248.3380.39139.reportbug@drum.stanford.edu> <[🔎] 871tlyeau8.fsf@hope.eyrie.org> <[🔎] 1423537758.17478.37.camel@scientia.net>

Christoph Anton Mitterer <calestyo@scientia.net> writes:

> Anyway,... best chances are if Alfred would report this to upstream
> (which is here not OpenSSH, but the maintainers of the patchset).

That's also true, particularly since it sounded from the second message
like he has a proposed fix.  However, it's worth noting that any fix for
this wouldn't make it into jessie at this point, so you'll want to be
thinking about workarounds or planning on backporting a later version.

It does make sense to me that it should be possible to both enable GSS-API
key exchange and otherwise restrict the key exchange methods that the
server will use in the absence of GSS-API.  (Ideally, you could restrict
which specific GSS-API key exchange algorithms would be used, but I think
there aren't many to choose from anyway.)

This whole thing is unnecessarily irritating due to the OpenSSH project's
unwillingness to take the key exchange patches, forcing every distribution
to apply them separately and meaning that they aren't considered when
upstream works on things like the configuration parameter for key exchange
methods.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

References:
- Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange
  - From: Alfred Karl Kornel <akkornel@stanford.edu>
- Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange
  - From: Russ Allbery <rra@debian.org>
- Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange
Next by Date: Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange
Previous by thread: Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange
Next by thread: Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange
Index(es):
- Date
- Thread