
Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange



On Mon, 2015-02-09 at 20:15 -0800, Karl Kornel wrote: 
> That's what I thought, but as I understood the patch, it seems that 
> turning on GSSAPIKeyExchange is just working out what GSSAPI 
> key-exchange methods are supported, and then prepending those to the 
> default list of key-exchange algorithms (and then adding "null" at the 
> end).  That way, if the server doesn't support GSSAPI key exchange, the 
> client is able to fall back to one of the more traditional methods.
Hmm, that could be the case... at least it's like that for the
authentication methods.
When GSSAPI KEX is enabled on the client, it automatically prepends
"gssapi-keyex" (not to be confused with gssapi-with-mic).

But you can just manually add this to your preferred auth method list as
well, e.g. I have set
PreferredAuthentications        gssapi-keyex,gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
even though I've disabled GSSAPI key exchange.

Have you tried something similar for KexAlgorithms, and whether it works
out if you don't put it at the beginning?


Because then the behaviour would seem more reasonable again:
setting GSSAPIKeyExchange adds the respective algorithm names to the
preference lists when enabled. Though I'd probably prefer it if the
patch dropped the GSSAPIKeyExchange option and just always added the
algorithms to the default lists (where people could still take them away
if they like).


> I was wondering if this would need to go upstream, but from what I 
> understood, bug reporters are supposed to report bugs directly to Debian.
Well, I guess it depends on who you end up with... I generally think it's
okay to report it against Debian, but sometimes I've earned quite
hostile reactions.

I rather meant that you'd likely have more success getting this sorted
out if you ask upstream directly :)


> Could you please tell me where "upstream" is in this case?  I did some 
> quick searching, but the one place I found hadn't been updated in a few 
> years.
> 
> Once I know where to send the bug report, I'm happy to file it upstream!
The URL Russ gave you is probably the best start...
Simon (=upstream) told me that
https://github.com/gss-openssh/openssh-portable is intended to become
the new upstream location, but it seems to be inactive as well, and one
cannot file issues there.


Cheers,
Chris.
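The check discussed above (does an explicit KexAlgorithms line keep or drop the GSSAPI key-exchange methods?) can be made against a real client with `ssh -G`, which prints the effective configuration for a host without connecting. The script below is an added example, not from the bug report, Debian or OpenSSH; it assumes an OpenSSH client with `-G` (6.8 and later, newer than the one this bug was filed against) and recognises GSSAPI methods by the `gss-` name prefix that RFC 4462 gives them. `has_gss_kex`, `check_config` and the two sample outputs are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the bug report or the Debian/OpenSSH sources.
# Assumes an OpenSSH client new enough for `ssh -G` (6.8 and later), which
# prints the effective client configuration for a host, one lowercased
# keyword per line, e.g. "kexalgorithms a,b,c".
# RFC 4462 names every GSSAPI key-exchange method "gss-<group>-<hash>-<mech>",
# so any "gss-" entry in the effective kexalgorithms list means
# GSSAPIKeyExchange still takes effect.

# has_gss_kex OUTPUT: exit 0 if OUTPUT (text in `ssh -G` format) lists at
# least one gss-* key-exchange method, 1 otherwise.
has_gss_kex() {
    printf '%s\n' "$1" | awk '
        $1 == "kexalgorithms" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (algs[i] ~ /^gss-/) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# check_config CONFIG_FILE HOST: run the real client against a config file
# and report whether GSSAPI key exchange survived that file's settings.
# Needs ssh installed; -G evaluates the config only and never connects.
check_config() {
    if has_gss_kex "$(ssh -G -F "$1" "$2")"; then
        echo "$1: gss-* methods present in effective KexAlgorithms"
        return 0
    fi
    echo "$1: no gss-* methods; an explicit KexAlgorithms line has dropped them"
    return 1
}

# Constructed samples of `ssh -G` output (not captured from a real client;
# the "MECH" suffix stands in for the base64 mechanism hash RFC 4462 puts there).

# GSSAPIKeyExchange yes and no KexAlgorithms line: gss-* methods prepended.
SAMPLE_GSS_KEX='gssapikeyexchange yes
kexalgorithms gss-gex-sha1-MECH,gss-group14-sha1-MECH,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

# GSSAPIKeyExchange yes plus an explicit KexAlgorithms line: the behaviour
# reported in this bug, the user-supplied list replaces the default and the
# gss-* entries are gone.
SAMPLE_EXPLICIT_KEX='gssapikeyexchange yes
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
```

To test a real setup, source the script and run `check_config ~/.ssh/config some.host.example` (assumed paths); a non-zero return means the explicit KexAlgorithms line has removed the GSSAPI methods and you need to either drop that line or list the gss-* names in it yourself, which is the KexAlgorithms counterpart of the manual PreferredAuthentications entry shown above.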
