Red Hat Bugzilla – Bug 598673
GSSAPIStrictAcceptorCheck no should be the default in sshd
Last modified: 2010-06-07 05:12:16 EDT
Description of problem:
This check being on was causing ssh testing with kerberos to break. The kerberos library would prevent me from logging in if the servtab entry was not correct.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release. Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release. This request is not yet committed for
On second thought, if a less careful admin stored keys for other services in
the same keytab file that sshd consulted, then a modified client could use
tickets for one of those other services to log in through sshd.
So we mightn't want to do this if sshd isn't also verifying that the server name is "host@..." (or we can just assume that the admin's not going to put keys for non-"host" services in /etc/krb5.keytab).
I prefer test the settings which may security influence in fedora before deployment in rhel.