Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 598673 - GSSAPIStrictAcceptorCheck no should be the default in sshd
GSSAPIStrictAcceptorCheck no should be the default in sshd
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh (Show other bugs)
6.0
All Linux
low Severity medium
: rc
: ---
Assigned To: Jan F. Chadima
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-01 16:10 EDT by Daniel Walsh
Modified: 2010-06-07 05:12 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-07 05:12:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel Walsh 2010-06-01 16:10:42 EDT
Description of problem:

This check being on was causing ssh testing with kerberos to break.  The kerberos library would prevent me from logging in if the servtab entry was not correct.
Comment 2 RHEL Product and Program Management 2010-06-02 14:25:56 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 3 Nalin Dahyabhai 2010-06-02 14:29:25 EDT
On second thought, if a less careful admin stored keys for other services in
the same keytab file that sshd consulted, then a modified client could use
tickets for one of those other services to log in through sshd.

So we mightn't want to do this if sshd isn't also verifying that the server name is "host@..." (or we can just assume that the admin's not going to put keys for non-"host" services in /etc/krb5.keytab).
Comment 4 Jan F. Chadima 2010-06-07 05:12:16 EDT
I prefer test the settings which may security influence in fedora before deployment in rhel.

Note You need to log in before you can comment on or make changes to this bug.