Package: openssh-server
Version: 1:5.9p1-2
Severity: wishlist

At first glance the GSSAPIStrictAcceptorCheck option seems quite useful
on multi-homed hosts, but I don't think the existing documentation makes
it clear enough that enabling it will allow clients to use tickets for
*any* service in /etc/krb5.keytab, not just any 'host' key.

This is mentioned at
<https://bugzilla.mindrot.org/show_bug.cgi?id=928#c6> and
<http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.kerberos/2010-12/msg00081.html>.

I have tried to improve the wording of the option description in
sshd_config(5). The current wording states:

        If “no” then the client may authenticate against any service key
        stored in the machine's default store.

I suggest changing it to:

        If “no” then the client may authenticate against *any* service
        key stored in the machine's default store. This is not limited
        to just 'host' keys, so if set to “no” then ensure you use
        dedicated keytabs for all other services on the machine in
        question.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (530, 'testing'), (520, 'unstable'), (510, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu1
ii  debconf [debconf-2.0]  1.5.41
ii  dpkg                   1.16.1.2
ii  libc6                  2.13-26
ii  libcomerr2             1.42-1
ii  libgssapi-krb5-2       1.10+dfsg~beta1-2
ii  libkrb5-3              1.10+dfsg~beta1-2
ii  libpam-modules         1.1.3-7
ii  libpam-runtime         1.1.3-7
ii  libpam0g               1.1.3-7
ii  libselinux1            2.1.0-4.1
ii  libssl1.0.0            1.0.0g-1
ii  libwrap0               7.6.q-22
ii  lsb-base               3.2-28.1
ii  openssh-client         1:5.9p1-2
ii  procps                 1:3.2.8-11
ii  zlib1g                 1:1.2.3.4.dfsg-3

Versions of packages openssh-server recommends:
ii  openssh-blacklist        0.4.1
ii  openssh-blacklist-extra  0.4.1
ii  xauth                    1:1.0.6-1

Versions of packages openssh-server suggests:
pn  molly-guard                      <none>
pn  monkeysphere                     <none>
pn  rssh                             <none>
pn  ssh-askpass-gnome [ssh-askpass]  1:5.9p1-2
pn  ufw                              <none>

-- debconf information excluded


