[OmniOS-discuss] Disabling GSSAPI Key Exchange from future OpenSSH?

Michael Rasmussen mir at miras.org
Mon Dec 19 23:35:14 UTC 2016


On Mon, 19 Dec 2016 14:56:18 -0800
Alex Wilson <alex at cooperi.net> wrote:

> 
> Do you have any links to explanations as to why this is? Or further
> hints for what I should look at? I can easily understand why GSSAPI
> authentication (at least gssapi-with-mic) is needed, but I can't seem to
> find anything by Googling about gssapi-keyex and AD and why it would be
> required. I have set up SSH servers in AD environments before myself and
> only used gssapi-with-mic, but I certainly don't claim to be an expert
> in it.
> 
In my understanding (I am certainly no Windows guru either :-) to be
able to request Kerberos/service tickets from the KDC (AD) you need
to be able to receive and send tickets, so for this to work when logging in
via SSH the SSH login process must be able to fetch a TGT from the
KDC, which to the best of my knowledge requires the SSH key exchange
feature. Read more here:
https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx

> In your deployment, do you still generate host keys for your machines?
> From what I've read about it, the only advantage of the gssapi-keyex
> method is that you don't need host keys (i.e. /etc/ssh/ssh_host_*_key
> files) and you never see "The authenticity of host 'blah (1.2.3.4)'
> can't be established. Are you sure you want to continue connecting
> (yes/no)?" prompts. Is there something I'm missing here?
> 
No, when using the SSH key exchange feature the "host key map" is
maintained automatically by the AD and globally shared between all
members of the AD realm.

-- 
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
/usr/games/fortune -es says:
If you are too busy to read, then you are too busy.
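The thread turns on which host-authentication path an sshd actually uses: host keys on disk, GSSAPI key exchange, or both. This added audit script (not from the thread or from OmniOS) parses the effective configuration as printed by `sshd -T` and reports those settings; the sample output, the lowercase `gssapikeyexchange` keyword (only present in builds carrying the GSSAPI key-exchange patch) and the `gss-group14-sha256-` algorithm name are constructed for illustration.

```python
"""Audit an OpenSSH effective configuration (`sshd -T` output) for the
GSSAPI and host-key settings discussed in the thread."""

# Constructed sample of `sshd -T` output from a GSSAPI-keyex-patched build.
SAMPLE_SSHD_T = """\
port 22
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
gssapiauthentication yes
gssapikeyexchange yes
gssapicleanupcredentials yes
kexalgorithms curve25519-sha256,gss-group14-sha256-,diffie-hellman-group14-sha256
"""


def parse_sshd_t(text):
    """Parse `sshd -T` output into {lowercase keyword: [values]}.
    Keywords such as 'hostkey' may repeat, so values are kept in a list."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_gssapi(conf):
    """Return findings describing how the daemon can authenticate itself."""
    findings = {}
    findings["host_keys"] = conf.get("hostkey", [])
    findings["gssapi_auth"] = conf.get("gssapiauthentication", ["no"])[0] == "yes"
    # Assumption: a build without the GSSAPI key-exchange patch never emits
    # the 'gssapikeyexchange' keyword, so its absence means "unsupported".
    keyex = conf.get("gssapikeyexchange")
    findings["gssapi_keyex_supported"] = keyex is not None
    findings["gssapi_keyex_enabled"] = keyex == ["yes"]
    kex = conf.get("kexalgorithms", [""])[0].split(",")
    findings["gss_kex_algorithms"] = [k for k in kex if k.startswith("gss-")]
    # Without host keys, only a GSSAPI key exchange can authenticate the server;
    # such a host will stop being verifiable once the patch goes away.
    findings["relies_on_keyex_for_host_auth"] = (
        findings["gssapi_keyex_enabled"] and not findings["host_keys"])
    return findings


if __name__ == "__main__":
    for name, value in audit_gssapi(parse_sshd_t(SAMPLE_SSHD_T)).items():
        print(f"{name}: {value}")
```

On a real system feed it `sshd -T` output (run as root) instead of the sample; a report with `gssapi_keyex_supported` false and an empty `host_keys` list is the combination to fix before upgrading.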