Christoph Anton Mitterer <cales...@scientia.org> writes: > Actually I think that most sites where I "need"/use GSSAPI... only > require the ticket for AFS, and do actually allow pubkey auth (but > right now, one doesn't have AFS access then).
In past discussions of this patch, this has not been the case. One of the advantages of GSSAPI key exchange is that you can disable public keys for all of your hosts and never manage known hosts, instead only using the system Kerberos keytabs. Since in a Kerberos environment you have to put keytabs on every host *anyway*, and that *is* the host's identity in a Kerberos environment, this reduces the number of key infrastructures you have to manage by one, which matters to some Kerberos deployments. This arguably gives you better security in that specific environment because keytabs do not rely on leap-of-faith initial authentication; the server is always properly authenticated, even on first connect. > Not sure if there's a simple out of the box way to just transfer that > but without all the other GSSAPI stuff? If you want your ticket to refresh remotely when you refresh it locally, which is often needed for Kerberos applications like AFS, you do need key exchange, since that's the mechanism that allows that to happen. (I use both GSSAPI and tcpwrappers, so Colin's proposal would mean more work for me, but given the situation, I'm willing to rework the way that I use ssh to avoid both going forward. More features are nice, but I can see the merits of simplicity here. But I no longer maintain a large infrastructure built on Kerberos, so I'm not putting as much weight on the GSSAPI support as I used to.) -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
