Alfred Karl Kornel <akkor...@stanford.edu> writes:

> I am reporting an issue that I have discovered in Debian's OpenSSH
> package: It appears that setting GSSAPIKeyExchange overrides the
> KexAlgorithms setting.

Yeah, I would expect this, since GSS-API key exchange *is* a key exchange mechanism. If you do GSS-API key exchange, that completely replaces the normal ssh public key negotiation, since it instead uses Kerberos to negotiate the encrypted channel with the server.

Is the problem that you want to be able to control the key exchange algorithms that the server falls back on if GSS-API key exchange fails (if, for example, the client doesn't support it)?

If you're happy to require all clients to do GSS-API key exchange, you can just delete all public keys for the server. They're not used at all with GSS-API, and that will prevent the server from negotiating any public key exchange mechanism as a fallback.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: https://lists.debian.org/871tlyeau8....@hope.eyrie.org
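Added example, not part of the original message and not OpenSSH or Debian code: one way to check what a server actually advertises is to read the kex_algorithms name-list from its SSH_MSG_KEXINIT (RFC 4253) and separate the GSS-API methods from the non-GSS fallback methods. The sample name-list, the allowlist and all function names are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253, section 7.1
# Extension markers that appear in the list but are not key exchange methods.
PSEUDO = {"ext-info-s", "kex-strict-s-v00@openssh.com"}

# Constructed sample of what a server might advertise (not captured from a real host).
SAMPLE_OFFERED = [
    "gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==",
    "gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==",
    "curve25519-sha256",
    "diffie-hellman-group1-sha1",
    "ext-info-s",
]
ALLOWED = {"curve25519-sha256"}  # assumed: the admin's intended KexAlgorithms value

def build_kexinit(kex_names):
    """Build a constructed KEXINIT payload; the nine other name-lists are empty."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + name_list(kex_names)
    body += name_list([]) * 9
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kex_algorithms(payload):
    """Return the first name-list (kex_algorithms) of a KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    (length,) = struct.unpack_from(">I", payload, 17)  # after type byte + 16-byte cookie
    raw = payload[21:21 + length]
    if len(raw) != length:
        raise ValueError("truncated kex_algorithms name-list")
    return raw.decode("ascii").split(",") if raw else []

def audit(offered, allowed):
    """Split advertised methods into GSS-API, fallback, and fallback outside the allowlist."""
    gss = [n for n in offered if n.startswith("gss-")]
    fallback = [n for n in offered if not n.startswith("gss-") and n not in PSEUDO]
    unexpected = [n for n in fallback if n not in allowed]
    return {"gss": gss, "fallback": fallback, "unexpected": unexpected}

if __name__ == "__main__":
    report = audit(parse_kex_algorithms(build_kexinit(SAMPLE_OFFERED)), ALLOWED)
    for group, names in report.items():
        print(f"{group}: {', '.join(names) or '(none)'}")
```

An empty "fallback" list corresponds to the GSS-API-only setup described in the reply; anything under "unexpected" is a non-GSS method the allowlist did not intend.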