On 19/12/2016 22:03, Tim Mooney wrote:
In regard to: [OpenIndiana-discuss] OpenSSH GSS-API-key-exchange, Alexander...:

Currently OpenSSH in OpenIndiana supports the GSSAPIKeyExchange option and enables it by default (support for authenticating the server via GSSAPI - an alternative to distributing server ssh keys) - http://www.sxw.org.uk/computing/patches/openssh.html .
This is a separate patch (but a widespread one - it is supported by Debian and RedHat).

The issue is that if DNS is misconfigured on the client side, it can lead to long delays while connecting to an ssh server.

The question is - who really uses this option on OI? Can we just drop this patch (or at least disable it by default) without significant impact on user systems?

We have a full Kerberos infrastructure where I work and we've experimented
with using GSS for host key exchange, but we're not currently using it in
production.

I guess my preference would be to continue to have the patch included, but default to

GSSAPIKeyExchange no

in the sshd config.

+1 for keeping and off by default - this is, e.g., needed where you log in against a Windows central IDM infrastructure.

