Ticket #1548 (new defect)

Opened 6 years ago

Last modified 5 years ago

Get Mac OS X Kerberos Extras to turn off GSSAPIKeyExchange and GSSAPIDelegateCredentials

Reported by: andersk Owned by:
Priority: normal Milestone:
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug:


(Not strictly Debathena related.)

Apparently Kerberos Extras still turns on GSSAPIKeyExchange and GSSAPIDelegateCredentials by default. GSSAPIKeyExchange sounds nifty but turns out to be full of DNS-related security holes (#1384), and GSSAPIDelegateCredentials causes tickets to be copied to all kinds of places they shouldn’t be (#205). These options should both be off by default, matching upstream.

Turning off GSSAPIKeyExchange when it had previously been on might cause users to get a host fingerprint prompt once. If this is unacceptable, it could be mitigated by shipping an extra known_hosts file with fingerprints for common hosts, like Debathena does: GlobalKnownHostsFile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 /etc/ssh/ssh_known_hosts.debathena (#1386).

Turning off GSSAPIDelegateCredentials would mean that athena.dialup.mit.edu users will get prompted for a password unless they pass ssh -K. Debathena considers this acceptable. If Kerberos Extras does not, it could be mitigated by turning on GSSAPIDelegateCredentials for athena.dialup.mit.edu (and related names) only.

Change History

comment:1 Changed 5 years ago by kaduk

Note that as of OS X 10.11, the system ssh is openssh 6.9, which includes a change that broke GSSAPIKeyExchange entirely (the GSSAPI patch requires prefix-matching behavior, which was removed inadvertently as part of a conversion to a table-driven lookup process).

Note: See TracTickets for help on using tickets.