Ticket #1548 (new defect)
Get Mac OS X Kerberos Extras to turn off GSSAPIKeyExchange and GSSAPIDelegateCredentials
| Reported by: | andersk | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | -- | Keywords: | |
| Cc: | | Fixed in version: | |
| Upstream bug: | | | |
Description
(Not strictly Debathena related.)
Apparently Kerberos Extras still turns on GSSAPIKeyExchange and GSSAPIDelegateCredentials by default. GSSAPIKeyExchange sounds nifty but turns out to be full of DNS-related security holes (#1384), and GSSAPIDelegateCredentials causes tickets to be copied to all kinds of places they shouldn’t be (#205). These options should both be off by default, matching upstream.
Turning off GSSAPIKeyExchange when it had previously been on might cause users to get a host fingerprint prompt once. If this is unacceptable, it could be mitigated by shipping an extra known_hosts file with fingerprints for common hosts, like Debathena does: GlobalKnownHostsFile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 /etc/ssh/ssh_known_hosts.debathena (#1386).
Turning off GSSAPIDelegateCredentials would mean that athena.dialup.mit.edu users will get prompted for a password unless they pass ssh -K. Debathena considers this acceptable. If Kerberos Extras does not, it could be mitigated by turning on GSSAPIDelegateCredentials for athena.dialup.mit.edu (and related names) only.
Note that as of OS X 10.11, the system ssh is OpenSSH 6.9, which includes a change that broke GSSAPIKeyExchange entirely (the GSSAPI patch requires prefix-matching behavior, which was removed inadvertently as part of a conversion to a table-driven lookup process).
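To check a client configuration against the defaults this ticket asks for, the following added example (not part of the ticket and not Kerberos Extras code) scans ssh_config text and reports every scope that sets GSSAPIKeyExchange or GSSAPIDelegateCredentials to yes, tolerating delegation only in Host blocks limited to allowlisted names. The function name, the allowlist parameter and both sample configurations are assumptions constructed for illustration.

```python
# Options the ticket says should be off by default.
RISKY = {"gssapikeyexchange", "gssapidelegatecredentials"}

def audit_ssh_config(text, delegate_allow=("athena.dialup.mit.edu",)):
    """Return (line_no, scope, keyword, value) for each risky setting.

    GSSAPIKeyExchange yes is flagged in every scope. GSSAPIDelegateCredentials
    yes is flagged unless every pattern of the enclosing Host block is an
    exact name in delegate_allow (wildcards and Match blocks never qualify).
    """
    allow = {h.lower() for h in delegate_allow}
    scope = ["(global)"]  # settings before any Host line apply to all hosts
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split()
        if not parts or line.startswith("#"):
            continue
        keyword = parts[0].lower()
        args = [a.strip('"').lower() for a in parts[1:]]
        if keyword == "host":
            scope = args
        elif keyword == "match":
            scope = ["match " + " ".join(args)]
        elif keyword in RISKY and args[:1] == ["yes"]:
            narrow = bool(scope) and all(p in allow for p in scope)
            if keyword == "gssapikeyexchange" or not narrow:
                findings.append((line_no, " ".join(scope), parts[0], "yes"))
    return findings

# Constructed sample with both options on for every host.
BEFORE = """\
Host *
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials yes
"""

# Constructed sample with the ticket's mitigation. ssh uses the first value
# it obtains for an option, so the narrow Host block must precede "Host *".
AFTER = """\
Host athena.dialup.mit.edu
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIKeyExchange no
    GSSAPIDelegateCredentials no
"""

if __name__ == "__main__":
    for finding in audit_ssh_config(BEFORE):
        print("line %d [%s]: %s %s" % finding)
```

The check is purely textual: it does not resolve Include directives or evaluate Match conditions, so every file that contributes to the effective configuration has to be scanned separately.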