id summary reporter owner description type status priority milestone component resolution keywords cc fix_version see_also 1548 Get Mac OS X Kerberos Extras to turn off GSSAPIKeyExchange and GSSAPIDelegateCredentials andersk "(Not strictly Debathena related.) Apparently Kerberos Extras still turns on `GSSAPIKeyExchange` and `GSSAPIDelegateCredentials` by default. `GSSAPIKeyExchange` sounds nifty but turns out to be full of DNS-related security holes (#1384), and `GSSAPIDelegateCredentials` causes tickets to be copied to all kinds of places they shouldn’t be (#205). These options should both be off by default, matching upstream. Turning off `GSSAPIKeyExchange` when it had previously been on might cause users to get a host fingerprint prompt once. If this is unacceptable, it could be mitigated by shipping an extra `known_hosts` file with fingerprints for common hosts, like Debathena does: `GlobalKnownHostsFile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 /etc/ssh/ssh_known_hosts.debathena` (#1386). Turning off `GSSAPIDelegateCredentials` would mean that athena.dialup.mit.edu users will get prompted for a password unless they pass `ssh -K`. Debathena considers this acceptable. If Kerberos Extras does not, it could be mitigated by turning on `GSSAPIDelegateCredentials` for athena.dialup.mit.edu (and related names) only." defect new normal --