openssh unix dev - Oct 2008 - GSSAPI Key Exchange on multi-homed host

>From a security standpoint, if the default keytab (/etc/krb5.keytab) 
contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck 
is set to "yes" or "no"?

My company uses an internally built OpenSSH package that includes the 
GSSAPI Key Exchange patch.  Because we have 1000s of hosts, we need to use 
a "standard" sshd_config file that works for the majority of hosts. 
Unfortunately, the current "standard" sshd_config does not set the 
GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore
does not work correctly on the multi-homed hosts.

I'd like to change our standard sshd_config so GSSAPIStrictAcceptorCheck 
defaults to "no", but before doing so, I want to better understand the
implications.

As I understand the GSSAPIStrictAcceptorCheck flag, setting it to
"no",
simply enables matches against more then the 1st principal in 
/etc/krb5.keytab.  So... if there's only one principal in the keytab, it 
seems like it wouldn't matter if GSSAPIStrictAcceptorCheck is set to yes 
or no.  Is that correct?

On Mon, 13 Oct 2008, petesea at bigfoot.com wrote:
> >From a security standpoint, if the default keytab (/etc/krb5.keytab) 
> contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck 
> is set to "yes" or "no"?
> 
> My company uses an internally built OpenSSH package that includes the 
> GSSAPI Key Exchange patch.  Because we have 1000s of hosts, we need to use 
> a "standard" sshd_config file that works for the majority of
hosts.
> Unfortunately, the current "standard" sshd_config does not set
the
> GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and
therefore
> does not work correctly on the multi-homed hosts.
OpenSSH doesn't support a GSSAPIStrictAcceptorCheck at all. There is a
patch in our bugzilla to add it, and I'd like to review and merge is soon
but it has never been in any version that we have released.

-d