similar to: GSSAPI Key Exchange Patch

>From a security standpoint, if the default keytab (/etc/krb5.keytab) contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck is set to "yes" or "no"? My company uses an internally built OpenSSH package that includes the GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to use a "standard" sshd_config file that works for the

Is it possible to move a server's public and private keys from one host to another? Or perhaps a better way to ask what I really want... is it possible to configure a server on a new host to return the same public key it did on the old host? I'm in the process of migrating our CVS server from a Solaris host to a Linux host (this weekend) and I just realized the hostkey is going to

I'm randomly getting the following error on a server from various remote hosts: ssh_exchange_identification: Connection closed by remote host The server is running OpenSSH 4.5p1 w/GSSAPI Key Exchange patch. The hosts connecting to it should all be using OpenSSH 5.0p1 w/GSSAPI Key Exchange patch and using gssapi-keyex authentication. Normally, when I've seen this error, it means

Now that RFC 4462 has been published, I was wondering if there would be any interest in looking again at integrating the key exchange portions of my GSSAPI patch into the OpenSSH tree? As I've mentioned before, key exchange has significant benefits for large sites as it allows them to use Kerberos to authenticate ssh hosts, and removes the need to maintain and distribute ssh known_hosts

Hi All. Markus has commited the long-awaited GSSAPI patch to OpenBSD's ssh. There are patches. The first [1] is a straightforward port of the OpenBSD code to Portable. The second [2] contains the parts I've stolen from Simon Wilkinson's portable GSSAPI patch in an attempt to make it build. It is incomplete and doesn't currently work. The PAM support is not there and

http://bugzilla.mindrot.org/show_bug.cgi?id=751 Summary: KRB5CCNAME set incorrectly in GSSAPI code Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: openssh-bugs at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=1218 Summary: GSSAPI client code permits SPNEGO usage Product: Portable OpenSSH Version: 4.3p2 Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: bitbucket at mindrot.org ReportedBy:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm pleased to (finally) announce the availability of my GSSAPI Key Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains support for doing GSSAPI user authentication, this only allows the underlying security mechanism to authenticate the user to the server, and continues to use SSH host keys to authenticate the server to the

Last June I asked the following question, but didn't receive any responses: http://marc.info/?l=openssh-unix-dev&m=124406679122871&w=2 I just did the same test using openssh-5.3p1 and the results are the same. Is this a bug? Or intentional? If it's a bug, I'll report it. If it's intentional, any chance it could be changed? Or a server-side way to override it?

Has anyone successfully built openssh with MIT's KfW (Kerberos for Windows) under Cygwin? Is it even possible? Searching around I found one reference to Nicolas Williams attempting to do this several years ago, but no indication of success and nothing more recent. http://www.cygwin.com/ml/cygwin/2002-01/msg00100.html What about compiling openssh using a native windows compiler? Is

Is there any way to define openssh options via an env var? Something like: SSH_OPTIONS='-oBatchMode=yes ...' or SSH_CONFIG=/path/to/alternate/ssh_config The reason I'd like to be able to use this is so I can override certain options without interfering with the users normal configuration file. In the case of commands that indirectly call ssh, like cvs, there's no way

I'm using Cygwin OpenSSH 5.1 on a Windows XP SP3 system. Is sshd supposed to create a new "login session" for each user that logs in? Or, is there a way to force it to create a new "login session" for each user that logs in? Once logged in, I'm trying to use the Kerberos for Windows command line utilities (klist/kinit), but I'm told by one of the KfW

Starting with openssh 5.1 the following code fails (when executed on a remote host)... prior to 5.0 this worked, ie S_ISSOCK says STDIN is a socket. struct stat s; fstat(STDIN_FILENO, &s); if (S_ISSOCK(s.st_mode)) // STDIN is a socket else // STDIN is not a socket Soo... if I have a command on a remote host that includes the above code and I ssh to the remote host

How difficult would it be to enhance the client ssh_config file to allow command-based declarations similar to that provided by the "Host" keyword? The main reason I need something like this is when ssh is used via CVS and Subversion. I want all CVS/Subversion traffic to use a different SSH port and different authentication options. So... you might have an ssh_config file that

https://bugzilla.mindrot.org/show_bug.cgi?id=1752 Summary: Test port not available during make tests Product: Portable OpenSSH Version: 5.4p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: unassigned-bugs at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=1008 simon at sxw.org.uk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |simon at sxw.org.uk ------- Comment #5 from simon at sxw.org.uk 2006-08-19 08:28 ------- There isn't an easy fix for this, at

https://bugzilla.mindrot.org/show_bug.cgi?id=1276 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1233| |ok+ Flag| |

https://bugzilla.mindrot.org/show_bug.cgi?id=1719 Summary: Debug server prints debug messages on client Product: Portable OpenSSH Version: 5.4p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy:

https://bugzilla.mindrot.org/show_bug.cgi?id=1601 Summary: Memory leak caused by forwarded GSSAPI credential store Product: Portable OpenSSH Version: 5.2p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at

Hi, Just wondering if anyone was looking at implementing draft-ietf-secsh-gsskeyex-00 in OpenSSH? My patches for SSH version 1 Kerberos 5 support (heavily based upon work done by Dan Kouril) are now available from http://www.sxw.org.uk/computing/patches/ Is there any interest in integrating these into the distribution? If so, I'd be happy to update them to the development version. Cheers,