Ubuntu

ssh should not try to verify hostkey when only gssapi is used

Reported by Björn Torkelsson on 2006-01-13
6
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Wishlist
Unassigned

Bug Description

If I only have gssapi-keyx and gssapi-with-mic enabled (everything else is disabled) and I am missing a valid kerberos ticket, openssh asks me if i want to accept the hostkey (unless I already have accepted it). If I have a valid ticket I am not asked to verify the hostkey. When using gssapi/kerberos the hostkeys are pretty useless as the the validity of the host are verified through kerberos/gssapi.

/torkel

Matt Zimmerman (mdz) wrote :

Is this a separate issue from bug #28488?

Björn Torkelsson (torkel) wrote :

Yes, they are separate issues.

If you are only using GSSAPI there is no need for the SSH hostkey as the validity of the host is verified through gssapi/kerberos.

Bug #28488 is about when using GSSAPI and connecting to a host it should try both host/shortname and host/fqhn, not only the name you are using to connect with. Actually it is probably better to first try host/fqhn and then host/shortname, as it is probably more common to use host/fqhn@REALM.

Simon Law (sfllaw) on 2006-05-05
Changed in openssh:
status: Unconfirmed → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers