ssh should not try to verify hostkey when only gssapi is used

Bug #28487 reported by Björn Torkelsson
Affects: openssh (Ubuntu)
Status: Fix Released

Bug Description

If I only have gssapi-keyx and gssapi-with-mic enabled (everything else is disabled) and I am missing a valid Kerberos ticket, openssh asks me if I want to accept the hostkey (unless I already have accepted it). If I have a valid ticket I am not asked to verify the hostkey. When using gssapi/kerberos the hostkeys are pretty useless as the validity of the host is verified through kerberos/gssapi.


Matt Zimmerman (mdz) wrote :

Is this a separate issue from bug #28488?

Björn Torkelsson (torkel) wrote :

Yes, they are separate issues.

If you are only using GSSAPI there is no need for the SSH hostkey as the validity of the host is verified through gssapi/kerberos.

Bug #28488 is about when using GSSAPI and connecting to a host it should try both host/shortname and host/fqhn, not only the name you are using to connect with. Actually it is probably better to first try host/fqhn and then host/shortname, as it is probably more common to use host/fqhn@REALM.

Simon Law (sfllaw)
Changed in openssh:
status: Unconfirmed → Confirmed
Szymon Scholz (quomoow) wrote :

seems to be fixed (dead)

Changed in openssh (Ubuntu):
status: Confirmed → Fix Released