ssh should not try to verify hostkey when only gssapi is used

Bug #28487 reported by Björn Torkelsson
Affects: openssh (Ubuntu)
Status: Fix Released

Bug Description

If I only have gssapi-keyx and gssapi-with-mic enabled (everything else is disabled) and I am missing a valid Kerberos ticket, openssh asks me if I want to accept the hostkey (unless I already have accepted it). If I have a valid ticket I am not asked to verify the hostkey. When using gssapi/kerberos the hostkeys are pretty useless as the validity of the host is verified through kerberos/gssapi.


Matt Zimmerman (mdz) wrote :

Is this a separate issue from bug #28488?

Björn Torkelsson (torkel) wrote :

Yes, they are separate issues.

If you are only using GSSAPI there is no need for the SSH hostkey as the validity of the host is verified through gssapi/kerberos.

Bug #28488 is about when using GSSAPI and connecting to a host it should try both host/shortname and host/fqhn, not only the name you are using to connect with. Actually it is probably better to first try host/fqhn and then host/shortname, as it is probably more common to use host/fqhn@REALM.

Simon Law (sfllaw)
Changed in openssh:
status: Unconfirmed → Confirmed
Szymon Scholz (quomoow) wrote :

seems to be fixed (dead)

Changed in openssh (Ubuntu):
status: Confirmed → Fix Released