-
Notifications
You must be signed in to change notification settings - Fork 729
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extend GSSAPI configuration support to ssh_config #403
Conversation
Previously, the ssh_gssapi_support variable only toggled the GSSAPI settings in sshd_config. Through this change, setting ssh_gssapi_support to true also enables support in ssh_config. It enables both authentication and credential delegation. Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
3344071
to
8baab75
Compare
I find that enabling support in the SSH client for both authentication and delegation is appropriate, considering the broardly named variable (ssh_gssapi_support). Alternatively, the original variable could be renamed sshd_gssapi_support (for clarity), and I could introduce new variables for the authentication and delegation settings in ssh_config valled Let me know what you think is best. |
Hey @wzzrd thanks for noticing this. As you already observed, renaming of variables is a bit problematic because of backward compatibility. So I would not like to do this here. We should do stuff like this in a later major release, then we will untangle all variables in one change. I am currently a bit concerned about directly enabling delegation, because I lack understanding of it and I see parallels to ssh agent forwarding, which might be a security concern (https://documentation.help/PuTTY/config-ssh-auth-gssapi-delegation.html). Because I don't understand it well enough to make an informed descision directly, I prefer to set this to For enabling GSSAPI support in the client you can keep |
Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
d2ae204
to
54c8e6a
Compare
Updated the PR |
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
thank you for contributing :) |
Extend GSSAPI configuration support to ssh_config
Previously, the ssh_gssapi_support variable only toggled the GSSAPI
settings in sshd_config.
Through this change, setting ssh_gssapi_support to true also enables
support in ssh_config.
It enables both authentication and credential delegation.