[OmniOS-discuss] Disabling GSSAPI Key Exchange from future OpenSSH?

Alex Wilson alex at cooperi.net
Mon Dec 19 22:56:18 UTC 2016


On 12/19/16 1:52 PM, Michael Rasmussen wrote:
> On Mon, 19 Dec 2016 13:13:19 -0800
> Alex Wilson <alex at cooperi.net> wrote:
> 
>>
>> Are you using GSS key exchange with an AD environment? If so, is that
>> part as critical as the authentication for your use case? I'd be curious
>> to hear any details of your setup if you wouldn't mind sharing.
>>
> key exchange is required to be a first class citizen in an AD realm.
> 

Do you have any links to explanations as to why this is? Or further
hints for what I should look at? I can easily understand why GSSAPI
authentication (at least gssapi-with-mic) is needed, but I can't seem to
find anything by Googling about gssapi-keyex and AD and why it would be
required. I have set up SSH servers in AD environments before myself and
only used gssapi-with-mic, but I certainly don't claim to be an expert
in it.

In your deployment, do you still generate host keys for your machines?
From what I've read about it, the only advantage of the gssapi-keyex
method is that you don't need host keys (i.e. /etc/ssh/ssh_host_*_key
files) and you never see "The authenticity of host 'blah (1.2.3.4)'
can't be established. Are you sure you want to continue connecting
(yes/no)?" prompts. Is there something I'm missing here?

I apologise if it feels like I'm wasting your time on this, but I
genuinely would like to understand the issues here.
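The trade-off raised above (gssapi-keyex lets Kerberos clients verify the host without host keys, while gssapi-with-mic alone still needs /etc/ssh/ssh_host_*_key and known_hosts) can be checked from an sshd_config. The following is an added audit example, not code from the list or from OmniOS; it assumes the patched sshd uses a `GSSAPIKeyExchange` directive, and the config excerpts are constructed.

```python
import re

# Constructed sshd_config excerpts (assumed directive names, not taken from
# the list post; GSSAPIKeyExchange exists only in GSS-keyex-patched sshd).
CONFIG_WITH_KEYEX = """
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
"""

CONFIG_WITHOUT_KEYEX = """
GSSAPIAuthentication yes
GSSAPIKeyExchange no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
"""

def parse_sshd_config(text):
    """Map lowercase directive -> values. Like sshd, the first occurrence of a
    single-valued directive wins; HostKey may repeat and keeps every value."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "hostkey":
            directives.setdefault(key, []).append(value)
        else:
            directives.setdefault(key, [value])  # first match wins
    return directives

def audit_gss_keyex(text):
    """Report whether host-key trust is still load-bearing for this sshd."""
    d = parse_sshd_config(text)
    auth = d.get("gssapiauthentication", ["no"])[0].lower() == "yes"
    keyex = d.get("gssapikeyexchange", ["no"])[0].lower() == "yes"
    host_keys = d.get("hostkey", [])
    findings = []
    if auth and not keyex:
        findings.append("gssapi-with-mic only: host keys and known_hosts still verify the server")
        if not host_keys:
            findings.append("no HostKey directive: sshd uses its default /etc/ssh/ssh_host_*_key files")
    if keyex:
        findings.append("gssapi-keyex: Kerberos clients authenticate the host via the TGS, no TOFU prompt")
    return {"gss_auth": auth, "gss_keyex": keyex, "host_keys": host_keys, "findings": findings}
```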
