Extend GSSAPI configuration support to ssh_config #403

Merged
merged 3 commits into from Feb 15, 2021

@wzzrd wzzrd commented Feb 12, 2021

Previously, the ssh_gssapi_support variable only toggled the GSSAPI
settings in sshd_config.

Through this change, setting ssh_gssapi_support to true also enables
support in ssh_config.

It enables both authentication and credential delegation.

Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
wzzrd commented Feb 12, 2021

I find that enabling support in the SSH client for both authentication and delegation is appropriate, considering the broadly named variable (ssh_gssapi_support).

Alternatively, the original variable could be renamed sshd_gssapi_support (for clarity), and I could introduce new variables for the authentication and delegation settings in ssh_config called ssh_gssapi_auth and ssh_gssapi_delegation. Significant downside is changing current behaviour.

Let me know what you think is best.

schurzi commented Feb 13, 2021

Hey @wzzrd thanks for noticing this. As you already observed, renaming of variables is a bit problematic because of backward compatibility. So I would not like to do this here. We should do stuff like this in a later major release, then we will untangle all variables in one change.

I am currently a bit concerned about directly enabling delegation, because I lack understanding of it and I see parallels to ssh agent forwarding, which might be a security concern (https://documentation.help/PuTTY/config-ssh-auth-gssapi-delegation.html). Because I don't understand it well enough to make an informed decision directly, I prefer to set this to no as a default. I also like the variable name ssh_gssapi_delegation for this.

For enabling GSSAPI support in the client you can keep ssh_gssapi_support. If the variable manages configuration for both the client and the server, this is consistent with the other variables.
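
Added example (not part of the PR or the role's own code): the delegation concern raised above can be checked on a client by resolving which GSSAPI values apply to a given host. This Python snippet follows ssh_config's rule that the first value obtained for an option wins, for `Host` blocks only; the sample config, host names and function names are constructed, and `Match` and `Include` are not evaluated.

```python
import fnmatch
import re

# OpenSSH client defaults for the two options the PR manages.
DEFAULTS = {"gssapiauthentication": "no", "gssapidelegatecredentials": "no"}
_LINE = re.compile(r"([^\s=]+)\s*=?\s*(.*)$")

# Constructed sample config; host names are placeholders.
SAMPLE = """\
Host *.corp.example.com !bastion.corp.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""


def _host_matches(patterns, host):
    """A Host line matches if a positive pattern hits and no negated one does."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(not p.startswith("!") and fnmatch.fnmatchcase(host, p) for p in patterns)


def effective_gssapi(config_text, host):
    """Resolve the GSSAPI options for host; the first value obtained wins."""
    found, active = {}, True  # lines before the first Host apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            active = _host_matches(value.split(), host)
        elif key == "match":
            active = False  # Match blocks are not evaluated in this example
        elif active and key in DEFAULTS and key not in found:
            found[key] = value.lower()
    return {**DEFAULTS, **found}


def hosts_delegating(config_text, hosts):
    """Hosts for which GSSAPI auth is on and credentials would be delegated."""
    wanted = {"gssapiauthentication": "yes", "gssapidelegatecredentials": "yes"}
    return [h for h in hosts if effective_gssapi(config_text, h) == wanted]
```

On a live client, `ssh -G <host>` prints the configuration ssh would actually use for that host, which also covers `Match` and `Include`.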

@schurzi schurzi self-requested a review February 13, 2021 16:20
Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
wzzrd commented Feb 14, 2021

Updated the PR

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi schurzi merged commit 5d55d29 into dev-sec:master Feb 15, 2021
schurzi commented Feb 15, 2021

thank you for contributing :)

divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
Extend GSSAPI configuration support to ssh_config