[32926] in Kerberos
Re: GSSAPI Issue
daemon@ATHENA.MIT.EDU (Garrett Wollman)
Wed Nov 24 14:45:07 2010
From: wollman@bimajority.org (Garrett Wollman)
Date: Wed, 24 Nov 2010 19:19:05 +0000 (UTC)
Message-ID: <icjof9$28ne$1@grapevine.csail.mit.edu>
To: kerberos@mit.edu
In article <mailman.422.1290620369.20243.kerberos@mit.edu>,
Greg Hudson <ghudson@MIT.EDU> wrote:
>Note that forwarding credentials has security implications, in that it
>allows the server to do things on your behalf that it wouldn't otherwise
>be able to do. If you elect to set GSSAPIDelegateCredentials yes in
>ssh_config, you may wish to restrict it to a Host section.
Right. We do it like this:
# ssh_config uses the first value obtained for each option, so order matters.
Host *.mit.edu
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes
# Any other fully qualified hostname: never forward credentials.
Host *.*
    GSSAPIDelegateCredentials no
# Unqualified (short) hostnames fall through to here.
Host *
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes
(The last section might be OBE by now.)
-GAWollman
--
Garrett A. Wollman | What intellectual phenomenon can be older, or more oft
wollman@bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers. | accepted by all practitioners? - S.J. Gould, 1993
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
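The layout above only restricts delegation correctly because ssh_config takes the first value obtained for each option. The following is an added example, not code from the post or from OpenSSH: a small Python model of that first-match rule, run over a constructed copy of the config, so you can check which hostnames end up with GSSAPIDelegateCredentials yes before trusting the file. It assumes plain "Option value" syntax and Host patterns with optional "!" negation; "Option=value" forms and Match blocks are not handled.

```python
import fnmatch

# Constructed ssh_config fragment mirroring the structure in the post.
SSH_CONFIG = """
Host *.mit.edu
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes
Host *.*
    GSSAPIDelegateCredentials no
Host *
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes
"""


def parse_ssh_config(text):
    """Return (patterns, {option: value}) blocks in file order."""
    blocks = []
    patterns, options = ["*"], {}  # options before any Host line apply everywhere
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)  # first value within a block wins too
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, hostname):
    """Host matching: any negated pattern that matches rejects the block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_option(text, hostname, option):
    """Resolve an option the way ssh_config(5) does: first obtained value wins."""
    for patterns, options in parse_ssh_config(text):
        if host_matches(patterns, hostname) and option.lower() in options:
            return options[option.lower()]
    return None  # not set anywhere, so ssh's built-in default applies
```

On a real system, `ssh -G hostname` prints the values OpenSSH itself resolves for that host, which is the authoritative check.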