e8b9919265
- Fix preauth seccomp separation on mainframes (bsc#1016709) [openssh-7.2p2-s390_hw_crypto_syscalls.patch] [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch] - enable case-insensitive hostname matching (bsc#1017099) [openssh-7.2p2-ssh_case_insensitive_host_matching.patch] - add CAVS tests [openssh-7.2p2-cavstest-ctr.patch] [openssh-7.2p2-cavstest-kdf.patch] - Adding missing pieces for user matching (bsc#1021626) - Properly verify CIDR masks in configuration (bsc#1005893) [openssh-7.2p2-verify_CIDR_address_ranges.patch] - Remove pre-auth compression support from the server to prevent possible cryptographic attacks. (CVE-2016-10012, bsc#1016370) [openssh-7.2p2-disable_preauth_compression.patch] - limit directories for loading PKCS11 modules (CVE-2016-10009, bsc#1016366) [openssh-7.2p2-restrict_pkcs11-modules.patch] - Prevent possible leaks of host private keys to low-privilege process handling authentication (CVE-2016-10011, bsc#1016369) [openssh-7.2p2-prevent_private_key_leakage.patch] - Do not allow unix socket forwarding when running without privilege separation (CVE-2016-10010, bsc#1016368) [openssh-7.2p2-secure_unix_sockets_forwarding.patch] - prevent resource depletion during key exchange (bsc#1005480, CVE-2016-8858) [openssh-7.2p2-kex_resource_depletion.patch] OBS-URL: https://build.opensuse.org/request/show/500279 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=117
23 lines
641 B
Plaintext
23 lines
641 B
Plaintext
This version of the Kerbros/GSSAPI support avoids DNS lookups
|
|
for Kerberos-related names. These DNS lookups were problematic
|
|
for dialup users because they would lead to excessive delays
|
|
if DNS was not reachable.
|
|
|
|
In order to disable these lookups, I had to change the default
|
|
configuration, disabling GSSAPI authentication.
|
|
|
|
If you do use Kerberos, please make sure you edit the server and
|
|
client configuration files as follows:
|
|
|
|
/etc/ssh/sshd_config:
|
|
|
|
GSSAPIAuthentication yes
|
|
GSSAPICleanupCredentials yes
|
|
|
|
/etc/ssh/ssh_config:
|
|
Host *
|
|
... lots of other options ...
|
|
GSSAPIAuthentication yes
|
|
GSSAPIDelegateCredentials yes
|
|
|