1 #

     2 # GSSAPIStrictAcceptorCheck should default to yes as documented

     3 #

     4 # When GSSAPIStrictAcceptorCheck is not explicitely specified in sshd_config,

     5 # the default value should be yes. It is documented in sshd_config(5) this

     6 # way and it preserves original behavior.

     7 #

     8 # Also GSSAPIStrictAcceptorCheck=no interacts poorly with GSSAPIKeyExchange,

     9 # where it make the server willing to negotiate GSS-API key exchange, although

    10 # no keytab was provided.

    11 #

    12 # Patch source: in-house

    13 # Reported upstream:

    14 # https://bugzilla.mindrot.org/show_bug.cgi?id=2637

    15 #

    16 diff -pur old/servconf.c new/servconf.c

    17 --- old/servconf.c

    18 +++ new/servconf.c

    19 @@ -323,7 +323,7 @@ fill_default_server_options(ServerOption

    20  	if (options->gss_cleanup_creds == -1)

    21  		options->gss_cleanup_creds = 1;

    22  	if (options->gss_strict_acceptor == -1)

    23 -		options->gss_strict_acceptor = 0;

    24 +		options->gss_strict_acceptor = 1;

    25  	if (options->password_authentication == -1)

    26  		options->password_authentication = 1;

    27  	if (options->kbd_interactive_authentication == -1)