Excellent - this substantially reduces the amount of pre-authentication
attack surface exposed on your users' sshd by default.

On Fri, 30 Aug 2024, Colin Watson wrote:

> On Tue, Apr 02, 2024 at 01:30:11AM +0100, Colin Watson wrote:
> >  * for Debian trixie (current testing):
> >
> >    * add dependency-only packages called something like
> >      openssh-client-gsskex and openssh-server-gsskex, depending on their
> >      non-gsskex alternatives
> >    * add NEWS.Debian entry saying that people need to install these
> >      packages if they want to retain GSS-API key exchange support
>
> This is now implemented in Debian unstable. I called the packages
> openssh-client-gssapi and openssh-server-gssapi, with the intention of
> splitting out both GSS-API authentication and key exchange support
> later: that is, in trixie+1 I intend to build openssh without
> --with-kerberos5 as well as dropping the key exchange patch from the
> main packages, and you'd have to use openssh-*-gssapi for either
> function.
>
> --
> Colin Watson (he/him) [cjwatson@xxxxxxxxxx]
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev