Well. It complains that it can't find any hostkeys when started (and when logging in), but it works perfectly well without hostkeys when using GSSAPI. As we are only allowing GSSAPI on most of our machines, there is really no need for the hostkey, as the host authenticity is established using the GSSAPI keytab. Actually, getting the question about authenticity and adding it to known_hosts is bogus, as the host is validated by other means and the only allowed mechanisms are gssapi-keyex and gssapi-with-mic, which are not using the hostkeys, and thus the login will fail anyway if you don't have any valid Kerberos/GSSAPI key, but not until you have accepted the hostkey. If you have a valid key you don't get the question about host authenticity.
In my opinion ssh should be patched to not "require" hostkeys (when using only GSSAPI), instead of automatically generating hostkeys.
Yes, I think the keys are generated on installation, but you can always delete them if you don't need them or if you don't want to share them, which is what this bug is about.
sshd_config attached used together with the following ssh-config:
ForwardX11 yes
GSSAPIKeyExchange yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
PreferredAuthentications gssapi-keyex,gssapi-with-mic
Protocol 2
Cipher blowfish
SendEnv LANG LC_*
StrictHostKeyChecking ask
HashKnownHosts no