Applies to: Reported versions of Centrify SSH - 5.3.0+
It is noticed that the default value of GSSAPIStrictAcceptorCheck described in man page does not match with one defined in sshd_config. What is the default value?
The default value is "no", and the value in /etc/centrifydc/ssh/sshd_config is correct: === [root@RH6 ~]# ssh -V OpenSSH_7.2p2 (CentrifyDC build 5.3.1-391) , OpenSSL 1.0.2g-fips 1 Mar 2016
[root@RH6 ~]# cat /etc/centrifydc/ssh/sshd_config | grep GSSAPIStrictAcceptorCheck #GSSAPIStrictAcceptorCheck no ===
This contradiction exists in both Centrify openssh version and stock version, e.g. in stock openssh 7.3: === [root@RH7 ~]# ssh -V OpenSSH_7.3p1, OpenSSL FIPS Object Module v1.2
[root@RH7 ~]# cat /etc/ssh/sshd_config | grep GSSAPIStrictAcceptorCheck #GSSAPIStrictAcceptorCheck no ===
But in man page, it tells the default value of GSSAPIStrictAcceptorCheck is “yes”: === GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. If set to “yes” then the client must authenticate against the host service on the current hostname. If set to “no” then the client may authenticate against any service key stored in the machine's default store. This facility is provided to assist with opera‐ tion on multi homed machines. The default is “yes”. ===
The values defined in Centrify sshd_config file might be different from the stock OpenSSH package for the local operating environment. The native sshd_config and man page align (the default is yes), this information should be fixed by openSSH.