oss-sec mailing list archives
Re: OpenSSH GSSAPI keyex patch issue
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 18 Mar 2026 12:17:11 -0400
On Sat, Mar 14, 2026 at 3:51 PM Solar Designer <solar () openwall com> wrote:
> [...]
>
> Red Hat has now acknowledged that RHEL 8, 9, 10 are also affected (but 6 and 7 are not):
>
> https://access.redhat.com/security/cve/cve-2026-3497
>
> They suggest setting "GSSAPIAuthentication no" to mitigate this, which I find puzzling. Per the brief discussion we had on the distros list pre-disclosure, it appeared that GSSAPIKeyExchange is the option, and moreover it was said that GSSAPIKeyExchange could conceivably be used without GSSAPIAuthentication. So which of these two options is/are actually responsible for exposing the vulnerability? Does it maybe vary by patch revision (Debian vs. Red Hat) or (more likely?) is this just an error in the current Red Hat statement?
It might be worth mentioning that GSSAPIAuthentication is provided by upstream OpenSSH. GSSAPIKeyExchange is provided by Debian and Fedora patches. See <https://www.reddit.com/r/FreeIPA/comments/1ipjlgq/ssh_gssapikeyexchange_off_by_default/>.

Jeff
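Since the thread turns on which of the two keywords is actually set on a given host, here is a small added check (example code written for this archive page, not from the thread participants, Red Hat, or the OpenSSH project) that reads an sshd_config and reports the effective values of GSSAPIAuthentication and GSSAPIKeyExchange. It applies sshd's "first obtained value wins" rule and skips Match blocks, since those only apply conditionally. The defaults it assumes are labelled in the code: upstream sshd_config(5) documents GSSAPIAuthentication as off, and the distribution-patch keyword GSSAPIKeyExchange is assumed off unless the config says otherwise. On a live system, `sshd -T | grep -i gssapi` shows the same information from sshd itself; this helper is for reviewing config files offline.

```python
"""Report the effective GSSAPI settings from an sshd_config file (added example)."""
import re

# Assumed defaults for this example. GSSAPIAuthentication "no" follows the
# upstream sshd_config(5) manual; GSSAPIKeyExchange is not an upstream keyword
# (it comes from the Debian/Fedora patches) and is assumed to default to "no".
GSSAPI_KEYWORDS = {
    "gssapiauthentication": "no",
    "gssapikeyexchange": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value} keeping only the first value seen per keyword.

    sshd uses the first obtained value for each option, so a later duplicate
    does not override an earlier one. Lines inside a Match block are skipped
    because they apply only when the Match criteria hold for a connection.
    Keywords are case-insensitive; 'keyword value' and 'keyword=value' are
    both accepted, as sshd_config(5) allows.
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            continue
        if keyword not in effective:
            effective[keyword] = value
    return effective


def gssapi_status(text):
    """Return {keyword: (value, explicit)} for the two GSSAPI options.

    'explicit' is True when the config sets the keyword at top level and
    False when the assumed default is being reported.
    """
    effective = parse_sshd_config(text)
    status = {}
    for keyword, default in GSSAPI_KEYWORDS.items():
        if keyword in effective:
            status[keyword] = (effective[keyword].lower(), True)
        else:
            status[keyword] = (default, False)
    return status


def report(text):
    """Human-readable summary, one line per keyword."""
    lines = []
    for keyword, (value, explicit) in gssapi_status(text).items():
        origin = "set in config" if explicit else "assumed default"
        lines.append(f"{keyword}: {value} ({origin})")
    return "\n".join(lines)


# Constructed sample config for demonstration; not taken from any real host.
SAMPLE_CONFIG = """
# constructed sshd_config excerpt
Port 22
GSSAPIAuthentication yes
GSSAPIKeyExchange=yes
GSSAPIAuthentication no
Match User backup
    GSSAPIKeyExchange no
"""

if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

In the constructed sample the second `GSSAPIAuthentication no` is ignored because the earlier `yes` wins, and the `no` inside the Match block is not counted as the global setting, so both keywords are reported as `yes`. To audit a real host, read `/etc/ssh/sshd_config` (and any files pulled in by `Include` directives, which this helper does not follow) and pass the contents to `report()`.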
