Some of the Kerberos dependencies can almost certainly be trimmed from a modern ssh, I think.

Of all the discussion on the list, the one that resonated most was hardening the main ssh by dropping unnecessary dependencies.  Saying "you can't use Kerberos to log in to the shell, and it won't be logged to systemd" seems like it would inconvenience no one and gain a tiny bit of extra peace of mind.

On the other hand, debugging why ssh won't let you log in when the cause is a mismatch in crypto algorithms supported is a nightmare...
  --scott


On Thu, Apr 18, 2024, 8:25 AM Mike Zanker via BitFolk Users <users@mailman.bitfolk.com> wrote:
On 18 Apr 2024, at 16:10,  Le Lay via BitFolk Users <users@mailman.bitfolk.com> wrote:

> You really have a weird sshd
> alarig@msi ~ $ ldd /usr/sbin/sshd
>        linux-vdso.so.1 (0x00007ffd42dec000)
>        libcrypt.so.2 => /usr/lib64/libcrypt.so.2 (0x00007fb41f12b000)
>        libpam.so.0 => /usr/lib64/libpam.so.0 (0x00007fb41f11a000)
>        libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007fb41ece5000)
>        libz.so.1 => /usr/lib64/libz.so.1 (0x00007fb41eccb000)
>        libc.so.6 => /lib64/libc.so.6 (0x00007fb41eb0d000)
>        /lib64/ld-linux-x86-64.so.2 (0x00007fb41f261000)

I have the same /usr/sbin/sshd as Andy - looks like the one that comes with Debian 12.

Mike
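
The comparison being made in this thread (one `sshd` linking only a handful of libraries, another linking more) can be scripted. The following is an added example, not part of any post in the thread: it takes the library set from the `ldd` listing quoted above as an assumed baseline and prints anything an `sshd` links beyond it. The helper names and the second sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report libraries an sshd binary links beyond a known baseline.

# Baseline (assumption): the sonames in the ldd listing quoted in this thread,
# with the ".so.N" version suffix stripped.
BASELINE="libcrypt libpam libcrypto libz libc"

# extra_libs (hypothetical helper): reads `ldd` output on stdin and prints,
# one per line, every library name that is not in BASELINE.
extra_libs() {
    awk -v base="$BASELINE" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        {
            name = $1
            # Skip the vDSO and the dynamic loader (listed by absolute path).
            if (name ~ /^linux-vdso/ || name ~ /^\//) next
            sub(/\.so.*$/, "", name)    # libcrypto.so.3 -> libcrypto
            if (name != "" && !(name in ok)) print name
        }' | LC_ALL=C sort -u
}

# Sample 1: the ldd listing quoted in this thread.
sample_thread() { cat <<'EOF'
       linux-vdso.so.1 (0x00007ffd42dec000)
       libcrypt.so.2 => /usr/lib64/libcrypt.so.2 (0x00007fb41f12b000)
       libpam.so.0 => /usr/lib64/libpam.so.0 (0x00007fb41f11a000)
       libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007fb41ece5000)
       libz.so.1 => /usr/lib64/libz.so.1 (0x00007fb41eccb000)
       libc.so.6 => /lib64/libc.so.6 (0x00007fb41eb0d000)
       /lib64/ld-linux-x86-64.so.2 (0x00007fb41f261000)
EOF
}

# Sample 2: constructed listing (paths and addresses are made up) for a build
# that also links systemd, liblzma and Kerberos GSSAPI libraries.
sample_extra() { cat <<'EOF'
       libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000000000000000)
       liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000000)
       libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x0000000000000000)
       libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000000)
       libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000000)
EOF
}

# On a real host: ldd /usr/sbin/sshd | extra_libs
sample_extra | extra_libs
```

Because `ldd` resolves transitive dependencies, a library that appears in the output may be pulled in by another library rather than linked by `sshd` directly.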
