GSSAPIStrictAcceptorCheck default reverts to no with openssh 7.4 update, resulting in partial Kerberos configured environments failing to authenticate

Solution Verified - Updated -


  • When forwarding tickets, openssh-7.4 connection is closing/dying when gssapi is attempted after update. Client-side debugging shows the following:
    # ssh -v
    debug1: Enabling compatibility mode for protocol 2.0^M
    debug1: Local version string SSH-2.0-OpenSSH_7.4^M
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4^M
    debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000^M
    debug1: Authenticating to as 'root'^M
    debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==^M
    debug1: SSH2_MSG_KEXINIT sent^M
    debug1: SSH2_MSG_KEXINIT received^M
    debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==^M
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256^M
    debug1: kex: server->client cipher: MAC: <implicit> compression: none^M
    debug1: kex: client->server cipher: MAC: <implicit> compression: none^M
    debug1: kex: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== need=64 dh_need=64^M
    debug1: kex: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== need=64 dh_need=64^M
    debug1: Doing group exchange
    debug1: Calling gss_init_sec_context^M
    debug1: Delegating credentials^M
    ssh_packet_read: Connection closed^M


  • Red Hat Enterprise Linux 7
    • openssh-server-7.4p1-12.el7.x86_64

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content