Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: Generate New Ti...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-10.1
Affects Version/s: rhel-9.4, rhel-9.4.z
Component/s: openssh
Labels:
- Accepted
- CY25Q3
- Committed
- rn-yml

Fixed in Build:
openssh-9.9p1-11.el10
Regression:
None
Severity:
Moderate
Epic Link:
CRYPTO-16195
Keywords:

FutureFeature
sprint_count:
2

AssignedTeam:
rhel-security-crypto
Sub-System Group:

ssg_security

Internal Target Milestone:
26
Story Points:
0.5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
Crypto25Q2, Crypto25July

Acceptance Criteria:

Hide

AC: When authentication indicators option is defined in sshd_config, the OpenSSH server reject any kerberos ticket that does not meet the specified indicators and the reason is correctly logged

Show
AC: When authentication indicators option is defined in sshd_config, the OpenSSH server reject any kerberos ticket that does not meet the specified indicators and the reason is correctly logged
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/148796
Gating Tests:

Not Needed
Test Coverage:

New Test Coverage

Release Note Type:
Enhancement
Release Note Text:

Hide
.OpenSSH server supports Kerberos authentication indicators

When in Match configuration, OpenSSH server supports authentication indicators from Kerberos tickets. If the `GSSAPIIndicators` option is defined in `sshd` configuration, a Kerberos ticket that has indicators but does not match the policy is denied. If at least one indicator is configured, whether for access or denial, tickets without authentication indicators are explicitly rejected. For more information, see the `sshd_config(5)` man page on your system.

Show
.OpenSSH server supports Kerberos authentication indicators When in Match configuration, OpenSSH server supports authentication indicators from Kerberos tickets. If the `GSSAPIIndicators` option is defined in `sshd` configuration, a Kerberos ticket that has indicators but does not match the policy is denied. If at least one indicator is configured, whether for access or denial, tickets without authentication indicators are explicitly rejected. For more information, see the `sshd_config(5)` man page on your system.
Release Note Status:
Done
ProdDocsReview-CCS:
Done
ProdDocsReview-Dev:
Done
ProdDocsReview-QE:
Unspecified

Experience:
Architecture:

All

PX Impact Score:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

We are starting to get requests for this feature due to the US Government OMB mandate M-22-09: (III.A.3) "When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user".

We are trying to enforce authentication indicators in Kerberos when using OpenSSH.

I believe that https://github.com/openssh/openssh-portable/compare/master...abbra:openssh-portable:gssapi-indicators has already implemented this.

links to

RHSA-2025:148796 openssh security update

Assignee:: Dmitry Belyavskiy

Reporter:: Mike Ralph

Developer:: Dmitry Belyavskiy

QA Contact:: Miluse Bezo Konecna

Doc Contact:: Zuzana Fantini Zoubkova

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2024/06/11 7:37 PM

Updated:: 2025/11/11 8:51 AM

Resolved:: 2025/11/11 8:51 AM

Target end:: 2025/08/25

Next Planned Release Date:: 2025/11/11

Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates