SCIENTIFIC-LINUX-USERS Archives

August 2010

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Joergen Samson <[log in to unmask]>
Reply To: Joergen Samson <[log in to unmask]>
Date: Mon, 23 Aug 2010 04:33:28 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (35 lines)

Hi,
 there is a bug in SL5's openssh client which is introduced by Red Hat's
openssh-4.3p2-gssapi-canohost.patch, if you use Kerberos5 authentication in
conjunction with the "ProxyCommand" option.

To verify the bug run

 ssh -v -o "ProxyCommand nc %h %p" -o "PasswordAuthentication no" -o "PubkeyAuthentication no" -o "GSSAPIAuthentication yes" $HOST "echo works"

on a host which allows login with a Kerberos5 ticket.

On SL5 openssh fails with 
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Hostname cannot be canonicalized
[...]

With a vanilla build of openssh this command succeeds.

The Fedora project already uses a fixed version of the
openssh-4.3p2-gssapi-canohost.patch

http://cvs.fedoraproject.org/viewvc/rpms/openssh/devel/openssh-4.3p2-gssapi-canohost.patch?sortdir=down&view=log

Could you backport the fixed patch to the SL5 openssh packages?

Cheers,
  Jörgen Samson
