SCIENTIFIC-LINUX-USERS Archives

August 2010

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: openssh gssapi with proxycommand bug
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Tue, 24 Aug 2010 08:45:51 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (51 lines) 
Hi,
We've talked about this and feel it isn't something we have the 
resources to maintain.  Please put this bug in with The Upstream Vendor 
(RedHat).

I'm sorry.
Troy

Joergen Samson wrote:
> Hi, 
>  there is a bug in SL5's openssh client which is introduced by RetHat's 
> 
> openssh-4.3p2-gssapi-canohost.patch, if you use Kerberos5 authentication 
> in
> conjunction with the "ProxyCommand" option.
> 
> To verify the bug run
> 
>  ssh -v -o "ProxyCommand nc %h %p" -o "PasswordAuthentication no" -o
> "PubkeyAuthentication no" -o "GSSAPIAuthentication yes"  $HOST "echo work
> s"
> 
> on a host which allows login with a Kerberos5 ticket.
> 
> On SL5 openssh fails with 
> [...]
> debug1: Next authentication method: gssapi-with-mic
> debug1: An invalid name was supplied
> Hostname cannot be canonicalized
> [...]
> 
> With a vanilla build of openssh this command succeeds.
> 
> The fedora project already uses a fixed version of th
> openssh-4.3p2-gssapi-canohost.path
> 
> http://cvs.fedoraproject.org/viewvc/rpms/openssh/devel/openssh-4.3p2-gssa
> pi-canohost.patch?sortdir=down&view=log
> 
> Could you backport the fixed patch to the SL5 openssh packages?
> 
> Cheers,
>   Jörgen Samson


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LSCS/CSI/USS Group
__________________________________________________

ATOM RSS1 RSS2