Bug 138032

Summary: openssh gssapi kerberos doesn't work with open openssh gssapi
Product: Red Hat Enterprise Linux 4
Component: openssh
Version: 4.0
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Troy Dawson <dawson>
Assignee: Tomas Mraz <tmraz>
QA Contact: Brian Brock <bbrock>
Doc Type: Bug Fix
Last Closed: 2005-02-09 14:01:27 UTC

Description Troy Dawson 2004-11-03 22:46:34 UTC

Description of problem:
The openssh that comes in RHEL4 Beta1 can do gssapi Kerberos
authentication between other RHEL4 Beta1 systems.
But it cannot do this authentication with older versions of openssh
that have the gssapi patch in them, such as the openssh that comes with
RHEL 3 that has been recompiled with gss in the name (so that it
automatically sucks in the gssapi patch).

It appears this is because the new openssh (openssh-3.9p1-3) is using
a different gssapi protocol or name than the older openssh
(openssh-3.6.1p2-33.30.1gss).

In a test with 4 machines, 2 were set up and kerberized with the new
openssh, and 2 were set up and kerberized with the old ssh.
The machines with the new openssh can log into each other, and the
machines with the old openssh can log into each other, but they can't
go from old to new, or new to old.

Here is part of the error when going from old to new
5777: Permission denied (gssapi-with-mic,keyboard-interactive).

Here is part of the error when going from new to old
Permission denied (external-keyx,gssapi,keyboard-interactive).

It appears that the new gssapi protocol is gssapi-with-mic and it
appears to not be compatible with the old gssapi.

Version-Release number of selected component (if applicable):
openssh-3.9p1-3

How reproducible:
Always

Steps to Reproduce:
1. Kerberize 4 machines.  2 have the new openssh-3.6.1p2-33.30.1gss,
and 2 have the old openssh-3.6.1p2-33.30.1gss.
2. Verify that the new openssh machines can log into each other.
3. Verify that the old openssh machines can log into each other.
4. Try to log into a new openssh machine from an old openssh machine -
you cannot do it via kerberos.
5. Try to log into an old openssh machine from a new openssh machine -
you cannot do it via kerberos.
    

Actual Results:  Here is part of the error when going from old to new
5777: Permission denied (gssapi-with-mic,keyboard-interactive).

Here is part of the error when going from new to old
Permission denied (external-keyx,gssapi,keyboard-interactive).


Expected Results:  You should be able to log in using kerberos from
ssh to ssh.

Additional info:

Comment 1 Bill Nottingham 2004-11-04 05:02:01 UTC
Correct, the protocol changed (that's why the patch wasn't included
before; the protocol wasn't standardized.)

Comment 2 Troy Dawson 2004-11-04 14:17:00 UTC
Is there anything I can do for my RHEL 3 admins that are using the
older patched openssh?  Is there any hope for a patch that will
support both gssapi protocols?
I know I can always just say "you will move to the new openssh" but
even then there is going to be some time during transitions when the
two types of machines just won't talk together via ssh.

Comment 3 Tomas Mraz 2005-02-09 14:01:27 UTC
There are currently no plans for such a patch.


Comment 4 Troy Dawson 2005-02-09 14:38:50 UTC
OK, thank you for the response.
I've found a couple different places for the patches, so I should be
fine.
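
Added example, not part of the original bug report and not OpenSSH code: a small Python triage helper that reads the method list from a "Permission denied (...)" line like the two quoted in the report and separates a GSSAPI method-name mismatch from an ordinary Kerberos failure. The client method sets are an assumption inferred from the report (each build's client speaks the names its own server offers), and the function names are hypothetical.

```python
import re

# Method lists as printed by the ssh client, copied from the report above.
OLD_TO_NEW = "5777: Permission denied (gssapi-with-mic,keyboard-interactive)."
NEW_TO_OLD = "Permission denied (external-keyx,gssapi,keyboard-interactive)."

# Assumption: each build's client speaks the same GSSAPI method names its
# server offers (consistent with old<->old and new<->new logins working).
OLD_CLIENT = {"external-keyx", "gssapi"}
NEW_CLIENT = {"gssapi-with-mic"}
GSS_METHODS = OLD_CLIENT | NEW_CLIENT

DENIED = re.compile(r"Permission denied \(([^)]*)\)")


def offered_methods(line):
    """Return the methods a server listed in a 'Permission denied (...)' line."""
    match = DENIED.search(line)
    if not match:
        return []
    return [name.strip() for name in match.group(1).split(",") if name.strip()]


def diagnose(client_gss, line):
    """Classify a failed Kerberos login as (status, detail)."""
    server_gss = set(offered_methods(line)) & GSS_METHODS
    if not server_gss:
        return ("no-gssapi", "server offers no GSSAPI method; check its sshd_config")
    shared = server_gss & client_gss
    if shared:
        # Same method name on both sides: look at tickets, keytab, DNS instead.
        return ("same-protocol", "both sides speak " + ",".join(sorted(shared)))
    return ("protocol-mismatch",
            "client speaks %s, server offers %s"
            % (",".join(sorted(client_gss)), ",".join(sorted(server_gss))))


if __name__ == "__main__":
    for label, client, line in [("old -> new", OLD_CLIENT, OLD_TO_NEW),
                                ("new -> old", NEW_CLIENT, NEW_TO_OLD),
                                ("new -> new", NEW_CLIENT, OLD_TO_NEW)]:
        print(label, diagnose(client, line))
```

A "protocol-mismatch" result means no amount of ticket or keytab debugging will help; the two ends have to be brought onto the same GSSAPI method.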