Bug 427303

Summary: can't log in using gssapi when also specifying an SELinux role
Product: [Fedora] Fedora Reporter: Nalin Dahyabhai <nalin>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-4.7p1-7.fc9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-03 12:47:18 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
patch which seems to work for me none

Description Nalin Dahyabhai 2008-01-02 16:49:11 EST
Description of problem:
The patches to sshd which allow it to recognize "user/role" as a user name cause
gssapi authentication to fail when the user's name is specified in this way.

Version-Release number of selected component (if applicable):
openssh-4.7p1-5.fc9

How reproducible:
Always

Steps to Reproduce:
1. Set up gssapi authentication.
2. Attempt to log in while specifying a role, even your default one (by
specifying "user/role", for example "root/unconfined_t" as a user).
  
Actual results:
Client fails to authenticate, falls back to pubkey or password-based auth.  The
server logs this error:
Jan  2 20:34:24 blade sshd[22659]: GSSAPI MIC check failed

Expected results:
No error.

Additional info:
This is documented in section 4 of RFC4462 if a reference is needed.
Comment 1 Nalin Dahyabhai 2008-01-02 16:49:51 EST
Created attachment 290679 [details]
patch which seems to work for me