Bug 627139

Summary: gssapi patch from 4.3p2 (patch49) causes gssapi failures when host is accessed via pipe proxy
Product: Red Hat Enterprise Linux 5
Reporter: Joergen Samson <joergen.samson>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: low
Version: 5.6
CC: dash, jchadima, mgrepl, pvrabec, rmonk, tmraz
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 531849
Environment:
Last Closed: 2011-08-19 06:31:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Joergen Samson 2010-08-25 07:44:16 UTC
+++ This bug was initially created as a clone of Bug #531849 +++

Description of problem:
The patch openssh-4.3p2-gssapi-canohost.patch, named patch49 in the spec file, fixes an instance where the DNS name changes such as a DNS round robin. The problem is that if for any reason get_canonical_hostname returns "UNKNOWN", such as the case where the connection is not a socket connection but a pipe (ProxyConnect nc ... ) then gssapi will always fail.

This patch replaces the older patch so that it reverts to the old pre-patch behavior if get_canonical_hostname fails.  The older behavior uses the hostname provided by the user.

Steven (smilner) mentioned also that using the string "UNKNOWN" as a failure might cause problems with the corner case of a host named "unknown". Possibly a better failure return for get_canonical_hostname would help there (a null string?).

Version-Release number of selected component (if applicable):
openssh-5.2p1-28

How reproducible:
Attempt to use GSSAPI auth through a pipe proxy

Steps to Reproduce:
1. ssh -D 9999 my.bastion.host -N -f
2. ssh -oProxyCommand="/usr/bin/nc -X 5 -x localhost:9999 %h %p" my.host.with.gssapi
  
Actual results:
GSSAPI tries to canonicalize "UNKNOWN" via DNS queries and fails.

Expected results:
GSSAPI auth works correctly and allows access.

--- Additional comment from jchadima on 2009-11-02 08:37:07 EST ---

Patch applied in f13 and f12 also.

--- Additional comment from fedora-triage-list on 2009-11-16 09:36:30 EST ---
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
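As an added illustration of the failure mode and the fallback described in this report (example code, not from OpenSSH, the reporter, or the patch itself), the following C sketch models get_canonical_hostname() as a constructed lookup over made-up peer addresses. It contrasts the patch49 behaviour (canonical name used unconditionally, so "UNKNOWN" becomes the GSSAPI target over a pipe) with the replacement patch's fallback to the user-supplied hostname, and shows the corner case Steven raised: once failure is signalled in-band with the string "UNKNOWN", a host really named "unknown" cannot be told apart from a failed lookup, whereas an out-of-band failure value (NULL) has nothing to collide with. All function names, addresses and hostnames other than my.host.with.gssapi are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* In-band failure value the report describes: get_canonical_hostname()
 * returns the literal string "UNKNOWN" when the connection is a pipe
 * (ProxyCommand) rather than a socket. */
#define CANOHOST_SENTINEL "UNKNOWN"

/* Constructed stand-in for the reverse lookup behind get_canonical_hostname().
 * peer_addr == NULL models a pipe connection with no socket to resolve.
 * The addresses and names below are made up for this example. */
static const char *resolve_peer(const char *peer_addr)
{
    if (peer_addr == NULL)
        return NULL;                      /* no socket: nothing to resolve */
    if (strcmp(peer_addr, "192.0.2.10") == 0)
        return "node1.example.com";       /* one member of a round-robin name */
    if (strcmp(peer_addr, "192.0.2.11") == 0)
        return "unknown";                 /* a host genuinely named "unknown" */
    return NULL;                          /* reverse lookup failed */
}

/* Sentinel flavour: failure is reported in-band as the string "UNKNOWN". */
const char *canonical_sentinel(const char *peer_addr)
{
    const char *name = resolve_peer(peer_addr);
    return name != NULL ? name : CANOHOST_SENTINEL;
}

/* Status flavour the reporter suggests instead: failure is out-of-band (NULL). */
const char *canonical_status(const char *peer_addr)
{
    return resolve_peer(peer_addr);
}

/* patch49 behaviour as the report describes it: the canonical name is used
 * unconditionally, so over a pipe the GSSAPI target becomes "UNKNOWN" and
 * canonicalizing that via DNS fails. */
const char *gss_target_patch49(const char *peer_addr, const char *user_host)
{
    (void)user_host;
    return canonical_sentinel(peer_addr);
}

/* Replacement patch: fall back to the hostname the user typed when the lookup
 * fails. DNS names are case-insensitive, so the sentinel test must be too,
 * and that is exactly why a real host called "unknown" looks like a failure. */
const char *gss_target_fallback_sentinel(const char *peer_addr, const char *user_host)
{
    const char *name = canonical_sentinel(peer_addr);
    return strcasecmp(name, CANOHOST_SENTINEL) == 0 ? user_host : name;
}

/* Same fallback with an out-of-band failure value: no hostname can collide with it. */
const char *gss_target_fallback_status(const char *peer_addr, const char *user_host)
{
    const char *name = canonical_status(peer_addr);
    return name != NULL ? name : user_host;
}

int main(void)
{
    const char *typed = "my.host.with.gssapi";   /* hostname from the report's step 2 */

    /* Over a ProxyCommand pipe there is no peer address to resolve. */
    printf("patch49 over pipe:          %s\n", gss_target_patch49(NULL, typed));
    printf("fallback (sentinel) pipe:   %s\n", gss_target_fallback_sentinel(NULL, typed));
    printf("fallback (status) pipe:     %s\n", gss_target_fallback_status(NULL, typed));

    /* Corner case: the peer really is named "unknown". */
    printf("sentinel, host 'unknown':   %s\n",
           gss_target_fallback_sentinel("192.0.2.11", "unknown.example.com"));
    printf("status, host 'unknown':     %s\n",
           gss_target_fallback_status("192.0.2.11", "unknown.example.com"));
    return 0;
}
```

Running it shows the three outcomes the report walks through: the patch49 path hands GSSAPI the literal "UNKNOWN" over a pipe, both fallback variants recover the typed hostname there, but only the NULL-returning variant still picks the canonical name when that name happens to be "unknown".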

Comment 1 Jan F. Chadima 2011-07-11 08:53:16 UTC
Please contact RH support at http://www.redhat.com/support/