Bug 863350
Summary: | ssh fails GSSAPI/Kerberos authentication when DNS reverse mapping not working
---|---
Product: | Fedora
Component: | openssh
Version: | 18
Status: | CLOSED ERRATA
Severity: | high
Priority: | high
Reporter: | Marko Myllynen <myllynen>
Assignee: | Petr Lautrbach <plautrba>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | mattias.ellert, mgrepl, plautrba, ssorce, tmraz
Hardware: | Unspecified
OS: | Unspecified
Type: | Bug
Doc Type: | Bug Fix
Fixed In Version: |
Last Closed: | 2012-12-20 16:24:25 UTC
Description
Marko Myllynen
2012-10-05 08:05:21 UTC
Petr, did you happen to have any time to look at this yet, can you reproduce this? Would be great to have this fixed before F18, especially now that FreeIPA 3 is in Fedora and more and more people are starting to use Kerberos. Thanks.

---

I'm finally able to reproduce this. It's probably due to openssh-5.8p1-gssapi-canohost.patch:

```diff
     else if (options.gss_trust_dns)
         gss_host = get_canonical_hostname(1);
-    else
-        gss_host = authctxt->host;
+    else {
+        gss_host = get_canonical_hostname(1);
+        if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
+            gss_host = authctxt->host;
+    }
```

Regardless of the options.gss_trust_dns value, it calls get_canonical_hostname(use_dns = 1).

---

http://koji.fedoraproject.org/koji/taskinfo?taskID=4636337

A temporary build without openssh-5.8p1-gssapi-canohost.patch for testing. However, the change of openssh-5.8p1-gssapi-canohost.patch will be needed instead of dropping it in a regular update.

---

Petr, I see no rationale for that patch, nor a comment. Can you point me at the discussion/description of why that patch is there and was deemed needed?

---

I haven't found any discussion either. It probably originated from https://bugzilla.mindrot.org/show_bug.cgi?id=1008, but it was changed during the rebase to 5.8p1.

I think the correct patch should look like this:

```diff
-    else if (options.gss_trust_dns)
+    else if (options.gss_trust_dns) {
         gss_host = get_canonical_hostname(1);
+        if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
+            gss_host = authctxt->host;
+    }
     else
         gss_host = authctxt->host;
```

get_canonical_hostname() returns "UNKNOWN" for connections which are not on a socket.

---

(In reply to comment #5)
> I haven't found any discussion either. It probably originated from
> https://bugzilla.mindrot.org/show_bug.cgi?id=1008, but it was changed during
> the rebase to 5.8p1.
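Review bot: the new `else` branch in openssh-5.8p1-gssapi-canohost.patch runs the same get_canonical_hostname(1) reverse lookup that the GSSAPITrustDNS=yes branch runs, so the option no longer changes anything and the user-supplied authctxt->host is used only when the lookup returns "UNKNOWN" (the non-socket case noted later in this thread), not when reverse mapping fails or returns a different name. That is the failure in the bug title, and it also defeats the reason the option defaults to no: with DNS untrusted the client has to build the host/ principal from the name the user typed, otherwise whoever answers the PTR query picks which service principal the client asks the KDC for. Suggested change: leave `else gss_host = authctxt->host;` as it was and move the "UNKNOWN" fallback into the gss_trust_dns branch. The hunk also carries no comment explaining why the fallback exists; one line naming the ProxyCommand/non-socket case would have saved the archaeology in the next two comments.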
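Review bot: in the proposed replacement the "UNKNOWN" fallback inside the new gss_trust_dns block covers only the non-socket case; when the reverse lookup merely fails (the situation in the bug title) get_canonical_hostname(1) does not return "UNKNOWN", so with GSSAPITrustDNS=yes gss_host still will not be the configured name. That is arguably what trusting DNS means, but the bare string compare on `if ( strcmp( gss_host, "UNKNOWN" ) == 0 )` gives no hint, so add a comment saying the fallback is for connections that are not on a socket. Style: OpenSSH does not pad parentheses, so `if (strcmp(gss_host, "UNKNOWN") == 0)` matches the surrounding code. The untrusted branch is back to `gss_host = authctxt->host;` unchanged, which is the right outcome.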
> I think the correct patch should look like this:
>
> -    else if (options.gss_trust_dns)
> +    else if (options.gss_trust_dns) {
>          gss_host = get_canonical_hostname(1);
> +        if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
> +            gss_host = authctxt->host;
> +    }
>      else
>          gss_host = authctxt->host;
>
> get_canonical_hostname() returns "UNKNOWN" for connections which are not on
> a socket.

With this patch GSSAPITrustDNS controls whether the reverse mapping gets done, as expected. The rdns directive in krb5.conf is still ignored, but that's a separate issue I think.

---

F18 branch commit 52c8eca4d9521e14bf205abca658893e38c24d9b

---

openssh-5.9p1-27.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openssh-5.9p1-27.fc17

---

Package openssh-5.9p1-27.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-5.9p1-27.fc17'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17409/openssh-5.9p1-27.fc17
then log in and leave karma (feedback).

---

openssh-6.1p1-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/openssh-6.1p1-3.fc18

---

(In reply to comment #10)
> openssh-6.1p1-3.fc18 has been submitted as an update for Fedora 18.

The update fixes the issue, karma added to Bodhi, thanks!

---

openssh-6.1p1-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

---

openssh-5.9p1-27.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
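The host-name selection argued over in this thread, as an added model that is not part of the bug report and not code from OpenSSH: it puts the canohost patch as shipped in F17/F18 beside the corrected patch and shows which service principal each client build ends up asking for under the three DNS conditions the thread mentions (reverse mapping working, reverse mapping broken, connection not on a socket). The behaviour of get_canonical_hostname(1) is an assumption stated in the docstring, and the host name, address and realm are made up.

```python
"""Model of how the ssh client chooses the host name used to build the GSSAPI
target principal host/<name>@REALM, comparing the F17/F18 canohost patch as
shipped (the bug) with the corrected patch from the thread.

Added illustration, not code from the bug report or from OpenSSH. Assumption:
get_canonical_hostname(1) is modelled as returning the PTR name when the
reverse lookup succeeds, the numeric peer address when it fails, and
"UNKNOWN" when the connection is not on a socket (e.g. ProxyCommand).
"""
import socket
from typing import Callable, Dict, Optional, Tuple

# A resolver maps a peer address to its PTR name, or None when reverse
# mapping does not work. addr=None stands for "connection not on a socket".
Resolver = Callable[[str], Optional[str]]


def get_canonical_hostname(addr: Optional[str], resolver: Resolver) -> str:
    """Model of OpenSSH get_canonical_hostname(use_dns=1) (assumption above)."""
    if addr is None:
        return "UNKNOWN"           # not on a socket, e.g. ProxyCommand
    name = resolver(addr)
    return name if name else addr  # failed reverse lookup: numeric address


def gss_host_shipped(trust_dns: bool, configured: str,
                     addr: Optional[str], resolver: Resolver) -> str:
    """openssh-5.8p1-gssapi-canohost.patch as shipped (the bug): the reverse
    lookup runs whether or not GSSAPITrustDNS is set, so trust_dns is unused."""
    host = get_canonical_hostname(addr, resolver)
    return configured if host == "UNKNOWN" else host


def gss_host_fixed(trust_dns: bool, configured: str,
                   addr: Optional[str], resolver: Resolver) -> str:
    """Corrected patch from the thread: the lookup and the UNKNOWN fallback
    happen only when GSSAPITrustDNS=yes; otherwise the typed name is used."""
    if not trust_dns:
        return configured
    host = get_canonical_hostname(addr, resolver)
    return configured if host == "UNKNOWN" else host


def target_principal(host: str, realm: str) -> str:
    """Service principal the client will request a ticket for."""
    return f"host/{host}@{realm}"


def predict(configured: str, addr: Optional[str], resolver: Resolver,
            realm: str) -> Dict[Tuple[str, bool], str]:
    """Principal requested by each build for both GSSAPITrustDNS settings."""
    out: Dict[Tuple[str, bool], str] = {}
    for trust_dns in (False, True):
        out[("shipped", trust_dns)] = target_principal(
            gss_host_shipped(trust_dns, configured, addr, resolver), realm)
        out[("fixed", trust_dns)] = target_principal(
            gss_host_fixed(trust_dns, configured, addr, resolver), realm)
    return out


def system_resolver(addr: str) -> Optional[str]:
    """Live PTR lookup, for running the model against a real host."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed sample data (not from the bug report): a configured name, its
# address, and resolvers for a working PTR and for a missing PTR.
CONFIGURED = "srv.example.com"
ADDR = "192.0.2.10"
REALM = "EXAMPLE.COM"
ptr_ok: Resolver = lambda a: "srv.example.com" if a == ADDR else None
ptr_missing: Resolver = lambda a: None


if __name__ == "__main__":
    for label, addr, resolver in (("PTR ok", ADDR, ptr_ok),
                                  ("PTR missing", ADDR, ptr_missing),
                                  ("not on a socket", None, ptr_ok)):
        print(label)
        for (build, trust), princ in sorted(
                predict(CONFIGURED, addr, resolver, REALM).items()):
            setting = "yes" if trust else "no"
            print(f"  {build:8} GSSAPITrustDNS={setting:3} -> {princ}")
```

With reverse mapping broken and GSSAPITrustDNS=no, the shipped build asks for host/192.0.2.10@EXAMPLE.COM, a principal the KDC does not have, while the fixed build asks for host/srv.example.com@EXAMPLE.COM; with GSSAPITrustDNS=yes both builds still depend on the PTR record, which is what the option documents. To check a real host, resolve its address, pass `system_resolver` as the resolver and confirm that the predicted principal matches the keytab on the server.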