138032 – openssh gssapi kerberos doesn't work with open openssh gssapi

Bug 138032 - openssh gssapi kerberos doesn't work with open openssh gssapi

Summary: openssh gssapi kerberos doesn't work with open openssh gssapi

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	openssh
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-11-03 22:46 UTC by Troy Dawson
Modified:	2007-11-30 22:07 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-02-09 14:01:27 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Troy Dawson 2004-11-03 22:46:34 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20040930

Description of problem:
The openssh that comes in RHEL4 Beta1 can do gssapi kerberose
authentication, between other RHEL4 Beta1 systems.  
But it cannot do this authentication with older versions of openssh
that have the gssapi patch in it.  Such as the openssh that comes with
RHEL 3 that has been recompiled with gss in the name (so that it
automatically sucks in the gssapi patch).

It appears this is because the new openssh (openssh-3.9p1-3) is using
a different gssapi protocol or name than the older openssh
(openssh-3.6.1p2-33.30.1gss).

In a test having 4 machines.  2 setup and kerberized with the new
openssh, and 2 setup and kerberized with the old ssh.
The machines with the new openssh can log into each other, and the
machines with the old openssh can log into each other, but they can't
go from old to new, or new to old.

Here is part of the error when going from old to new
5777: Permission denied (gssapi-with-mic,keyboard-interactive).

Here is part of the errror when going from new to old
Permission denied (external-keyx,gssapi,keyboard-interactive).

It appears that the new gssapi protocol is gssapi-with-mic and it
appears to not be compatible with the old gssapi.

Version-Release number of selected component (if applicable):
openssh-3.9p1-3

How reproducible:
Always

Steps to Reproduce:
1.kerberize 4 machines.  2 have the new openssh-3.6.1p2-33.30.1gss,
and 2 with the old openssh-3.6.1p2-33.30.1gss.
2.Verify that the new openssh machines can log into each other.
3.Verify that the old openssh machines can log into each other.
4. Try to log into a new openssh machine from an old openssh machine -
you cannot do it via kerberos.
5. Try to log into a old openssh machine from a new openssh machine -
you cannot do it via kerberos.
    

Actual Results:  Here is part of the error when going from old to new
5777: Permission denied (gssapi-with-mic,keyboard-interactive).

Here is part of the errror when going from new to old
Permission denied (external-keyx,gssapi,keyboard-interactive).


Expected Results:  You should be able to log in using kerberos from
ssh to ssh.

Additional info:

Comment 1 Bill Nottingham 2004-11-04 05:02:01 UTC

Correct, the protocol changed (that's why the patch wasn't included
before; the protocol wasn't standardized.)

Comment 2 Troy Dawson 2004-11-04 14:17:00 UTC

Is there anything I can do for my RHEL 3 admin's that are using the
older patched openssh?  Is there any hope for a patch that will
support both gssapi protocol's?
I know I can always just say "you will move to the new openssh" but
even then there is going to be some time during transitions when the
two types of machines just won't talk together via ssh.

Comment 3 Tomas Mraz 2005-02-09 14:01:27 UTC

There are currently no plans for such patch.

Comment 4 Troy Dawson 2005-02-09 14:38:50 UTC

OK, thank you for the response.
I've found a couple different places for the patches, so I should be
fine.

Note You need to log in before you can comment on or make changes to this bug.