Bug 138032 - openssh gssapi kerberos doesn't work with open openssh gssapi
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
4.0
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Brian Brock
Reported: 2004-11-03 17:46 EST by Troy Dawson
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-02-09 09:01:27 EST
Description Troy Dawson 2004-11-03 17:46:34 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20040930

Description of problem:
The openssh that comes in RHEL4 Beta1 can do gssapi kerberos
authentication between other RHEL4 Beta1 systems.
But it cannot do this authentication with older versions of openssh
that have the gssapi patch in them, such as the openssh that comes with
RHEL 3 that has been recompiled with gss in the name (so that it
automatically sucks in the gssapi patch).

It appears this is because the new openssh (openssh-3.9p1-3) is using
a different gssapi protocol or name than the older openssh
(openssh-3.6.1p2-33.30.1gss).

In a test with 4 machines, 2 were set up and kerberized with the new
openssh, and 2 were set up and kerberized with the old ssh.
The machines with the new openssh can log into each other, and the
machines with the old openssh can log into each other, but they can't
go from old to new, or new to old.

Here is part of the error when going from old to new
5777: Permission denied (gssapi-with-mic,keyboard-interactive).

Here is part of the error when going from new to old
Permission denied (external-keyx,gssapi,keyboard-interactive).

It appears that the new gssapi protocol is gssapi-with-mic and it
appears to not be compatible with the old gssapi.

Version-Release number of selected component (if applicable):
openssh-3.9p1-3

How reproducible:
Always

Steps to Reproduce:
1. Kerberize 4 machines.  2 have the new openssh-3.6.1p2-33.30.1gss,
and 2 have the old openssh-3.6.1p2-33.30.1gss.
2. Verify that the new openssh machines can log into each other.
3. Verify that the old openssh machines can log into each other.
4. Try to log into a new openssh machine from an old openssh machine -
you cannot do it via kerberos.
5. Try to log into an old openssh machine from a new openssh machine -
you cannot do it via kerberos.

Actual Results:  Here is part of the error when going from old to new
5777: Permission denied (gssapi-with-mic,keyboard-interactive).

Here is part of the error when going from new to old
Permission denied (external-keyx,gssapi,keyboard-interactive).


Expected Results:  You should be able to log in using kerberos from
ssh to ssh.

Additional info:
Comment 1 Bill Nottingham 2004-11-04 00:02:01 EST
Correct, the protocol changed (that's why the patch wasn't included
before; the protocol wasn't standardized.)
Comment 2 Troy Dawson 2004-11-04 09:17:00 EST
Is there anything I can do for my RHEL 3 admins that are using the
older patched openssh?  Is there any hope for a patch that will
support both gssapi protocols?
I know I can always just say "you will move to the new openssh" but
even then there is going to be some time during transitions when the
two types of machines just won't talk together via ssh.
Comment 3 Tomas Mraz 2005-02-09 09:01:27 EST
There are currently no plans for such a patch.
Comment 4 Troy Dawson 2005-02-09 09:38:50 EST
OK, thank you for the response.
I've found a couple different places for the patches, so I should be
fine.  
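
An added triage example, not part of the bug report and not OpenSSH code: it parses the two "Permission denied (...)" lines quoted in the description and reports whether client and server share any GSSAPI userauth method name, which separates a method-name mismatch from a Kerberos credential failure. The client method sets and the treatment of "external-keyx" as GSS-related are assumptions inferred from the error lines above.

```python
import re

# Matches the method list in an ssh client failure line, with or without a
# leading prefix such as "5777: ".
DENIED_RE = re.compile(r"Permission denied \(([^)]*)\)")

def offered_methods(line):
    """Return the server's remaining userauth methods from a denial line, or None."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    return [name.strip() for name in m.group(1).split(",") if name.strip()]

def is_gss(method):
    # Assumption: "external-keyx" is GSS-related, since it is listed beside "gssapi".
    return method.startswith("gssapi") or method == "external-keyx"

def diagnose(line, client_methods):
    """Compare the server's offer with the method names the client can attempt."""
    offered = offered_methods(line)
    if offered is None:
        return {"status": "not-a-denial", "common": [], "offered": []}
    common = [m for m in offered if m in client_methods]  # exact name match only
    server_gss = [m for m in offered if is_gss(m)]
    client_gss = [m for m in client_methods if is_gss(m)]
    if any(is_gss(m) for m in common):
        # Same method name on both sides: look at tickets/keytabs, not the protocol.
        status = "gss-method-shared"
    elif server_gss and client_gss:
        status = "gss-method-name-mismatch"
    else:
        status = "no-gss-on-one-side"
    return {"status": status, "common": common, "offered": offered}

# Assumption: each client supports the same method names its own build's server offers.
OLD_CLIENT = {"external-keyx", "gssapi", "keyboard-interactive"}
NEW_CLIENT = {"gssapi-with-mic", "keyboard-interactive"}

# The two error lines quoted in the report.
OLD_TO_NEW = "5777: Permission denied (gssapi-with-mic,keyboard-interactive)."
NEW_TO_OLD = "Permission denied (external-keyx,gssapi,keyboard-interactive)."

if __name__ == "__main__":
    for label, line, client in (("old -> new", OLD_TO_NEW, OLD_CLIENT),
                                ("new -> old", NEW_TO_OLD, NEW_CLIENT)):
        print(label, diagnose(line, client))
```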
