Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 178930

Summary: GSSAPI credentials can be delegated to clients who log in using non-GSSAPI methods
Product: Red Hat Enterprise Linux 3
Component: openssh
Version: 3.0
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Keywords: Security
Reporter: Paul Waterman <paulwaterman>
Assignee: Tomas Mraz <tmraz>
QA Contact: Brian Brock <bbrock>
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2798
Doc Type: Bug Fix
Target Milestone: ---
Target Release: ---
Last Closed: 2006-01-25 19:42:32 UTC

Description Paul Waterman 2006-01-25 16:10:21 UTC

Description of problem:
It appears that CVE-2005-2798 has not yet been addressed in RHEL 3.0.

From mitre: "sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts."

I can find no mention of backporting this fix into the version of openssh included in RHEL 3.0.

How reproducible:
Didn't try

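To make the flaw quoted from MITRE concrete, here is an added Python model of the server-side decision it describes. This is illustrative code written for this page, not OpenSSH source and not part of the original report: the names AuthContext, gssapi_exchange, publickey_auth, store_creds_vulnerable and store_creds_fixed, and the sample principal "alice@EXAMPLE.COM", are all constructed. The point it shows is that with client-side delegation enabled, sshd receives the delegated credentials during the gssapi-with-mic exchange, before it knows whether that method will succeed; a server that stores whatever credentials it holds at session start will hand them to a user who actually logged in with publickey, while the hardened variant stores them only when GSSAPI was the method that authenticated the session.

```python
"""Model of the sshd-side credential-storage decision behind CVE-2005-2798.

Constructed example for illustration only; it does not call a GSSAPI library
and does not reproduce OpenSSH's actual code paths.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class DelegatedCreds:
    # A forwarded Kerberos TGT would live here in a real server; we keep only
    # the principal name so the flow can be followed.
    principal: str


@dataclass
class AuthContext:
    user: str
    authenticated: bool = False
    method: Optional[str] = None              # method that actually succeeded
    delegated: Optional[DelegatedCreds] = None  # creds received during GSSAPI


def gssapi_exchange(ctx: AuthContext, creds: DelegatedCreds, mic_ok: bool) -> bool:
    """Client attempted gssapi-with-mic with delegation enabled.

    The delegated credentials arrive while the security context is being
    established, i.e. before the server has verified the MIC. We therefore
    record them on the context unconditionally, exactly as the flaw requires.
    """
    ctx.delegated = creds
    if mic_ok:
        ctx.authenticated = True
        ctx.method = "gssapi-with-mic"
    return ctx.authenticated


def publickey_auth(ctx: AuthContext, key_ok: bool) -> bool:
    """Fallback method the client tries when GSSAPI did not authenticate."""
    if key_ok:
        ctx.authenticated = True
        ctx.method = "publickey"
    return ctx.authenticated


def store_creds_vulnerable(ctx: AuthContext) -> Optional[DelegatedCreds]:
    # Pre-fix behaviour as MITRE describes it: any delegated credentials held
    # at session start are stored for the logged-in user, regardless of how
    # that user authenticated.
    if ctx.authenticated and ctx.delegated is not None:
        return ctx.delegated
    return None


def store_creds_fixed(ctx: AuthContext) -> Optional[DelegatedCreds]:
    # Hardened behaviour: credentials are stored only when GSSAPI itself was
    # the method that authenticated this session.
    if ctx.authenticated and ctx.method == "gssapi-with-mic" and ctx.delegated is not None:
        return ctx.delegated
    return None


def run_session(mic_ok: bool, key_ok: bool,
                store: Callable[[AuthContext], Optional[DelegatedCreds]]) -> Optional[DelegatedCreds]:
    """Drive one login: GSSAPI first, publickey fallback, then the storage policy.

    Returns the credentials that ended up in the user's session, or None.
    """
    ctx = AuthContext(user="alice")
    creds = DelegatedCreds("alice@EXAMPLE.COM")  # constructed sample principal
    if not gssapi_exchange(ctx, creds, mic_ok):
        publickey_auth(ctx, key_ok)
    if not ctx.authenticated:
        return None  # no session, nothing to store
    return store(ctx)


if __name__ == "__main__":
    # GSSAPI attempt fails, publickey succeeds: the vulnerable policy still
    # leaves alice's delegated credentials on a host she only trusted with a key.
    print("vulnerable:", run_session(False, True, store_creds_vulnerable))
    print("fixed:     ", run_session(False, True, store_creds_fixed))
    print("gssapi ok: ", run_session(True, False, store_creds_fixed))
```

Run with the GSSAPI leg failing and publickey succeeding and the two policies diverge: the vulnerable one returns the delegated credentials, the fixed one returns None. When GSSAPI itself succeeds both policies store the credentials, which is the intended delegation case.
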
Comment 1 Tomas Mraz 2006-01-25 19:42:32 UTC
The GSSAPI authentication isn't included in RHEL-3 and RHEL-2.1 openssh
packages. Although an old GSSAPI patch is included in the source RPM it is not
compiled in.