This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 427303 - can't log in using gssapi when also specifying an SELinux role
can't log in using gssapi when also specifying an SELinux role
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-02 16:49 EST by Nalin Dahyabhai
Modified: 2008-01-03 12:47 EST (History)
0 users

See Also:
Fixed In Version: openssh-4.7p1-7.fc9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-03 12:47:18 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
patch which seems to work for me (830 bytes, patch)
2008-01-02 16:49 EST, Nalin Dahyabhai
no flags Details | Diff

  None (edit)
Description Nalin Dahyabhai 2008-01-02 16:49:11 EST
Description of problem:
The patches to sshd which allow it to recognize "user/role" as a user name cause
gssapi authentication to fail when the user's name is specified in this way.

Version-Release number of selected component (if applicable):
openssh-4.7p1-5.fc9

How reproducible:
Always

Steps to Reproduce:
1. Set up gssapi authentication.
2. Attempt to log in while specifying a role, even your default one (by
specifying "user/role", for example "root/unconfined_t" as a user).
  
Actual results:
Client fails to authenticate, falls back to pubkey or password-based auth.  The
server logs this error:
Jan  2 20:34:24 blade sshd[22659]: GSSAPI MIC check failed

Expected results:
No error.

Additional info:
This is documented in section 4 of RFC4462 if a reference is needed.
Comment 1 Nalin Dahyabhai 2008-01-02 16:49:51 EST
Created attachment 290679 [details]
patch which seems to work for me

Note You need to log in before you can comment on or make changes to this bug.