Bug 427303 - can't log in using gssapi when also specifying an SELinux role
Summary: can't log in using gssapi when also specifying an SELinux role
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-01-02 21:49 UTC by Nalin Dahyabhai
Modified: 2008-01-03 17:47 UTC (History)
0 users

Fixed In Version: openssh-4.7p1-7.fc9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-03 17:47:18 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
patch which seems to work for me (830 bytes, patch)
2008-01-02 21:49 UTC, Nalin Dahyabhai
no flags Details | Diff

Description Nalin Dahyabhai 2008-01-02 21:49:11 UTC
Description of problem:
The patches to sshd which allow it to recognize "user/role" as a user name cause
gssapi authentication to fail when the user's name is specified in this way.

Version-Release number of selected component (if applicable):
openssh-4.7p1-5.fc9

How reproducible:
Always

Steps to Reproduce:
1. Set up gssapi authentication.
2. Attempt to log in while specifying a role, even your default one (by
specifying "user/role", for example "root/unconfined_t" as a user).
  
Actual results:
Client fails to authenticate, falls back to pubkey or password-based auth.  The
server logs this error:
Jan  2 20:34:24 blade sshd[22659]: GSSAPI MIC check failed

Expected results:
No error.

Additional info:
This is documented in section 4 of RFC4462 if a reference is needed.

Comment 1 Nalin Dahyabhai 2008-01-02 21:49:51 UTC
Created attachment 290679 [details]
patch which seems to work for me


Note You need to log in before you can comment on or make changes to this bug.