Bug 627139 - gssapi patch from 4.3p2 (patch49) causes gssapi failures when host is accessed via pipe proxy
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssh
Version: 5.6
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Jan F. Chadima
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-08-25 07:44 UTC by Joergen Samson
Modified: 2011-08-19 06:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 531849
Environment:
Last Closed: 2011-08-19 06:31:30 UTC
Target Upstream Version:
Embargoed:



Description Joergen Samson 2010-08-25 07:44:16 UTC
+++ This bug was initially created as a clone of Bug #531849 +++

Description of problem:
The patch openssh-4.3p2-gssapi-canohost.patch, named patch49 in the spec file, fixes an instance where the DNS name changes, such as a DNS round robin. The problem is that if for any reason get_canonical_hostname returns "UNKNOWN", such as the case where the connection is not a socket connection but a pipe (ProxyConnect nc ... ), then gssapi will always fail.

This patch replaces the older patch so that it reverts to the old pre-patch behavior if get_canonical_hostname fails. The older behavior uses the hostname provided by the user.

Steven (smilner) also mentioned that using the string "UNKNOWN" as a failure might cause problems with the corner case of a host named "unknown". Possibly a better failure return for get_canonical_hostname would help there (a null string?).

Version-Release number of selected component (if applicable):
openssh-5.2p1-28

How reproducible:
Attempt to use GSSAPI auth through a pipe proxy

Steps to Reproduce:
1. ssh -D 9999 my.bastion.host -N -f
2. ssh -oProxyCommand="/usr/bin/nc -X 5 -x localhost:9999 %h %p" my.host.with.gssapi
  
Actual results:
GSSAPI tries to canonicalize "UNKNOWN" via DNS queries and fails.

Expected results:
GSSAPI auth works correctly and allows access.

--- Additional comment from jchadima on 2009-11-02 08:37:07 EST ---

Patch applied in f13 and f12 also.

--- Additional comment from fedora-triage-list on 2009-11-16 09:36:30 EST ---


This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 1 Jan F. Chadima 2011-07-11 08:53:16 UTC
Please contact RH support at http://www.redhat.com/support/

