Red Hat Bugzilla – Bug 627139
gssapi patch from 4.3p2 (patch49) causes gssapi failures when host is accessed via pipe proxy
Last modified: 2011-08-19 02:31:30 EDT
+++ This bug was initially created as a clone of Bug #531849 +++
Description of problem:
The patch openssh-4.3p2-gssapi-canohost.patch, named patch49 in the spec file, fixes an instance where the DNS name changes such as a DNS round robin. The problem is that if for any reason get_canonical_hostname returns "UNKNOWN", such as the case where the connection is not a socket connection but a pipe (ProxyConnect nc ... ) then gssapi will always fail.
This patch replaces the older patch so that it reverts to the old pre-patch behavior if get_canonical_hostname fails. The older behavior uses the hostname provided by the user.
Steven (email@example.com) mentioned also that using the string "UNKNOWN" as a failure might cause problems with the corner case of a host named "unknown". Possibly a better failure return for get_canonical_hostname would help there (a null string?)
Version-Release number of selected component (if applicable):
How reproducible:
Attempt to use GSSAPI auth through a pipe proxy
Steps to Reproduce:
1. ssh -D 9999 my.bastion.host -N -f
2. ssh -oProxyCommand="/usr/bin/nc -X 5 -x localhost:9999 %h %p" my.host.with.gssapi
Actual results:
GSSAPI tries to canonicalize "UNKNOWN" via DNS queries and fails.
Expected results:
GSSAPI auth works correctly and allows access.
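The fallback described in this report, as an added example; it is not the patch attached to this bug and not OpenSSH code. The function names, the `CANOHOST_UNKNOWN` macro and the out-of-band flag variant are hypothetical, and the sample host names other than those in the report are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the sentinel the report says get_canonical_hostname()
 * returns on failure, e.g. when the transport is a pipe, not a socket. */
#define CANOHOST_UNKNOWN "UNKNOWN"

/* Sentinel-based selection: use the canonical name unless the lookup
 * failed, then fall back to the host name the user supplied.
 * Assumption: exact, case-sensitive comparison against the sentinel. */
const char *gss_target_sentinel(const char *canonical, const char *user_host)
{
    if (canonical == NULL || canonical[0] == '\0' ||
        strcmp(canonical, CANOHOST_UNKNOWN) == 0)
        return user_host;
    return canonical;
}

/* Hypothetical alternative for the corner case raised in the report:
 * failure is signalled out of band (ok == 0), so no real host name
 * can be mistaken for a failed lookup. */
const char *gss_target_flagged(int ok, const char *canonical,
                               const char *user_host)
{
    if (!ok || canonical == NULL || canonical[0] == '\0')
        return user_host;
    return canonical;
}

int main(void)
{
    /* Pipe proxy case: lookup failed, user-supplied name is used. */
    printf("%s\n", gss_target_sentinel("UNKNOWN", "my.host.with.gssapi"));
    /* Round-robin case: the canonical name of the node reached wins. */
    printf("%s\n", gss_target_sentinel("node2.example.com", "svc.example.com"));
    /* Corner case: a host whose real name equals the sentinel. */
    printf("%s\n", gss_target_sentinel("UNKNOWN", "alias.example.com"));
    printf("%s\n", gss_target_flagged(1, "UNKNOWN", "alias.example.com"));
    return 0;
}
```

With the sentinel variant, a host whose real canonical name equals the sentinel is indistinguishable from a failed lookup, so the user-supplied name is used; the flagged variant keeps the canonical name in that case.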
--- Additional comment from firstname.lastname@example.org on 2009-11-02 08:37:07 EST ---
Patch applied in f13 and f12 also.
--- Additional comment from email@example.com on 2009-11-16 09:36:30 EST ---
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.
More information and reason for this action is here:
Please contact RH support at http://www.redhat.com/support/