+++ This bug was initially created as a clone of Bug #531849 +++

Description of problem:
The patch openssh-4.3p2-gssapi-canohost.patch, named patch49 in the spec file, fixes an instance where the DNS name changes such as a DNS round robin. The problem is that if for any reason get_canonical_hostname returns "UNKNOWN", such as the case where the connection is not a socket connection but a pipe (ProxyConnect nc ... ) then gssapi will always fail.

This patch replaces the older patch so that it reverts to the old pre-patch behavior if get_canonical_hostname fails. The older behavior uses the hostname provided by the user.

Steven (smilner) mentioned also that using the string "UNKNOWN" as a failure might cause problems with the corner case of a host named "unknown". Possibly a better failure return for get_canonical_hostname would help there (a null string?)

Version-Release number of selected component (if applicable):
openssh-5.2p1-28

How reproducible:
Attempt to use GSSAPI auth through a pipe proxy

Steps to Reproduce:
1. ssh -D 9999 my.bastion.host -N -f
2. ssh -oProxyCommand="/usr/bin/nc -X 5 -x localhost:9999 %h %p" my.host.with.gssapi

Actual results:
GSSAPI tries to canonicalize "UNKNOWN" via DNS queries and fails.

Expected results:
GSSAPI auth works correctly and allows access.

--- Additional comment from jchadima on 2009-11-02 08:37:07 EST ---

Patch applied in f13 and f12 also.

--- Additional comment from fedora-triage-list on 2009-11-16 09:36:30 EST ---

This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Please contact RH support at http://www.redhat.com/support/
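
The fallback described in the report, as an added example that is not part of the original bug or of the OpenSSH patch: it picks the host name for GSSAPI under the "UNKNOWN" sentinel convention and under the NULL/empty convention floated in the description, then builds the host-based service name "host@<name>". All function names are hypothetical and the inputs are constructed; only get_canonical_hostname's "UNKNOWN" failure string and my.host.with.gssapi come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Failure string named in the report. All function names are hypothetical. */
#define CANOHOST_FAILED "UNKNOWN"

/* Sentinel convention: "UNKNOWN" (or NULL) means the lookup failed, so use
 * the host name the user supplied, as before the canohost patch. */
const char *gss_target_host(const char *canonical, const char *user_host)
{
    if (canonical == NULL || strcmp(canonical, CANOHOST_FAILED) == 0)
        return user_host;
    return canonical;
}

/* NULL/empty convention floated in the report: only a missing result is a
 * failure, so a host really named "UNKNOWN" keeps its canonical name. */
const char *gss_target_host_null(const char *canonical, const char *user_host)
{
    if (canonical == NULL || canonical[0] == '\0')
        return user_host;
    return canonical;
}

/* Build the GSSAPI host-based service name "host@<name>" into buf.
 * Returns 0 on success, -1 if the result would be truncated. */
int gss_service_name(char *buf, size_t len,
                     const char *canonical, const char *user_host)
{
    int n = snprintf(buf, len, "host@%s",
                     gss_target_host(canonical, user_host));
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char name[256];
    /* Constructed inputs: proxied connection (no socket), then a normal one. */
    if (gss_service_name(name, sizeof name, "UNKNOWN", "my.host.with.gssapi") == 0)
        printf("proxied: %s\n", name);
    if (gss_service_name(name, sizeof name, "node2.example.com", "rr.example.com") == 0)
        printf("direct:  %s\n", name);
    printf("host named UNKNOWN, NULL convention: %s\n",
           gss_target_host_null("UNKNOWN", "typed.example.com"));
    return 0;
}
```

Under the sentinel convention a canonical result of "UNKNOWN" is always treated as a failed lookup, while the NULL/empty convention returns it unchanged as a real host name.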