Bug 627139 - gssapi patch from 4.3p2 (patch49) causes gssapi failures when host is accessed via pipe proxy
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssh
All Linux
low Severity medium
Assigned To: Jan F. Chadima
BaseOS QE Security Team
Reported: 2010-08-25 03:44 EDT by Joergen Samson
Modified: 2011-08-19 02:31 EDT
Doc Type: Bug Fix
Clone Of: 531849
Last Closed: 2011-08-19 02:31:30 EDT
Description Joergen Samson 2010-08-25 03:44:16 EDT
+++ This bug was initially created as a clone of Bug #531849 +++

Description of problem:
The patch openssh-4.3p2-gssapi-canohost.patch, named patch49 in the spec file, fixes an instance where the DNS name changes such as a DNS round robin. The problem is that if for any reason get_canonical_hostname returns "UNKNOWN", such as the case where the connection is not a socket connection but a pipe (ProxyConnect nc ... ) then gssapi will always fail.

This patch replaces the older patch so that it reverts to the old pre-patch behavior if get_canonical_hostname fails.  The older behavior uses the hostname provided by the user.

Steven (smilner@redhat.com) mentioned also that using the string "UNKNOWN" as a failure might cause problems with the corner case of a host named "unknown".  Possibly a better failure return for get_canonical_hostname would help there (a null string?)

Version-Release number of selected component (if applicable):

How reproducible:
Attempt to use GSSAPI auth through a pipe proxy

Steps to Reproduce:
1. ssh -D 9999 my.bastion.host -N -f
2. ssh -oProxyCommand="/usr/bin/nc -X 5 -x localhost:9999 %h %p" my.host.with.gssapi

Actual results:
GSSAPI tries to canonicalize "UNKNOWN" via DNS queries and fails.

Expected results:
GSSAPI auth works correctly and allows access.

--- Additional comment from jchadima@redhat.com on 2009-11-02 08:37:07 EST ---

Patch applied in f13 and f12 also.

--- Additional comment from fedora-triage-list@redhat.com on 2009-11-16 09:36:30 EST ---

This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:

Comment 1 Jan F. Chadima 2011-07-11 04:53:16 EDT
Please contact RH support at http://www.redhat.com/support/
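
The hostname fallback discussed in the description, as an added example (not the code of patch49 or of OpenSSH). The function names, the case-insensitive comparison and the sample hostnames are assumptions; the "host@<name>" service-name form is the one RFC 4462 specifies. It contrasts the "UNKNOWN" sentinel with an out-of-band NULL failure for a host really named "unknown":

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CANOHOST_FAILED "UNKNOWN" /* failure string named in the report */

/* Hypothetical helper, in-band sentinel: fall back to the name the user
 * typed when the canonical lookup failed (e.g. the transport is a
 * ProxyCommand pipe, not a socket). Case-insensitive match is an assumption. */
const char *pick_host_sentinel(const char *canonical, const char *user_host)
{
    if (canonical == NULL || strcasecmp(canonical, CANOHOST_FAILED) == 0)
        return user_host;
    return canonical;
}

/* Hypothetical helper, out-of-band failure (NULL) as floated in the report,
 * so that no hostname value is reserved. */
const char *pick_host_null(const char *canonical, const char *user_host)
{
    return canonical != NULL ? canonical : user_host;
}

/* Build the GSSAPI host-based service name "host@<name>".
 * Returns 0 on success, -1 if the result would be truncated. */
int build_service_name(char *out, size_t outlen, const char *host)
{
    int n = snprintf(out, outlen, "host@%s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: {canonical lookup result (NULL = failed), name typed by user}. */
    const char *cases[][2] = {
        { "node3.example.com", "login.example.com" },   /* DNS round robin */
        { NULL,                "my.host.with.gssapi" }, /* pipe proxy, lookup fails */
        { "unknown",           "alias.example.com" },   /* host really named "unknown" */
    };
    char a[300], b[300];
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const char *c = cases[i][0], *u = cases[i][1];
        if (build_service_name(a, sizeof a, pick_host_sentinel(c ? c : CANOHOST_FAILED, u)) ||
            build_service_name(b, sizeof b, pick_host_null(c, u)))
            return 1;
        printf("%-18s sentinel=%-26s null=%s\n", c ? c : "(lookup failed)", a, b);
    }
    return 0;
}
```

In the third case the sentinel variant treats the real host as a failed lookup and uses the alias, while the NULL variant keeps the canonical name.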
