Bug#409360: openssh-client: Disabling GSSAPIAuthentication option by default
Colin Watson <cjwatson@debian.org> writes:
> On Fri, Mar 30, 2007 at 12:32:48PM -0700, Russ Allbery wrote:
>> Do we know which lookup in particular is hanging? I had originally
>> thought that it was the lookups for the KDCs, but it sounds like that
>> may not be the case. That's good news -- there isn't much that can be
>> done about the KDC lookups without some longer-term upstream projects,
>> but if it's something else, it may be easier to fix.
> It's the one from gss_import_name (called from ssh_gss_import_name), I
> believe.
Ah, yes. Which calls krb5_sname_to_principal to try to figure out what
credentials to attempt to acquire, which in turn does:
struct addrinfo *ai, hints;
int err;
char hnamebuf[NI_MAXHOST];
/* Note that the old code would accept numeric addresses,
and if the gethostbyaddr step could convert them to
real hostnames, you could actually get reasonable
results. If the mapping failed, you'd get dotted
triples as realm names. *sigh*
The latter has been fixed in hst_realm.c, but we should
keep supporting numeric addresses if they do have
hostnames associated. */
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
if (hints.ai_family == AF_INET) {
/* Just in case it's an IPv6-only name. */
hints.ai_family = 0;
goto try_getaddrinfo_again;
}
return KRB5_ERR_BAD_HOSTNAME;
}
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
if (!remote_host) {
freeaddrinfo(ai);
return ENOMEM;
}
if (maybe_use_reverse_dns(context, DEFAULT_RDNS_LOOKUP)) {
/*
* Do a reverse resolution to get the full name, just in
* case there's some funny business going on. If there
* isn't an in-addr record, give up.
*/
/* XXX: This is *so* bogus. There are several cases where
this won't get us the canonical name of the host, but
this is what we've trained people to expect. We'll
probably fix it at some point, but let's try to
preserve the current behavior and only shake things up
once when it comes time to fix this lossage. */
err = getnameinfo(ai->ai_addr, ai->ai_addrlen,
hnamebuf, sizeof(hnamebuf), 0, 0, NI_NAMEREQD);
freeaddrinfo(ai);
if (err == 0) {
free(remote_host);
remote_host = strdup(hnamebuf);
if (!remote_host)
return ENOMEM;
}
}
You can turn off the reverse DNS lookup by setting rdns to false in
[libdefaults] in krb5.conf, but this means that the Kerberos library
doesn't canonicalize the hostname for you, which is a change in behavior.
As the comment notes, the Kerberos library really shouldn't be doing this,
but it's been done this way for so long that it's a disruptive change to
stop. This is really the wrong behavior for SSH in general, since SSH has
its own concept of host canonicalization that's handled through local
configuration, but Kerberos doesn't know it's being called by SSH.
However, before calling this function, gss_import_name creates a Kerberos
context, which means that this should all fail much earlier if one doesn't
have a krb5.conf file. So people who don't have krb5-config installed
won't see this, even if reverse DNS is broken. Unfortunately, the code
has no idea whether you have a ticket cache until much later, so if you
have the configuration available, this will all happen even if you don't
have Kerberos tickets (I think).
Personally, I think this bug lies with whatever package is installing a
broken reverse DNS setup that not only doesn't work but that takes forever
to time out. But I realize that it's annoying to people and users don't
really care *where* the problem is coming from.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: