[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#406458: marked as done (ssh-krb5: GSSAPI authentication fails against DNS-round-robin hosts)

Your message dated Tue, 12 Jun 2007 20:21:16 +0100
with message-id <20070612192116.GM4163@riva.ucam.org>
and subject line Bug#406458: ssh-krb5: GSSAPI authentication fails against DNS-round-robin hosts
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: ssh-krb5
Version: 3.8.1p1-7sarge1
Severity: normal
Tags: patch

GSSAPI authentication insists on doing a second DNS lookup when trying
to figure what credentials to get, instead of using the IP of the currently-connected
server. For quickly-changing replies (e.g. Round-Robin
loadbalancing over DNS), this leads to getting a service ticket for the
wrong host.

This is filed in upstream openssh as
  http://bugzilla.mindrot.org/show_bug.cgi?id=1008
and includes patches (one simple, one more elaborate). Given that these
have been lingering for a while, please consider patching the Debian
version... our users really are affected by this.

TIA
Jan

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12.6-xen
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ssh-krb5 depends on:
ii  adduser               3.63               Add and remove users and groups
ii  debconf               1.4.30.13          Debian configuration management sy
ii  libc6                 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii  libcomerr2            1.37-2sarge1       common error description library
ii  libkrb53              1.3.6-2sarge3      MIT Kerberos runtime libraries
ii  libpam-runtime        0.76-22            Runtime support for the PAM librar
ii  libpam0g              0.76-22            Pluggable Authentication Modules l
ii  libssl0.9.7           0.9.7e-3sarge4     SSL shared libraries
ii  libwrap0              7.6.dbs-8          Wietse Venema's TCP wrappers libra
ii  zlib1g                1:1.2.2-4.sarge.2  compression library - runtime

-- debconf information excluded

--- End Message ---
--- Begin Message --- 
Source: openssh
Source-Version: 1:4.3p2-1

On Thu, Jan 11, 2007 at 04:00:23AM -0600, Jan Iven wrote:
> Package: ssh-krb5
> Version: 3.8.1p1-7sarge1
> Severity: normal
> Tags: patch
> 
> GSSAPI authentication insists on doing a second DNS lookup when trying
> to figure what credentials to get, instead of using the IP of the currently-connected
> server. For quickly-changing replies (e.g. Round-Robin
> loadbalancing over DNS), this leads to getting a service ticket for the
> wrong host.
> 
> This is filed in upstream openssh as
>   http://bugzilla.mindrot.org/show_bug.cgi?id=1008
> and includes patches (one simple, one more elaborate). Given that these
> have been lingering for a while, please consider patching the Debian
> version... our users really are affected by this.

This bug was fixed by a newer version of Simon Wilkinson's GSSAPI patch
a while back (1:4.3p2-1) and is fixed in etch, so I'm recording that
now. I've no objection to it being fixed in sarge, but I think you'd
need to get somebody with more practical Kerberos experience than me to
take care of that ...

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
Reply to: