Bug#406458: ssh-krb5: GSSAPI authentication fails against DNS-round-robin hosts
Package: ssh-krb5
Version: 3.8.1p1-7sarge1
Severity: normal
Tags: patch
GSSAPI authentication insists on doing a second DNS lookup when trying
to figure out what credentials to get, instead of using the IP of the currently-connected
server. For quickly-changing replies (e.g. Round-Robin
load balancing over DNS), this leads to getting a service ticket for the
wrong host.
This is filed in upstream openssh as
http://bugzilla.mindrot.org/show_bug.cgi?id=1008
and includes patches (one simple, one more elaborate). Given that these
have been lingering for a while, please consider patching the Debian
version... our users really are affected by this.
TIA
Jan
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12.6-xen
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages ssh-krb5 depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf 1.4.30.13 Debian configuration management sy
ii libc6 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii libcomerr2 1.37-2sarge1 common error description library
ii libkrb53 1.3.6-2sarge3 MIT Kerberos runtime libraries
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7e-3sarge4 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- debconf information excluded
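The failure described in the report, as an added example that is not part of the original report or of the upstream patches: a small C model in which a round-robin name is resolved once to connect and a second time to pick the ticket target. The host names, the 192.0.2.x addresses, the simulated resolver and the reverse-lookup canonicalisation are constructed assumptions; only the `host@<fqdn>` host-based service name form is standard GSSAPI.

```c
#include <stdio.h>
#include <string.h>

struct host { const char *ip; const char *fqdn; };

/* Constructed sample data: one round-robin name served by two machines,
 * each of which holds only its own host key in its keytab. */
static const struct host pool[] = {
    { "192.0.2.10", "node1.example.org" },
    { "192.0.2.11", "node2.example.org" },
};
static unsigned rr_next;   /* rotation state of the simulated DNS server */

/* Simulated forward lookup: every query returns the next address. */
static const char *rr_lookup(void) { return pool[rr_next++ % 2].ip; }

/* Simulated reverse lookup: address -> canonical host name. */
static const char *reverse(const char *ip) {
    for (size_t i = 0; i < 2; i++)
        if (strcmp(pool[i].ip, ip) == 0) return pool[i].fqdn;
    return NULL;
}

/* Build the GSSAPI host-based service name for a given address. */
static int target_for_ip(const char *ip, char *out, size_t n) {
    const char *fqdn = reverse(ip);
    return fqdn ? snprintf(out, n, "host@%s", fqdn) : -1;
}

/* Returns 1 if the ticket target names the server actually connected to.
 * use_connected_ip = 0: behaviour in the report (resolve the name again).
 * use_connected_ip = 1: requested behaviour (reuse the connected address). */
int ticket_matches(int use_connected_ip) {
    char want[64], got[64];
    rr_next = 0;
    const char *peer = rr_lookup();            /* lookup #1: connect() target */
    if (target_for_ip(peer, want, sizeof want) < 0) return 0;
    const char *src = use_connected_ip ? peer : rr_lookup();  /* lookup #2 rotates */
    if (target_for_ip(src, got, sizeof got) < 0) return 0;
    printf("connected to %s, ticket requested for %s\n", want, got);
    return strcmp(want, got) == 0;
}

int main(void) {
    ticket_matches(0);
    ticket_matches(1);
    return 0;
}
```

In the mismatching case the client presents a ticket encrypted for a different machine's key, which the connected server cannot accept.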