[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#406458: ssh-krb5: GSSAPI authentication fails against DNS-round-robin hosts

Package: ssh-krb5
Version: 3.8.1p1-7sarge1
Severity: normal
Tags: patch

GSSAPI authentication insists on doing a second DNS lookup when trying
to figure what credentials to get, instead of using the IP of the currently-connected
server. For quickly-changing replies (e.g. Round-Robin
loadbalancing over DNS), this leads to getting a service ticket for the
wrong host.

This is filed in upstream openssh as
  http://bugzilla.mindrot.org/show_bug.cgi?id=1008
and includes patches (one simple, one more elaborate). Given that these
have been lingering for a while, please consider patching the Debian
version... our users really are affected by this.

TIA
Jan

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12.6-xen
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ssh-krb5 depends on:
ii  adduser               3.63               Add and remove users and groups
ii  debconf               1.4.30.13          Debian configuration management sy
ii  libc6                 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii  libcomerr2            1.37-2sarge1       common error description library
ii  libkrb53              1.3.6-2sarge3      MIT Kerberos runtime libraries
ii  libpam-runtime        0.76-22            Runtime support for the PAM librar
ii  libpam0g              0.76-22            Pluggable Authentication Modules l
ii  libssl0.9.7           0.9.7e-3sarge4     SSL shared libraries
ii  libwrap0              7.6.dbs-8          Wietse Venema's TCP wrappers libra
ii  zlib1g                1:1.2.2-4.sarge.2  compression library - runtime

-- debconf information excluded
Reply to: