Bug#743624: openssh-client: CanonicalizeHostname and GSSAPIDelegateCredentials
Package: openssh-client
Version: 1:6.6p1-2
Severity: normal
Starting with version 6.6 ssh re-reads ssh_config on CanonicalizeHostname:
http://www.openssh.com/txt/release-6.6
  * ssh(1): if hostname canonicalisation is enabled and results in the
    destination hostname being changed, then re-parse ssh_config(5) files
    using the new destination hostname. This gives 'Host' and 'Match'
    directives that use the expanded hostname a chance to be applied.
This works fine except for GSSAPIDelegateCredentials in /etc/ssh/ssh_config.
The buggy combination is:
/etc/ssh/ssh_config:
  host *
      GSSAPIDelegateCredentials no
~/.ssh/config:
  host *
      CanonicalizeHostname yes
      CanonicalDomains mydomain.com
  host foo.mydomain.com
      GSSAPIKeyExchange yes
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
      GSSAPIRenewalForcesRekey yes
% ssh foo klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_<UID>)
If I comment out GSSAPIDelegateCredentials in /etc/ssh/ssh_config or do
ssh foo.mydomain.com I get forwarded credentials.
--
sergio.
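
The following is an added example, not part of the original report and not OpenSSH code: a simplified Python model of the two-pass parse that reproduces the three observations above. It assumes the documented "first obtained value wins" rule, that values set during the first pass are kept when the files are re-parsed, and that canonicalisation of "foo" succeeds in the first CanonicalDomains entry; `apply_config` and `resolve` are hypothetical names.

```python
from fnmatch import fnmatch

# Constructed copies of the two files from the report.
SYSTEM_CONFIG = """
host *
    GSSAPIDelegateCredentials no
"""
USER_CONFIG = """
host *
    CanonicalizeHostname yes
    CanonicalDomains mydomain.com
host foo.mydomain.com
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes
"""

def apply_config(text, host, opts):
    """One pass over one file: the first value obtained for a keyword wins."""
    active = True  # lines before any Host block apply to every host
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = any(fnmatch(host, pat) for pat in args)
        elif active:
            opts.setdefault(key, " ".join(args))  # never overrides
    return opts

def resolve(name, user=USER_CONFIG, system=SYSTEM_CONFIG):
    """Return (final hostname, effective options) for `ssh name`."""
    opts = {}
    for text in (user, system):  # the user file is read before the system file
        apply_config(text, name, opts)
    if opts.get("canonicalizehostname") == "yes" and "." not in name:
        # Assumption: the lookup succeeds in the first CanonicalDomains entry.
        final = name + "." + opts["canonicaldomains"].split()[0]
        for text in (user, system):  # second pass reuses the same opts,
            apply_config(text, final, opts)  # so pass-one values are kept
        return final, opts
    return name, opts

if __name__ == "__main__":
    for target in ("foo", "foo.mydomain.com"):
        print(target, resolve(target)[1].get("gssapidelegatecredentials"))
```

In this model the system-wide `host *` value is recorded during the first pass, before the `host foo.mydomain.com` block can match, which is why only GSSAPIDelegateCredentials is affected while the other GSSAPI options from that block still apply.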