
Bug#743624: openssh-client: CanonicalizeHostname and GSSAPIDelegateCredentials



Package: openssh-client
Version: 1:6.6p1-2
Severity: normal

Starting with version 6.6 ssh re-reads ssh_config on CanonicalizeHostname:

http://www.openssh.com/txt/release-6.6

 * ssh(1): if hostname canonicalisation is enabled and results in the
   destination hostname being changed, then re-parse ssh_config(5) files
   using the new destination hostname. This gives 'Host' and 'Match'
   directives that use the expanded hostname a chance to be applied.


This works fine except for GSSAPIDelegateCredentials in /etc/ssh/ssh_config.
The buggy combination is:

/etc/ssh/ssh_config:
host *
  GSSAPIDelegateCredentials no


~/.ssh/config:
host *
  CanonicalizeHostname yes
  CanonicalDomains mydomain.com
 
host foo.mydomain.com
  GSSAPIKeyExchange yes
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPIRenewalForcesRekey yes


% ssh foo klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_<UID>)


If I comment out GSSAPIDelegateCredentials in /etc/ssh/ssh_config or do
ssh foo.mydomain.com, I get forwarded credentials.

-- 
sergio.
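
A simplified model of the lookup, added here as an example and not taken from the report or from OpenSSH's code. It assumes that ssh keeps the first value obtained for each option, reads the user file before /etc/ssh/ssh_config, and does not clear options between the first pass and the re-parse; that is an assumption about the cause, not something the report states. The names apply_file, effective_delegation and reset_between_passes are hypothetical, and canonicalisation is reduced to appending the first CanonicalDomains entry to a dotless name.

```python
from fnmatch import fnmatch

# Constructed from the two files quoted in the report.
USER_CONFIG = """\
host *
  CanonicalizeHostname yes
  CanonicalDomains mydomain.com

host foo.mydomain.com
  GSSAPIKeyExchange yes
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPIRenewalForcesRekey yes
"""
SYSTEM_CONFIG = """\
host *
  GSSAPIDelegateCredentials no
"""

def apply_file(text, hostname, options):
    """Apply one config file; an option that is already set is never overwritten."""
    active = True  # lines before the first Host block apply to every host
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = any(fnmatch(hostname, pattern) for pattern in args)
        elif active:
            options.setdefault(key, " ".join(args))

def effective_delegation(hostname, system_config=SYSTEM_CONFIG, reset_between_passes=False):
    """Return the GSSAPIDelegateCredentials value the model ends up with."""
    options = {}
    for cfg in (USER_CONFIG, system_config):  # assumed order: user file first
        apply_file(cfg, hostname, options)
    if options.get("canonicalizehostname") == "yes" and "." not in hostname:
        # Simplification: no DNS lookup, just append the first canonical domain.
        canonical = hostname + "." + options["canonicaldomains"].split()[0]
        if reset_between_passes:  # hypothetical variant, for comparison only
            options = {}
        for cfg in (USER_CONFIG, system_config):
            apply_file(cfg, canonical, options)
    return options.get("gssapidelegatecredentials", "no")

if __name__ == "__main__":
    for name in ("foo", "foo.mydomain.com"):
        print(name, "->", effective_delegation(name))
```

Under these assumptions the "no" from the system-wide host * block is recorded during the first pass for "foo", so the "yes" in the foo.mydomain.com block is ignored on the re-parse, which matches all three observations above.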

