Bug#817870: openssh-server: GSSAPIKeyExchange is broken
Package: openssh-server
Version: 1:7.2p2-1
Severity: normal
Dear Maintainer,
After upgrading to 7.2, GSSAPIKeyExchange no longer works:
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1p2 Debian-2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Debian-1
debug1: match: OpenSSH_7.2p2 Debian-1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to host:22 as 'user'
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: Doing group exchange
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
Disconnecting: Hash's MIC didn't verify
Turning off GSSAPIKeyExchange allows me to log in. The other direction (7.2
client, 7.1 server) works as expected. The same version of the Kerberos
libraries is used on both sides.
Gabor
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable'), (102, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.4 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.58
ii dpkg 1.18.4
ii init-system-helpers 1.29
ii libaudit1 1:2.4.5-1+b1
ii libc6 2.22-2
ii libcomerr2 1.42.13-1
ii libgssapi-krb5-2 1.13.2+dfsg-5
ii libkrb5-3 1.13.2+dfsg-5
ii libpam-modules 1.1.8-3.2
ii libpam-runtime 1.1.8-3.2
ii libpam0g 1.1.8-3.2
ii libselinux1 2.4-3+b1
ii libssl1.0.2 1.0.2g-1
ii libsystemd0 229-2
ii libwrap0 7.6.q-25
ii lsb-base 9.20160110
ii openssh-client 1:7.2p2-1
ii openssh-sftp-server 1:7.2p2-1
ii procps 2:3.3.11-3
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages openssh-server recommends:
ii ncurses-term 6.0+20160213-1
ii xauth 1:1.0.9-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
openssh-server/permit-root-login: false