
Bug#817870: openssh-server: GSSAPIKeyExchange is broken



Package: openssh-server
Version: 1:7.2p2-1
Severity: normal

Dear Maintainer,

After upgrading to 7.2, GSSAPIKeyExchange no longer works:

debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1p2 Debian-2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Debian-1
debug1: match: OpenSSH_7.2p2 Debian-1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to host:22 as 'user'
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: Doing group exchange

debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
Disconnecting: Hash's MIC didn't verify

Turning off GSSAPIKeyExchange allows me to log in. The other direction (7.2
client, 7.1 server) works as expected. The same version of the Kerberos
libraries is used on both sides.

Gabor

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (102, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.4 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.58
ii  dpkg                   1.18.4
ii  init-system-helpers    1.29
ii  libaudit1              1:2.4.5-1+b1
ii  libc6                  2.22-2
ii  libcomerr2             1.42.13-1
ii  libgssapi-krb5-2       1.13.2+dfsg-5
ii  libkrb5-3              1.13.2+dfsg-5
ii  libpam-modules         1.1.8-3.2
ii  libpam-runtime         1.1.8-3.2
ii  libpam0g               1.1.8-3.2
ii  libselinux1            2.4-3+b1
ii  libssl1.0.2            1.0.2g-1
ii  libsystemd0            229-2
ii  libwrap0               7.6.q-25
ii  lsb-base               9.20160110
ii  openssh-client         1:7.2p2-1
ii  openssh-sftp-server    1:7.2p2-1
ii  procps                 2:3.3.11-3
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  6.0+20160213-1
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/permit-root-login: false

