[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#817870: marked as done (openssh-server: GSSAPIKeyExchange is broken)

Your message dated Mon, 21 Mar 2016 12:37:28 +0000
with message-id <E1ahz5M-00085l-Va@franck.debian.org>
and subject line Bug#817870: fixed in openssh 1:7.2p2-2
has caused the Debian Bug report #817870,
regarding openssh-server: GSSAPIKeyExchange is broken
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
817870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817870
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: openssh-server
Version: 1:7.2p2-1
Severity: normal

Dear Maintainer,

After upgrading to 7.2, GSSAPIKeyExchange no longer works:

debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1p2 Debian-2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Debian-1
debug1: match: OpenSSH_7.2p2 Debian-1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to host:22 as 'user'
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: Doing group exchange

debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
Disconnecting: Hash's MIC didn't verify

Turning off GSSAPIKeyExchange allows me to log in. The other direction (7.2
client, 7.1 server) works as expected. The same version of Kerberos libraries
are used on both sides.

Gabor

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (102, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.4 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.58
ii  dpkg                   1.18.4
ii  init-system-helpers    1.29
ii  libaudit1              1:2.4.5-1+b1
ii  libc6                  2.22-2
ii  libcomerr2             1.42.13-1
ii  libgssapi-krb5-2       1.13.2+dfsg-5
ii  libkrb5-3              1.13.2+dfsg-5
ii  libpam-modules         1.1.8-3.2
ii  libpam-runtime         1.1.8-3.2
ii  libpam0g               1.1.8-3.2
ii  libselinux1            2.4-3+b1
ii  libssl1.0.2            1.0.2g-1
ii  libsystemd0            229-2
ii  libwrap0               7.6.q-25
ii  lsb-base               9.20160110
ii  openssh-client         1:7.2p2-1
ii  openssh-sftp-server    1:7.2p2-1
ii  procps                 2:3.3.11-3
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  6.0+20160213-1
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/permit-root-login: false

--- End Message ---
--- Begin Message --- 
Source: openssh
Source-Version: 1:7.2p2-2

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 817870@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 21 Mar 2016 12:08:55 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.2p2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 817870
Changes:
 openssh (1:7.2p2-2) unstable; urgency=medium
 .
   * Fix kexgss_server to cope with DH_GRP_MIN/DH_GRP_MAX being stricter on
     the server end than the client (thanks, Damien Miller; closes: #817870,
     LP: #1558576).
Checksums-Sha1:
 be8d5c86594bc188606ddcf7d6d3572b6bca5f6f 2837 openssh_7.2p2-2.dsc
 aa018bc96d92d5bb2e69eda20af5671fbaa96e3f 149208 openssh_7.2p2-2.debian.tar.xz
Checksums-Sha256:
 86fe845499de556a003856437c178550236a7f1aec611977d6ca1e363462f72f 2837 openssh_7.2p2-2.dsc
 a603d3a17729c5229711ace3a5e3e00db10a15adec03a22c870711f07f4b07bd 149208 openssh_7.2p2-2.debian.tar.xz
Files:
 3fa0d4b0ef26823f11e743ca96ae307a 2837 net standard openssh_7.2p2-2.dsc
 61589ce3782cbce80817dc73837030b0 149208 net standard openssh_7.2p2-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iQIVAwUBVu/o7Tk1h9l9hlALAQiTphAAkz1cCWoSQ3Gnae02kuiI/AFwxnzLLsVU
dZex27RXdn3Er9dF83UHcyveRCBdeZWEloTwxuS2DfKz/e2LIIbXJqNUWU92BQcY
v3Lvf59e3e0WltrmrqdOviPmwd1ltouxEv9A53PzkkTTPjZkZRx6AmtqUi7OlV0h
PAMqHXxxu7rF+tSHPejBw4VGRjUNfnZAHq1VlLJvgFam53Ni2Udkwq8DAvgQ3fx3
lOyEYntTO76l2JMvEzUIoyedkSpEY8fgVw+3Ky+WGT7NQN5WcTE/hm59LE0UKIJt
zDciHMMZt4vgmaI/wdraYIC5DvVJB6n2jQSbEQDeaFqA+P5VwH9W/sT2HCxZTjJm
UbaGhOiGaeB5cEBzLMSFARAq1LECERY6Qw1qzaT5jXZiJnTjVMZuAL2cWsLgl7Cj
S0DAHDgvKOFyGkSBv/uWz6vTfpBGEaoZDYbxGemCYJO0AQsuqeF0J7lhFdwRn670
xWaKJTLNQR3IQKfO2iWsVUtLufBjPx+4/gvheTnGDqrspu6Dw1uPoeIAvLxCsOGP
qQimCYy/KY9RAO4tncmn/AzZg+K9XCGbd1cEUcdZ+2Zd87FYtuTUTDE1YAVSemKW
AZ0Utrdua2wkUfVvhk4sQBFrsJgHSSGIekwi4u715BObcQ/9AwRE3ehIQtEMslXI
nOrryvzfKrA=
=70R4
-----END PGP SIGNATURE-----

--- End Message ---
Reply to: