
Bug#1053822: openssh-client: consider patch for allow GSSAPI to use default ccache or unique



Package: openssh-client
Version: 1:9.4p1-1
Severity: wishlist


Hey there.

I've recently filed:
https://github.com/openssh-gsskex/openssh-gsskex/issues/24
(not sure whether this is actually the current upstream, if there's
any at all, of Debian's GSSAPI patch).

In short, the problem is that the current patch doesn't work well
when one uses Kerberos with multiple realms (or perhaps even multiple
principals within one realm).
More details at the link above.


I've now seen that there may even already be a solution for that.

https://github.com/openssh-gsskex/openssh-gsskex/commit/d26622b7e0f2a9752cb8acb595d0265bd03aee0d
mentions various other patches:
> [2] https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-kuserok.patch
> [3] https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-GSSAPIEnablek5users.patch
> [4] https://bugzilla.mindrot.org/show_bug.cgi?id=2775

[4] reads as if it would be what I'm looking for. Not sure whether
Debian would benefit from [2] and [3].

Fedora seem to have a different patch for this:
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-gssapi-new-unique.patch


I have no idea about the security of these patches ;-)

Do you think it would be possible to merge one of them?


Thanks,
Chris.

