Bugzilla – Attachment 1202 Details for
Bug 1008
GSSAPI authentication fails with Round Robin DNS hosts
[patch]
(simplified patch - no config option)
openssh-4.3-gssapi-canonical-hostname.patch (text/plain), 1.04 KB, created by
Jan Iven
on 2006-10-24 02:17:48 AEST
>Symptom: intermittent errors on GSSAPI authentication vs >machines on DNS loadbalancer, stupid client message "Generic Error", >server-side debug complains about unknown principal. > >Comes from the fact that we resolve the generic DNS name once for >the connection, then again for getting the GSSAPI/Kerberos service >ticket. So the service ticket may be for a different host, if >the DNS alias switches in between the two resolves. > >--- openssh-4.3p2/sshconnect2.c.orig 2006-10-23 14:11:58.000000000 +0200 >+++ openssh-4.3p2/sshconnect2.c 2006-10-23 14:21:15.000000000 +0200 >@@ -500,6 +500,7 @@ > static u_int mech = 0; > OM_uint32 min; > int ok = 0; >+ const char* remotehost = get_canonical_hostname(1); > > /* Try one GSSAPI method at a time, rather than sending them all at > * once. */ >@@ -517,7 +518,7 @@ > /* My DER encoding requires length<128 */ > if (gss_supported->elements[mech].length < 128 && > !GSS_ERROR(ssh_gssapi_import_name(gssctxt, >- authctxt->host))) { >+ remotehost))) { > ok = 1; /* Mechanism works */ > } else { > mech++;
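Review bot: in the first hunk, the added `const char* remotehost = get_canonical_hostname(1);` makes the GSSAPI target name come from a lookup on the live connection instead of the host name the user supplied, and it does so unconditionally. The name handed to `ssh_gssapi_import_name` is the identity the client asks Kerberos to authenticate the server as, so deriving it from DNS makes server authentication only as trustworthy as the resolver's answers: a forged answer could steer the client into requesting a ticket for a different host principal. I would keep this behind a client option that defaults to the existing `authctxt->host` behaviour rather than dropping the config option, and state the DNS trust assumption in the documentation for that option.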
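Review bot: in the second hunk, `remotehost` goes straight into `ssh_gssapi_import_name` with no check on what the lookup returned, and a failure there falls through to `mech++` exactly as an unsupported mechanism would. If the lookup yields something other than the expected host name, the user is left with the same uninformative failure the description complains about. Suggest a `debug()` line reporting the name being imported whenever it differs from `authctxt->host`, so a principal mismatch can be diagnosed from the client side.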
Attachments on bug 1008: 1177 | 1202