Bug 2553

Summary: 7.2p2 on server breaks GSSAPI with older clients
Product: Portable OpenSSH Reporter: Dan McDonald <danmcd>
Component: Kerberos supportAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED INVALID    
Severity: normal CC: djm
Priority: P5    
Version: 7.2p1   
Hardware: amd64   
OS: Solaris   

Description Dan McDonald 2016-03-17 00:58:14 AEDT 
I put 7.2p2 into OmniOS (an illumos distro... you don't call out illumos yet, so I put it with Solaris for now... you need to fix that) yesterday.  A GSSAPI user has reported that their GSSAPI authentication breaks now.  Apparently I'm not the only one seeing it:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817870

I've yet to confirm/deny if a 7.2 client works with a 7.2 server.

One possibly relevant client-side-only pastebin:

http://fpaste.org/340879/81335561/
Comment 1 Dan McDonald 2016-03-17 00:59:51 AEDT 
I build with these patches:

https://github.com/omniti-labs/omnios-build/tree/master/build/openssh/patches

(And the commit message is a bit wrong - they are updated for 7.2p2.)
Comment 2 Dan McDonald 2016-03-17 01:01:31 AEDT 
I build with these patches:

https://github.com/omniti-labs/omnios-build/tree/master/build/openssh/patches

(And the commit message is a bit wrong - they are updated for 7.2p2.)


>>> I've yet to confirm/deny if a 7.2 client works with a 7.2 server.

Confirmed that a 7.2 client works with a 7.2 server.  So perhaps it's a dropped algorithm?
Comment 3 Dan McDonald 2016-03-17 01:05:30 AEDT 
Pastebin with successful 7.2 client to 7.2 server session:

http://fpaste.org/340917/13698814/
Comment 4 Damien Miller 2016-03-18 04:58:48 AEDT 
This:

debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==

Isn't OpenSSH. It's a 3rd-party patch that we didn't write and don't maintain. You'll have to look to whoever wrote that patch for support.
Comment 5 Dan McDonald 2016-03-18 06:48:02 AEDT 
(In reply to Damien Miller from comment #4)
> This:
> 
> debug1: Offering GSSAPI proposal:
> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-
> toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==
> 
> Isn't OpenSSH. It's a 3rd-party patch that we didn't write and don't
> maintain. You'll have to look to whoever wrote that patch for
> support.

Thank you for the clarification, and sorry for the disturbance.
Comment 6 Damien Miller 2016-08-02 10:41:50 AEST 
Close all resolved bugs after 7.3p1 release