Bug 2456 - gssapi-keyex blocked by PermitRootLogin=without-password
Summary: gssapi-keyex blocked by PermitRootLogin=without-password
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.1p1
Hardware: Other Linux
Importance: P5 minor
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-02 21:08 AEST by Erik Massop
Modified: 2016-08-02 10:41 AEST

See Also:


Attachments

Description Erik Massop 2015-09-02 21:08:42 AEST
The release notes of 7.0 [1] suggest that root-login using GSSAPI should not be affected by the hardening of PermitRootLogin=without-password. (I am aware of the patch in 7.1 for bug 2445.) However, looking at the code [2], it seems that gssapi-keyex is no longer allowed.

Is this intended?


Last few lines of ssh -vvv, from failure with PermitRootLogin=without-password:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by ...


Last few lines of ssh -vvv, from success with PermitRootLogin=yes:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentication succeeded (gssapi-keyex).
Authenticated to ...



[1] http://www.openssh.com/txt/release-7.0
[2] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth.c.diff?sortby=rev&r1=text&tr1=1.111&r2=text&tr2=1.113
Comment 1 Damien Miller 2015-09-03 11:35:47 AEST
OpenSSH doesn't support gssapi-keyex, that's a third-party patch. 

Whoever is patching your sshd with it needs to adjust the patch to allow the gssapi-keyex authentication method. See the auth_root_allowed() function in auth.c.
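To make the gating concrete, here is an added model of the per-method root-login check the comment points at; it is illustration written for this page, not OpenSSH's auth_root_allowed() and not the third-party GSSAPI patch. The enum names, the allow-lists (built only from the methods the report's debug output shows) and the two helper functions are assumptions.

```c
#include <string.h>

/* Assumed names for the PermitRootLogin settings the report discusses. */
enum permit_root { PERMIT_NO, PERMIT_NO_PASSWD, PERMIT_YES };

/* Illustrative allow-list for PermitRootLogin=without-password: only
 * methods that are not password-based. Built from the methods the
 * server advertises in the report; the authoritative list is in auth.c. */
static const char *const stock_methods[] = {
    "publickey", "gssapi-with-mic", NULL
};

/* The same list after the third-party patch also admits its own
 * gssapi-keyex method, which stock OpenSSH does not implement. */
static const char *const patched_methods[] = {
    "publickey", "gssapi-with-mic", "gssapi-keyex", NULL
};

static int in_list(const char *const *list, const char *method)
{
    for (; *list != NULL; list++)
        if (strcmp(*list, method) == 0)
            return 1;
    return 0;
}

/* Returns 1 if root may log in with `method` under `setting`, else 0.
 * Unknown or unhandled settings fail closed. */
int root_login_allowed(enum permit_root setting,
                       const char *const *allowed, const char *method)
{
    switch (setting) {
    case PERMIT_YES:
        return 1;                       /* every method accepted */
    case PERMIT_NO_PASSWD:
        return in_list(allowed, method); /* name must be on the list */
    case PERMIT_NO:
    default:
        return 0;
    }
}

/* Replays the report: gssapi-keyex is refused by the stock list under
 * without-password, and accepted once the patch extends that list. */
int stock_refuses_keyex(void)
{
    return !root_login_allowed(PERMIT_NO_PASSWD, stock_methods, "gssapi-keyex");
}

int patched_accepts_keyex(void)
{
    return root_login_allowed(PERMIT_NO_PASSWD, patched_methods, "gssapi-keyex");
}
```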
Comment 2 Erik Massop 2015-09-03 20:44:55 AEST
Aha! Thanks a lot, and sorry for wasting your time.
Comment 3 Damien Miller 2016-08-02 10:41:36 AEST
Close all resolved bugs after 7.3p1 release