From 914284ff3f14542732498826c3a169663b713815 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Thu, 30 Nov 2006 10:50:12 +0000 Subject: [PATCH] - fix gssapi with DNS loadbalanced clusters (#216857) --- openssh-4.3p2-gssapi-canohost.patch | 27 +++++++++++++++++++++++++++ openssh.spec | 7 ++++++- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 openssh-4.3p2-gssapi-canohost.patch diff --git a/openssh-4.3p2-gssapi-canohost.patch b/openssh-4.3p2-gssapi-canohost.patch new file mode 100644 index 0000000..190c1dd --- /dev/null +++ b/openssh-4.3p2-gssapi-canohost.patch @@ -0,0 +1,27 @@ +Symptom: intermittent errors on GSSAPI authentication vs +machines on DNS loadbalancer, stupid client message "Generic Error", +server-side debug complains about unknown principal. + +Comes from the fact that we resolve the generic DNS name once for +the connection, then again for getting the GSSAPI/Kerberos service +ticket. So the service ticket may be for a different host, if +the DNS alias switches in between the two resolves. +--- openssh-4.3p2/sshconnect2.c.gss-canohost 2006-11-28 21:58:03.000000000 +0100 ++++ openssh-4.3p2/sshconnect2.c 2006-11-30 11:33:14.000000000 +0100 +@@ -485,6 +485,7 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char* remotehost = get_canonical_hostname(1); + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -497,7 +498,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], remotehost)) { + ok = 1; /* Mechanism works */ + } else { + mech++; diff --git a/openssh.spec b/openssh.spec index deae1a5..fde0792 100644 --- a/openssh.spec +++ b/openssh.spec @@ -61,7 +61,7 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Name: openssh Version: 4.3p2 -Release: 13%{?dist}%{?rescue_rel} +Release: 14%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig @@ -98,6 +98,7 @@ Patch45: openssh-4.3p2-cve-2006-4924.patch Patch46: openssh-3.9p1-cve-2006-5051.patch Patch47: openssh-4.3p2-cve-2006-5794.patch Patch48: openssh-4.3p2-pam-session.patch +Patch49: openssh-4.3p2-gssapi-canohost.patch License: BSD Group: Applications/Internet BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot @@ -233,6 +234,7 @@ an X11 passphrase dialog for OpenSSH. %patch46 -p1 -b .sig-no-cleanup %patch47 -p1 -b .verify %patch48 -p1 -b .pam-sesssion +%patch49 -p1 -b .canohost autoreconf @@ -477,6 +479,9 @@ fi %endif %changelog +* Thu Nov 30 2006 Tomas Mraz - 4.3p2-14 +- fix gssapi with DNS loadbalanced clusters (#216857) + * Tue Nov 28 2006 Tomas Mraz - 4.3p2-13 - improved pam_session patch so it doesn't regress, the patch is necessary for the pam_session_close to be called correctly as uid 0