- fix gssapi with DNS loadbalanced clusters (#216857)

Tomáš Mráz 2006-11-30 10:50:12 +00:00
parent d63dc67db7
commit 914284ff3f
2 changed files with 33 additions and 1 deletions

@ -0,0 +1,27 @@
Symptom: intermittent errors on GSSAPI authentication vs
machines on DNS loadbalancer, stupid client message "Generic Error",
server-side debug complains about unknown principal.
Comes from the fact that we resolve the generic DNS name once for
the connection, then again for getting the GSSAPI/Kerberos service
ticket. So the service ticket may be for a different host, if
the DNS alias switches in between the two resolves.
--- openssh-4.3p2/sshconnect2.c.gss-canohost 2006-11-28 21:58:03.000000000 +0100
+++ openssh-4.3p2/sshconnect2.c 2006-11-30 11:33:14.000000000 +0100
@@ -485,6 +485,7 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char* remotehost = get_canonical_hostname(1);
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
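Review bot: get_canonical_hostname(1) derives the name from a reverse DNS lookup of the connected peer address (the argument enables that lookup), so the service principal is now chosen by whatever PTR record answers for the address rather than by the name the user supplied in authctxt->host. That does fix the alias-switching case described in the header, but it also lets a spoofed or stale reverse record steer the client toward a different service principal, and when the reverse lookup fails the function falls back to the numeric address string, which would yield a host/<address> principal the KDC does not know. Consider making the canonicalization opt-in through a client option and stating the trade-off in the patch header. Minor style point: OpenSSH writes pointer declarations as `const char *remotehost` rather than `const char* remotehost`.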
@@ -497,7 +498,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], remotehost)) {
ok = 1; /* Mechanism works */
} else {
mech++;
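Review bot: replacing authctxt->host with remotehost covers only the ssh_gssapi_check_mechanism() call; if authctxt->host is still used later in the GSSAPI exchange to build the service name again, the two lookups the header describes would still disagree. Please confirm this is the only place the service host name is derived and say so in the patch header, and reference the bug number (#216857) from the changelog in the patch description for traceability.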

@ -61,7 +61,7 @@
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
Version: 4.3p2 Version: 4.3p2
Release: 13%{?dist}%{?rescue_rel} Release: 14%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@ -98,6 +98,7 @@ Patch45: openssh-4.3p2-cve-2006-4924.patch
Patch46: openssh-3.9p1-cve-2006-5051.patch Patch46: openssh-3.9p1-cve-2006-5051.patch
Patch47: openssh-4.3p2-cve-2006-5794.patch Patch47: openssh-4.3p2-cve-2006-5794.patch
Patch48: openssh-4.3p2-pam-session.patch Patch48: openssh-4.3p2-pam-session.patch
Patch49: openssh-4.3p2-gssapi-canohost.patch
License: BSD License: BSD
Group: Applications/Internet Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@ -233,6 +234,7 @@ an X11 passphrase dialog for OpenSSH.
%patch46 -p1 -b .sig-no-cleanup %patch46 -p1 -b .sig-no-cleanup
%patch47 -p1 -b .verify %patch47 -p1 -b .verify
%patch48 -p1 -b .pam-sesssion %patch48 -p1 -b .pam-sesssion
%patch49 -p1 -b .canohost
autoreconf autoreconf
@ -477,6 +479,9 @@ fi
%endif %endif
%changelog %changelog
* Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-14
- fix gssapi with DNS loadbalanced clusters (#216857)
* Tue Nov 28 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-13 * Tue Nov 28 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-13
- improved pam_session patch so it doesn't regress, the patch is necessary - improved pam_session patch so it doesn't regress, the patch is necessary
for the pam_session_close to be called correctly as uid 0 for the pam_session_close to be called correctly as uid 0