- fix gssapi with DNS loadbalanced clusters (#216857)
parent
d63dc67db7
commit
914284ff3f
27
openssh-4.3p2-gssapi-canohost.patch
Normal file
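--- /dev/null
+++ b/openssh-4.3p2-gssapi-canohost.patch
@@ -0,0 +1,27 @@
+Symptom: intermittent errors on GSSAPI authentication vs
+machines on DNS loadbalancer, stupid client message "Generic Error",
+server-side debug complains about unknown principal.
+
+Comes from the fact that we resolve the generic DNS name once for
+the connection, then again for getting the GSSAPI/Kerberos service
+ticket. So the service ticket may be for a different host, if
+the DNS alias switches in between the two resolves.
+--- openssh-4.3p2/sshconnect2.c.gss-canohost 2006-11-28 21:58:03.000000000 +0100
++++ openssh-4.3p2/sshconnect2.c 2006-11-30 11:33:14.000000000 +0100
+@@ -485,6 +485,7 @@
+static u_int mech = 0;
+OM_uint32 min;
+int ok = 0;
++ const char* remotehost = get_canonical_hostname(1);
+
+/* Try one GSSAPI method at a time, rather than sending them all at
+* once. */
+@@ -497,7 +498,7 @@
+/* My DER encoding requires length<128 */
+if (gss_supported->elements[mech].length < 128 &&
+ssh_gssapi_check_mechanism(&gssctxt,
+- &gss_supported->elements[mech], authctxt->host)) {
++ &gss_supported->elements[mech], remotehost)) {
+ok = 1; /* Mechanism works */
+} else {
+mech++;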
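Review bot: In the embedded sshconnect2.c hunk at -485, `remotehost = get_canonical_hostname(1)` makes the GSSAPI target name come from a DNS lookup of the peer instead of the name the user asked for (`authctxt->host`), so the Kerberos service principal the client requests and authenticates is selected by DNS data that is not itself authenticated. Where DNS answers can be forged this weakens the server-identity guarantee GSSAPI otherwise provides, and it matters most when credential delegation is enabled. I would keep `authctxt->host` as the default and use the canonical name only behind an explicit client option that defaults to off, e.g. `const char *remotehost = options.gss_trust_dns ? get_canonical_hostname(1) : authctxt->host;` (the option name is a placeholder and would have to be added), with a comment above it stating that the target name is DNS-derived. It is also worth confirming what `get_canonical_hostname()` returns when the lookup fails or the connection is not on a socket (presumably the ProxyCommand case), since that string is passed straight to `ssh_gssapi_check_mechanism`. The enclosing function begins and ends outside the hunk.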
@ -61,7 +61,7 @@
|
||||
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
Version: 4.3p2
|
||||
Release: 13%{?dist}%{?rescue_rel}
|
||||
Release: 14%{?dist}%{?rescue_rel}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
|
||||
@ -98,6 +98,7 @@ Patch45: openssh-4.3p2-cve-2006-4924.patch
|
||||
Patch46: openssh-3.9p1-cve-2006-5051.patch
|
||||
Patch47: openssh-4.3p2-cve-2006-5794.patch
|
||||
Patch48: openssh-4.3p2-pam-session.patch
|
||||
Patch49: openssh-4.3p2-gssapi-canohost.patch
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
|
||||
@ -233,6 +234,7 @@ an X11 passphrase dialog for OpenSSH.
|
||||
%patch46 -p1 -b .sig-no-cleanup
|
||||
%patch47 -p1 -b .verify
|
||||
%patch48 -p1 -b .pam-sesssion
|
||||
%patch49 -p1 -b .canohost
|
||||
|
||||
autoreconf
|
||||
|
||||
@ -477,6 +479,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-14
|
||||
- fix gssapi with DNS loadbalanced clusters (#216857)
|
||||
|
||||
* Tue Nov 28 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-13
|
||||
- improved pam_session patch so it doesn't regress, the patch is necessary
|
||||
for the pam_session_close to be called correctly as uid 0
|
||||
|