From d2767e57683e79d3a7204ebc564e99083c7f191b Mon Sep 17 00:00:00 2001
From: "Jan F. Chadima"
Date: Mon, 2 Nov 2009 11:29:48 +0000
Subject: [PATCH] Repair canohost patch to allow gssapi to work when host is acessed via pipe proxy
---
 openssh-4.3p2-gssapi-canohost.patch | 24 +++++++++++-------------
 openssh.spec | 5 ++++-
 2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/openssh-4.3p2-gssapi-canohost.patch b/openssh-4.3p2-gssapi-canohost.patch
index 190c1dd..2ad07d5 100644
--- a/openssh-4.3p2-gssapi-canohost.patch
+++ b/openssh-4.3p2-gssapi-canohost.patch
@@ -1,22 +1,20 @@
-Symptom: intermittent errors on GSSAPI authentication vs
-machines on DNS loadbalancer, stupid client message "Generic Error",
-server-side debug complains about unknown principal.
-
-Comes from the fact that we resolve the generic DNS name once for
-the connection, then again for getting the GSSAPI/Kerberos service
-ticket. So the service ticket may be for a different host, if
-the DNS alias switches in between the two resolves.
---- openssh-4.3p2/sshconnect2.c.gss-canohost 2006-11-28 21:58:03.000000000 +0100
-+++ openssh-4.3p2/sshconnect2.c 2006-11-30 11:33:14.000000000 +0100
-@@ -485,6 +485,7 @@
+diff -up openssh-5.3p1/sshconnect2.c.canohost openssh-5.3p1/sshconnect2.c
+--- openssh-5.3p1/sshconnect2.c.canohost 2009-03-05 14:58:22.000000000 +0100
++++ openssh-5.3p1/sshconnect2.c 2009-11-02 11:55:00.000000000 +0100
+@@ -542,6 +542,12 @@ userauth_gssapi(Authctxt *authctxt)
 static u_int mech = 0;
 OM_uint32 min;
 int ok = 0;
-+ const char* remotehost = get_canonical_hostname(1);
++ char* remotehost = NULL;
++ const char* canonicalhost = get_canonical_hostname(1);
++ if ( strcmp( canonicalhost, "UNKNOWN" ) == 0 )
++ remotehost = authctxt->host;
++ else
++ remotehost = canonicalhost;

 /* Try one GSSAPI method at a time, rather than sending them all at
 * once. */
-@@ -497,7 +498,7 @@
+@@ -554,7 +560,7 @@ userauth_gssapi(Authctxt *authctxt)
 /* My DER encoding requires length<128 */
 if (gss_supported->elements[mech].length < 128 &&
 ssh_gssapi_check_mechanism(&gssctxt,
diff --git a/openssh.spec b/openssh.spec
index 7fdd463..f93dee8 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -69,7 +69,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.3p1
-Release: 6%{?dist}%{?rescue_rel}
+Release: 7%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshauth.sourceforge.net
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
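Review bot: In the rewritten `userauth_gssapi` hunk of the canohost patch, the name used for the GSSAPI target is still whatever `get_canonical_hostname(1)` returns whenever it is not "UNKNOWN", so the service principal is chosen by name resolution rather than by the host the user asked for, and nothing in the visible lines lets an administrator who does not trust DNS switch that off. That trade-off was explained in the header this commit deletes from the patch file; I would keep a short rationale next to the new lines, e.g. `/* use the canonical name so the ticket matches the host actually connected to; fall back to authctxt->host when there is no socket (proxy pipe) */`. Separately, `remotehost` is declared `char*` but receives `canonicalhost`, a `const char*`, which drops the qualifier; `const char *remotehost = strcmp(canonicalhost, "UNKNOWN") == 0 ? authctxt->host : canonicalhost;` avoids that, assuming `authctxt->host` is const-compatible. The literal `"UNKNOWN"` is presumably the sentinel `get_canonical_hostname` returns when there is no socket; its definition and the call that consumes `remotehost` lie outside the visible lines.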
@@ -521,6 +521,9 @@ fi %endif %changelog +* Mon Nov 2 2009 Jan F. Chadima - 5.3p1-7 +- Repair canohost patch to allow gssapi to work when host is acessed via pipe proxy (#531849) + * Thu Oct 29 2009 Jan F. Chadima - 5.3p1-6 - Modify the init script to prevent it to hang during generating the keys (#515145)