FS#50054 - [openssh] Cannot connect to SSH server using Round Robin DNS with Kerberos
Attached to Project:
Arch Linux
Opened by Konstantin Gizdov (kgizdov) - Friday, 15 July 2016, 17:10 GMT
Last edited by Gaetan Bisson (vesath) - Saturday, 29 October 2016, 19:17 GMT
Opened by Konstantin Gizdov (kgizdov) - Friday, 15 July 2016, 17:10 GMT
Last edited by Gaetan Bisson (vesath) - Saturday, 29 October 2016, 19:17 GMT
|
Details
Description:
Arch's OpenSSH does not support the 'GSSAPITrustDNS' which prevents access to servers utilizing Round Robin DNS and Kerberos. There has been a patch upstream for this issue for many years now (https://bugzilla.mindrot.org/show_bug.cgi?id=1008) and many Linux distributions already implement it (tested on RedHat and derivatives, Debian and derivatives). Many public institutions now make use of Kerberos authentication and have one server that issues tokens and redirects individual connections to other machines based on load. Not having this patch means users essentially cannot connect in many of the cases and in others have to downgrade to SSH v1. Additional info: * package version(s) - OpenSSH 7.2p2-2, krb5 1.13.4-1 * config and/or log files etc. ssh_config: Host domain.com User username GSSAPIAuthentication yes GSSAPIDelegateCredentials yes Steps to reproduce: > kinit username@DOMAIN.COM > ssh -v username@domain.com OpenSSH_7.2p2, OpenSSL 1.0.2h 3 May 2016 debug1: Reading configuration data /home/username/.ssh/config debug1: /home/username/.ssh/config line 1: Applying options for * debug1: /home/username/.ssh/config line 30: Applying options for domain.com debug1: Reading configuration data /etc/ssh/ssh_config debug1: Connecting to domain.com [IP] port 22. debug1: Connection established. debug1: identity file /home/username/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000 debug1: Authenticating to domain.com:22 as 'username' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent debug1: got SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: got SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: ssh-rsa SHA256:9RdZ+nAMvKXztkyuirJrZYSuDSzmF2AGHN/ozPIIaVw debug1: Host 'domain.com' is known and matches the RSA host key. debug1: Found key in /home/username/.ssh/known_hosts:9 debug1: rekey after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: rekey after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Next authentication method: gssapi-with-mic debug1: Delegating credentials debug1: Delegating credentials debug1: An invalid name was supplied <<<<<<<<<<<<<< DNS issue here Success debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/username/.ssh/id_rsa debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Offering RSA public key: username@domain.com debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Offering RSA public key: username@domain.com debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Trying private key: /home/username/.ssh/id_dsa debug1: Trying private key: /home/username/.ssh/id_ecdsa debug1: Trying private key: /home/username/.ssh/id_ed25519 debug1: Next authentication method: keyboard-interactive |
This task depends upon
Closed by Gaetan Bisson (vesath)
Saturday, 29 October 2016, 19:17 GMT
Reason for closing: Won't implement
Saturday, 29 October 2016, 19:17 GMT
Reason for closing: Won't implement
Besides I have not the time nor the interest to maintain patches (in particular the GSSAPI patch) against new upstream releases of openssh.
There is apparently a package on the AUR that does what you are looking for: https://aur.archlinux.org/packages/openssh-gssapi/
This is in my opinion the best place for something like this within the Arch community.
Cheers.