FS#50054 - [openssh] Cannot connect to SSH server using Round Robin DNS with Kerberos

Attached to Project: Arch Linux
Opened by Konstantin Gizdov (kgizdov) - Friday, 15 July 2016, 17:10 GMT
Last edited by Gaetan Bisson (vesath) - Saturday, 29 October 2016, 19:17 GMT
Task Type Support Request
Category Upstream Bugs
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Arch's OpenSSH does not support the 'GSSAPITrustDNS' which prevents access to servers utilizing Round Robin DNS and Kerberos. There has been a patch upstream for this issue for many years now (https://bugzilla.mindrot.org/show_bug.cgi?id=1008) and many Linux distributions already implement it (tested on RedHat and derivatives, Debian and derivatives). Many public institutions now make use of Kerberos authentication and have one server that issues tokens and redirects individual connections to other machines based on load. Not having this patch means users essentially cannot connect in many of the cases and in others have to downgrade to SSH v1.

Additional info:
* package version(s) - OpenSSH 7.2p2-2, krb5 1.13.4-1
* config and/or log files etc.
ssh_config:

Host domain.com
User username
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Steps to reproduce:
> kinit username@DOMAIN.COM
> ssh -v username@domain.com
OpenSSH_7.2p2, OpenSSL 1.0.2h 3 May 2016
debug1: Reading configuration data /home/username/.ssh/config
debug1: /home/username/.ssh/config line 1: Applying options for *
debug1: /home/username/.ssh/config line 30: Applying options for domain.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to domain.com [IP] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to domain.com:22 as 'username'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:9RdZ+nAMvKXztkyuirJrZYSuDSzmF2AGHN/ozPIIaVw
debug1: Host 'domain.com' is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:9
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: An invalid name was supplied <<<<<<<<<<<<<< DNS issue here
Success

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/username/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering RSA public key: username@domain.com
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering RSA public key: username@domain.com
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/username/.ssh/id_dsa
debug1: Trying private key: /home/username/.ssh/id_ecdsa
debug1: Trying private key: /home/username/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive

This task depends upon

Closed by  Gaetan Bisson (vesath)
Saturday, 29 October 2016, 19:17 GMT
Reason for closing:  Won't implement
Comment by Gaetan Bisson (vesath) - Saturday, 29 October 2016, 19:16 GMT
I strive to keep our openssh package as close to vanilla as possible. This is a critical piece of software where deviating from upstream can be a real source of problems.
Besides I have not the time nor the interest to maintain patches (in particular the GSSAPI patch) against new upstream releases of openssh.

There is apparently a package on the AUR that does what you are looking for: https://aur.archlinux.org/packages/openssh-gssapi/
This is in my opinion the best place for something like this within the Arch community.

Cheers.

Loading...