bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-02 11:08 UTC
[Bug 2456] New: gssapi-keyex blocked by PermitRootLogin=without-password
https://bugzilla.mindrot.org/show_bug.cgi?id=2456 Bug ID: 2456 Summary: gssapi-keyex blocked by PermitRootLogin=without-password Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: emassop at google.com The release notes of 7.0 [1] suggest that root-login using GSSAPI should not be affected by the hardening of PermitRootLogin=without-password. (I am aware of the patch in 7.1 for bug 2445.) However, looking at the code [2], it seems that gssapi-keyex is no longer allowed. Is this intended? Last few lines of ssh -vvv, from failure with PermitRootLogin=without-password: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug2: we sent a gssapi-keyex packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug2: we sent a gssapi-with-mic packet, wait for reply Connection closed by ... Last few lines of ssh -vvv, from success with PermitRootLogin=yes: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug2: we sent a gssapi-keyex packet, wait for reply debug1: Authentication succeeded (gssapi-keyex). Authenticated to ... [1] http://www.openssh.com/txt/release-7.0 [2] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth.c.diff?sortby=rev&r1=text&tr1=1.111&r2=text&tr2=1.113 -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-03 01:35 UTC
[Bug 2456] gssapi-keyex blocked by PermitRootLogin=without-password
https://bugzilla.mindrot.org/show_bug.cgi?id=2456 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |WORKSFORME Status|NEW |RESOLVED CC| |djm at mindrot.org --- Comment #1 from Damien Miller <djm at mindrot.org> --- OpenSSH doesn't support gssapi-keyex, that's a third-party patch. Whomever is patching your sshd with it needs to adjust the patch to allow the gssapi-keyex authentication method. See the auth_root_allowed() function in auth.c. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-03 10:44 UTC
[Bug 2456] gssapi-keyex blocked by PermitRootLogin=without-password
https://bugzilla.mindrot.org/show_bug.cgi?id=2456 --- Comment #2 from Erik Massop <emassop at google.com> --- Aha! Thanks a lot, and sorry for wasting your time. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:41 UTC
[Bug 2456] gssapi-keyex blocked by PermitRootLogin=without-password
https://bugzilla.mindrot.org/show_bug.cgi?id=2456 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #3 from Damien Miller <djm at mindrot.org> --- Close all resolved bugs after 7.3p1 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Reasonably Related Threads
- Another request for gss-keyex inclusion
- [Bug 2198] New: GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()
- [Bug 1702] New: PreferredAuthentications setting doesn't work when spaces are used as documented
- intermittent problems obtaining shell with gssapi-with-mic
- Winbind, Kerberos, SSH and Single Sign On