bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-02 11:08 UTC
[Bug 2456] New: gssapi-keyex blocked by PermitRootLogin=without-password
https://bugzilla.mindrot.org/show_bug.cgi?id=2456
Bug ID: 2456
Summary: gssapi-keyex blocked by PermitRootLogin=without-password
Product: Portable OpenSSH
Version: 7.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: emassop at google.com
The release notes of 7.0 [1] suggest that root-login using GSSAPI
should not be affected by the hardening of
PermitRootLogin=without-password. (I am aware of the patch in 7.1 for
bug 2445.) However, looking at the code [2], it seems that gssapi-keyex
is no longer allowed.
Is this intended?
Last few lines of ssh -vvv, from failure with PermitRootLogin=without-password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by ...
Last few lines of ssh -vvv, from success with PermitRootLogin=yes:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentication succeeded (gssapi-keyex).
Authenticated to ...
[1] http://www.openssh.com/txt/release-7.0
[2] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth.c.diff?sortby=rev&r1=text&tr1=1.111&r2=text&tr2=1.113
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-03 01:35 UTC
[Bug 2456] gssapi-keyex blocked by PermitRootLogin=without-password
https://bugzilla.mindrot.org/show_bug.cgi?id=2456
Damien Miller <djm at mindrot.org> changed:
      What    |Removed                     |Added
----------------------------------------------------------------------------
    Resolution|---                         |WORKSFORME
        Status|NEW                         |RESOLVED
            CC|                            |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
OpenSSH doesn't support gssapi-keyex, that's a third-party patch.
Whoever is patching your sshd with it needs to adjust the patch to
allow the gssapi-keyex authentication method. See the
auth_root_allowed() function in auth.c.
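Added example, not part of the thread and not OpenSSH source: a simplified C model of a per-method root-login gate, showing why a method that is absent from the without-password allowlist is refused for root even though it works under PermitRootLogin=yes. All identifiers are hypothetical; the stock list follows the 7.0 release notes (public-key, hostbased and GSSAPI), and the patched list is what a gssapi-keyex patch would need to add.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a per-method root-login gate; not OpenSSH source.
 * All identifiers here are hypothetical. */
enum root_policy { ROOT_NO, ROOT_YES, ROOT_WITHOUT_PASSWORD };

/* Methods the 7.0 release notes keep available to root under
 * without-password: public-key, hostbased and GSSAPI authentication. */
static const char *const stock_methods[] = {
	"publickey", "hostbased", "gssapi-with-mic", NULL
};

/* The list as a gssapi-keyex patch would have to extend it. */
static const char *const patched_methods[] = {
	"publickey", "hostbased", "gssapi-with-mic", "gssapi-keyex", NULL
};

/* Return 1 if root may log in with `method`, 0 if the login is refused.
 * Matching is by exact method name, so a method missing from `allowed`
 * is refused even when the method itself authenticated the user. */
int root_login_allowed(enum root_policy policy, const char *const *allowed,
    const char *method)
{
	if (method == NULL || policy == ROOT_NO)
		return 0;
	if (policy == ROOT_YES)
		return 1;
	for (; *allowed != NULL; allowed++)
		if (strcmp(*allowed, method) == 0)
			return 1;
	return 0;
}

int main(void)
{
	const char *m = "gssapi-keyex";

	printf("yes:                       %d\n",
	    root_login_allowed(ROOT_YES, stock_methods, m));
	printf("without-password, stock:   %d\n",
	    root_login_allowed(ROOT_WITHOUT_PASSWORD, stock_methods, m));
	printf("without-password, patched: %d\n",
	    root_login_allowed(ROOT_WITHOUT_PASSWORD, patched_methods, m));
	return 0;
}
```

Because the gate is an allowlist, a method that nobody added to the list fails closed, which is the refusal seen in the first ssh -vvv trace.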
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-03 10:44 UTC
[Bug 2456] gssapi-keyex blocked by PermitRootLogin=without-password
https://bugzilla.mindrot.org/show_bug.cgi?id=2456
--- Comment #2 from Erik Massop <emassop at google.com> ---
Aha! Thanks a lot, and sorry for wasting your time.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:41 UTC
[Bug 2456] gssapi-keyex blocked by PermitRootLogin=without-password
https://bugzilla.mindrot.org/show_bug.cgi?id=2456
Damien Miller <djm at mindrot.org> changed:
      What    |Removed                     |Added
----------------------------------------------------------------------------
        Status|RESOLVED                    |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release