openssh bugs - Mar 2016 - [Bug 2553] New: 7.2p2 on server breaks GSSAPI with older clients

https://bugzilla.mindrot.org/show_bug.cgi?id=2553

            Bug ID: 2553
           Summary: 7.2p2 on server breaks GSSAPI with older clients
           Product: Portable OpenSSH
           Version: 7.2p1
          Hardware: amd64
                OS: Solaris
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: danmcd at omniti.com

I put 7.2p2 into OmniOS (an illumos distro... you don't call out
illumos yet, so I put it with Solaris for now... you need to fix that)
yesterday.  A GSSAPI user has reported that their GSSAPI authentication
breaks now.  Apparently I'm not the only one seeing it:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817870

I've yet to confirm/deny if a 7.2 client works with a 7.2 server.

One possibly relevant client-side-only pastebin:

http://fpaste.org/340879/81335561/

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2553

--- Comment #1 from Dan McDonald <danmcd at omniti.com> ---
I build with these patches:

https://github.com/omniti-labs/omnios-build/tree/master/build/openssh/patches

(And the commit message is a bit wrong - they are updated for 7.2p2.)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2553

--- Comment #2 from Dan McDonald <danmcd at omniti.com> ---
I build with these patches:

https://github.com/omniti-labs/omnios-build/tree/master/build/openssh/patches

(And the commit message is a bit wrong - they are updated for 7.2p2.)

>>> I've yet to confirm/deny if a 7.2 client works with a 7.2
server.
Confirmed that a 7.2 client works with a 7.2 server.  So perhaps it's a
dropped algorithm?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2553

--- Comment #3 from Dan McDonald <danmcd at omniti.com> ---
Pastebin with successful 7.2 client to 7.2 server session:

http://fpaste.org/340917/13698814/

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2553

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
This:

debug1: Offering GSSAPI proposal:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g=
Isn't OpenSSH. It's a 3rd-party patch that we didn't write and
don't
maintain. You'll have to look to whoever wrote that patch for support.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2553

--- Comment #5 from Dan McDonald <danmcd at omniti.com> ---
(In reply to Damien Miller from comment #4)
> This:
> 
> debug1: Offering GSSAPI proposal:
> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-
> toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g=> 
> Isn't OpenSSH. It's a 3rd-party patch that we didn't write and
don't
> maintain. You'll have to look to whoever wrote that patch for
> support.
Thank you for the clarification, and sorry for the disturbance.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2553

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.