similar to: support authentication indicators in GSSAPI #500

Dear colleagues, Some time ago Alex Bokovoy proposed a patch [1] to implement support authentication indicators in GSSAPI (RFC 6680). This patch got positive feedback both from libssh people and from our team. It also fixes the long-term lack of functionality [2]. May I ask upstream to consider the proposed patch? [1] https://github.com/openssh/openssh-portable/pull/500 [2]

http://bugzilla.mindrot.org/show_bug.cgi?id=1218 Summary: GSSAPI client code permits SPNEGO usage Product: Portable OpenSSH Version: 4.3p2 Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: bitbucket at mindrot.org ReportedBy:

http://bugzilla.mindrot.org/show_bug.cgi?id=1008 simon at sxw.org.uk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |simon at sxw.org.uk ------- Comment #5 from simon at sxw.org.uk 2006-08-19 08:28 ------- There isn't an easy fix for this, at

https://bugzilla.mindrot.org/show_bug.cgi?id=1008 --- Comment #16 from kgizdov <mindrot at kge.pw> --- Apparently, some good Samaritan already made patches compatible with the current version of OpenSSH. There is a package on the Arch User Repo (openssh-gssapi 7.1p2-1) that implements them. Here are the patches themselves:

Hi all, We have 2 mail servers sitting behind linux-HA machines.The mail servers are currently running dovecot 1.0rc2. Looking to enable GSSAPI authentication, I exported krb keytabs for imap/node01.domain at REALM and imap/node02.domain at REALM for both mail servers. However, clients are connecting to mail.domain.com, which results in a mismatch as far as the keytab is concerned (and rightly

hi there I noticed the following behaviour with auth backend pam and "args session=yes *" configuration: - login with "plain": pam session gets opend - login with "gssapi" (kerberos): pam session isn't opend (-> no $HOME will be created) Is this a bug or just a limitation by GSSAPI (maybe gssapi works around PAM)? - Thomas Dovecot Versions seen this: -

This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a FreeBSD 7.2 server, and then spent 3 hours trying to figure out why GSSAPI authentication had broken. It turned out to be a recent change in Dovecot's mech-gssapi.c to do with checking for NULs in usernames: everything worked fine when I disabled that test. <http://hg.dovecot.org/dovecot-1.2/rev/5d53b1d66d1b> This

<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> If your dovecot is recent enough you can use mechanisms setting on passdb block. See https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/ <br> </div> <blockquote type="cite"> <div>

Hello, I have made GSSAPI authentication for PuTTY 0.54. This patch is available here: http://sweb.cz/v_t_m/ Vaclav ____________________________________________________________ Vyzkousejte.. Kontaktni cocky znacky ACUVUE zajistuji vynikajici pohodli, optickou kvalitu a zdravy zpusob noseni kontaktnich cocek. Vice na www.acuvue.cz.

http://bugzilla.mindrot.org/show_bug.cgi?id=928 Summary: Kerberos/GSSAPI authentication does not work with multihomed hosts Product: Portable OpenSSH Version: -current Platform: Other URL: http://marc.theaimsgroup.com/?l=openssh-unix- dev&m=108008882620573 OS/Version: All

Hi there, I am trying to make a paranoid IMAPS/Submission server. I'm running Ubuntu 20.04 with Dovecot 2.3.7.2 (3c910f64b). I mostly use my mail-server from the LAN/Realm where I have GSSAPI working well for both IMAPS and Submission and most other services But... I would like to be able to configure Dovecot to require mobile ("external") devices to authenticate using client

https://bugzilla.mindrot.org/show_bug.cgi?id=928 --- Comment #9 from Darren Tucker <dtucker at zip.com.au> 2010-01-11 17:11:06 EST --- Created an attachment (id=1775) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1775) sshd-gssapi-multihomed.patch I updated patch #1182 to OpenBSD current and fixed a few minor whitespace things. I also removed this warning from the man page:

In the release notes for v1.2.2, Timo said: > Found and fixes several v1.2-specific bugs. Hopefully it's now stable > for most people's usage. > > * GSSAPI: More changes to authentication. Hopefully good now. > What were the GSSAPI changes? I am having problems with _some_ of my users using GSSAPI auth. I am using version 1.2.1. The client (thunderbird) reports that the

http://bugzilla.mindrot.org/show_bug.cgi?id=1008 ------- Additional Comments From dleonard at vintela.com 2005-06-08 22:16 ------- a workaround at http://blog.macnews.de/unspecific/stories/4581/ ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1008 ------- Comment #7 from jan.iven at cern.ch 2006-10-24 02:17 ------- Created an attachment (id=1202) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1202&action=view) (simplified patch - no config option) Given that the GSSAPI library will (unconditionally) use DNS anyway, perhaps we don't need yet another client-side config

http://bugzilla.mindrot.org/show_bug.cgi?id=1008 --- Comment #9 from Simon Wilkinson <simon at sxw.org.uk> 2007-09-15 20:59:25 --- I've noted this on the mailing list too, but just for the record, the simplified patch is incorrect. GSSAPI != Kerberos, and even within the Kerberos space, some vendors ship with canonicalisation disabled. If we are going to ship a workaround for

https://bugzilla.mindrot.org/show_bug.cgi?id=928 Mike Frysinger <vapier at gentoo.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vapier at gentoo.org --- Comment #39 from Mike Frysinger <vapier at gentoo.org> --- Created attachment 2571

https://bugzilla.mindrot.org/show_bug.cgi?id=1008 Colin Watson <cjwatson at debian.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |cjwatson at debian.org --- Comment #15 from Colin Watson <cjwatson at debian.org> --- I think it would make

https://bugzilla.mindrot.org/show_bug.cgi?id=1008 --- Comment #17 from Darren Tucker <dtucker at zip.com.au> --- (In reply to kgizdov from comment #16) > I hope this helps. Not really. Those have a lot of other changes (mostly the GSSAPI key exchange support) and it still uses get_canonical_hostname() which is currently not available in the client. According to Damien reasoning

On Sun, 2020-05-17 at 09:09 +0900, Hiroo Ono (????) via samba wrote: > Hello, > > I am running samba 4.11.8 as Active Directory DC and a member server. > > I wanted to authenticate cyrus-imapd by GSSAPI, and found this > mail > https://lists.samba.org/archive/samba-technical/2013-April/091429.html > > I tried to run the cyrus-imap server on a member server, which has