[Bug 2053146] Re: openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is slightly wrong
ake sandgren
2053146 at bugs.launchpad.net
Mon Feb 19 14:51:11 UTC 2024
We have this in sshd_config
===
Match User root
GSSAPIAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication no
AuthenticationMethods gssapi-keyex gssapi-with-mic
===
Grab a Kerberos root ticket and ssh as root to a node with that config; it will spew out
===
error: Disabled method "gssapi-keyex" in AuthenticationMethods list "gssapi-keyex"
Authentication methods list "gssapi-keyex" contains disabled method, skipping
===
in the syslog.
It's as simple as I can make it.
But as I said before, this is an obvious bug in the patch since it
hasn't been updated to match the change in auth.h.
--
https://bugs.launchpad.net/bugs/2053146
Title:
openssh 8.9p1 for Jammy auth2-gss patch for gssapi-keyex method is
slightly wrong
Status in openssh package in Ubuntu:
Incomplete
Bug description:
The Authmethod struct now has 4 entries but the initialization of
method_gsskeyex in debian/patches/gssapi.patch only has 3
entries.
The struct was changed in upstream commit dbb339f015c33d63484261d140c84ad875a9e548 as
===
@@ -104,7 +104,8 @@ struct Authctxt {
struct Authmethod {
char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
int *enabled;
};
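Review bot: inserting `synonym` as the second member, rather than appending it, moves `userauth` and `enabled` one position down, and a positional `Authmethod` initializer that still lists three values is not rejected for having too few entries; it binds its values to the wrong members instead. It would help to state in the commit message that every method definition, including ones carried in out-of-tree patches, needs both the extra `synonym` entry and a handler with the new `(struct ssh *, const char *)` signature. Designated initializers (`.name = ...`, `.userauth = ...`, `.enabled = ...`) would make such definitions independent of member order.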
===
The incorrect code does
===
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
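Review bot: this initializer gives three positional values to the four-member `struct Authmethod` shown above, so `userauth_gsskeyex` fills `synonym`, `&options.gss_authentication` fills `userauth`, and `enabled` is left zero-initialized (NULL), which fits the "Disabled method" error reported for gssapi-keyex. Add the missing synonym entry, `NULL,` directly after `"gssapi-keyex",`, and check that `userauth_gsskeyex` accepts the new `(struct ssh *, const char *)` arguments. The pointer-type mismatches in this definition are something the compiler should flag, so treating those warnings as errors for this file would catch a repeat.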
===
but should have a NULL between the "gssapi-keyex" string and userauth_gsskeyex.
This is now (change from Focal) causing gssapi-keyex to be disabled.
===
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
===
apt-cache policy openssh-server
openssh-server:
Installed: 1:8.9p1-3ubuntu0.6
Candidate: 1:8.9p1-3ubuntu0.6
Version table:
*** 1:8.9p1-3ubuntu0.6 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-updates/main amd64 Packages
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1:8.9p1-3 500
500 http://faiserver.hpc2n.umu.se/mirrors/ubuntu/ubuntu jammy/main amd64 Packages
===