[Bug 874439] [NEW] canonicalize fallback bug in krb5-user prevents ssh with older KDC

Jeremy Wolcott 874439 at bugs.launchpad.net
Fri Oct 14 17:01:01 UTC 2011


Public bug reported:

Hi,

Upgrading from Natty to Oneiric upgrades krb5-user from version 1.8.3
+dfsg-5ubuntu2.1 to 1.9.1+dfsg-1ubuntu1.  Immediately before the
upgrade, I was able to SSH (to a network that uses an older KDC) using
MIT Kerberos.  Immediately following the upgrade, the connection fails
with the following in the verbose output of SSH:

debug1: Unspecified GSS failure.  Minor code may provide more information
KDC can't fulfill requested option

Googling seems to indicate that this is a known bug in the 1.9.1 series
of the Kerberos library, and that it has been resolved for 1.9.2.
Compare the bug reports in RHL
(https://bugzilla.redhat.com/show_bug.cgi?id=713518) and Archlinux
(https://bugs.archlinux.org/task/25515), which both include a patch.  I
couldn't find any evidence that Debian has moved to 1.9.2--or applied
this patch--yet, but I don't fully understand the mechanics of how
updates trickle down from them.

This is a fairly urgent bug because it completely prevents Kerberized
SSH connection to any nodes using an older KDC.

Thanks.

** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/874439

Title:
  canonicalize fallback bug in krb5-user prevents ssh with older KDC

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/874439/+subscriptions



More information about the Ubuntu-server-bugs mailing list