rpms/openssh
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Repair canohost patch to allow gssapi to work when host is acessed via pipe

Browse Source 
proxy
This commit is contained in:
Jan F. Chadima 2009-11-02 12:56:26 +00:00
parent cd72fea100
commit 22f8c10386
2 changed files with 15 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
openssh-4.3p2-gssapi-canohost.patch
View File

@ -1,22 +1,20 @@
Symptom: intermittent errors on GSSAPI authentication vs diff -up openssh-5.3p1/sshconnect2.c.canohost openssh-5.3p1/sshconnect2.c
machines on DNS loadbalancer, stupid client message "Generic Error", --- openssh-5.3p1/sshconnect2.c.canohost 2009-03-05 14:58:22.000000000 +0100
server-side debug complains about unknown principal. +++ openssh-5.3p1/sshconnect2.c 2009-11-02 11:55:00.000000000 +0100
@@ -542,6 +542,12 @@ userauth_gssapi(Authctxt *authctxt)
Comes from the fact that we resolve the generic DNS name once for
the connection, then again for getting the GSSAPI/Kerberos service
ticket. So the service ticket may be for a different host, if
the DNS alias switches in between the two resolves.
--- openssh-4.3p2/sshconnect2.c.gss-canohost 2006-11-28 21:58:03.000000000 +0100
+++ openssh-4.3p2/sshconnect2.c 2006-11-30 11:33:14.000000000 +0100
@@ -485,6 +485,7 @@
static u_int mech = 0; static u_int mech = 0;
OM_uint32 min; OM_uint32 min;
int ok = 0; int ok = 0;
+ const char* remotehost = get_canonical_hostname(1); + char* remotehost = NULL;
+ const char* canonicalhost = get_canonical_hostname(1);
+ if ( strcmp( canonicalhost, "UNKNOWN" ) == 0 )
+ remotehost = authctxt->host;
+ else
+ remotehost = canonicalhost;
/* Try one GSSAPI method at a time, rather than sending them all at /* Try one GSSAPI method at a time, rather than sending them all at
* once. */ * once. */
@@ -497,7 +498,7 @@ @@ -554,7 +560,7 @@ userauth_gssapi(Authctxt *authctxt)
/* My DER encoding requires length<128 */ /* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 && if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt, ssh_gssapi_check_mechanism(&gssctxt,

5
openssh.spec
View File

@ -63,7 +63,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
Version: 5.2p1 Version: 5.2p1
Release: 30%{?dist}%{?rescue_rel} Release: 31%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -466,6 +466,9 @@ fi
%endif %endif
%changelog %changelog
* Mon Nov 2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-31
- Repair canohost patch to allow gssapi to work when host is acessed via pipe proxy (#531849)
* Thu Oct 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-30 * Thu Oct 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-30
- Modify the init script to prevent it to hang during generating the keys (#515145) - Modify the init script to prevent it to hang during generating the keys (#515145)