diff --git a/openssh-8.7p1-gssapi-auth.patch b/openssh-8.7p1-gssapi-auth.patch
new file mode 100644
index 0000000..6908cad
--- /dev/null
+++ b/openssh-8.7p1-gssapi-auth.patch
@@ -0,0 +1,20 @@
+diff --color -rup a/monitor.c b/monitor.c
+--- a/monitor.c 2022-07-11 15:11:28.146863144 +0200
++++ b/monitor.c 2022-07-11 15:15:35.726655877 +0200
+@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s
+ if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
+ auth_log(ssh, authenticated, partial,
+ auth_method, auth_submethod);
+- if (!partial && !authenticated)
++ if (!partial && !authenticated) {
++#ifdef GSSAPI
++ /* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled.
++ * We have to reenable it to try again for gssapi-keyex */
++ if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex)
++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
++#endif
+ authctxt->failures++;
++ }
+ if (authenticated || partial) {
+ auth2_update_session_info(authctxt,
+ auth_method, auth_submethod);
diff --git a/openssh.spec b/openssh.spec
index 61967bc..7610156 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -236,6 +236,10 @@ Patch1002: openssh-8.7p1-ssh-manpage.patch
 # 6c31ba10e97b6953c4f325f526f3e846dfea647a
 # 322964f8f2e9c321e77ebae1e4d2cd0ccc5c5a0b
 Patch1003: openssh-8.7p1-mem-leak.patch
+# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
+# upstream MR:
+# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
+Patch1004: openssh-8.7p1-gssapi-auth.patch
 License: BSD
 Requires: /sbin/nologin
@@ -428,6 +432,7 @@ popd
 %patch1001 -p1 -b .scp-clears-file
 %patch1002 -p1 -b .ssh-manpage
 %patch1003 -p1 -b .mem-leak
+%patch1004 -p1 -b .gssapi-auth
 %patch100 -p1 -b .coverity
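Review bot: The re-permit in the new `#ifdef GSSAPI` block of the monitor.c patch is gated only on the server option `options.gss_keyex`, so with GSSAPIKeyExchange enabled every failed gssapi-with-mic attempt re-opens `MONITOR_REQ_GSSCHECKMIC` to the unprivileged pre-auth child, whether or not this connection negotiated a GSS key exchange. Because the monitor's permit table is the privilege-separation boundary, the condition would be tighter if it also required that the session actually completed a GSS key exchange. The comment should also record what bounds the retries, for example `/* Re-permitted once per failed gssapi-with-mic attempt; attempts are capped by the failures counter incremented below. */` (presumably enforced through MaxAuthTries, which is worth confirming). It is also worth confirming that the CHECKMIC handler tolerates the GSS context left over from the failed attempt, since that handler is not visible here. `monitor_child_preauth` starts and ends outside this hunk.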
@@ -715,6 +720,8 @@ test -f %{sysconfig_anaconda} && \
 Resolves: rhbz#2033372
 - Fix several memory leaks
 Related: rhbz#2068423
+- Fix gssapi authentication failures
+ Resolves: rhbz#2091023
 * Wed Jun 29 2022 Dmitry Belyavskiy - 8.7p1-10
 - Set minimal value of RSA key length via configuration option