Blame openssh-4.3p2-gssapi-canohost.patch
Symptom: intermittent errors on GSSAPI authentication vs
machines behind a DNS load balancer, stupid client message "Generic Error",
server-side debug complains about unknown principal.
Comes from the fact that we resolve the generic DNS name once for
the connection, then again for getting the GSSAPI/Kerberos service
ticket. So the service ticket may be for a different host, if
the DNS alias switches in between the two resolves.
--- openssh-4.3p2/sshconnect2.c.gss-canohost 2006-11-28 21:58:03.000000000 +0100
+++ openssh-4.3p2/sshconnect2.c 2006-11-30 11:33:14.000000000 +0100
@@ -485,6 +485,7 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char* remotehost = get_canonical_hostname(1);
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
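Review bot: `remotehost` is now the reverse-resolved name of the peer address (`get_canonical_hostname(1)`), and the second hunk passes it to `ssh_gssapi_check_mechanism` in place of the user-supplied `authctxt->host`, so the service principal the client asks a ticket for is chosen by whoever controls the PTR record of the address it connected to; that trade-off deserves a comment at the declaration, e.g. `/* Reverse-resolve the connected peer so the GSSAPI service ticket names the host we actually reached; this trusts the PTR record for that address. */`. The hard-coded `1` always enables the DNS lookup with no client option consulted — if the client has a setting that should govern this, pass it instead of a literal. If the lookup can fail and the helper returns a numeric address or placeholder string rather than a hostname, `ssh_gssapi_check_mechanism` will be probed with that string; that path is not visible here and is worth confirming. `const char* remotehost` should be `const char *remotehost` to match the surrounding declarations. The enclosing function starts before this hunk.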
@@ -497,7 +498,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], remotehost)) {
ok = 1; /* Mechanism works */
} else {
mech++;