openssh 7.4 にアップデートすると、GSSAPIStrictAcceptorCheck のデフォルトが no に戻るため、Kerberos を設定している一部の環境で認証に失敗する
Issue
- アップデートしてからチケットを転送すると、gssapi を行う際に openssh-7.4 接続が終了します。クライアントをデバッグすると、以下のエラーが出力されます。
# ssh -v host.example.com
<snip>
debug1: Enabling compatibility mode for protocol 2.0^M
debug1: Local version string SSH-2.0-OpenSSH_7.4^M
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4^M
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000^M
debug1: Authenticating to host.example.com:22 as 'root'^M
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==^M
debug1: SSH2_MSG_KEXINIT sent^M
debug1: SSH2_MSG_KEXINIT received^M
debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==^M
debug1: kex: host key algorithm: ecdsa-sha2-nistp256^M
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none^M
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none^M
debug1: kex: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== need=64 dh_need=64^M
debug1: kex: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== need=64 dh_need=64^M
debug1: Doing group exchange
^M
debug1: Calling gss_init_sec_context^M
debug1: Delegating credentials^M
ssh_packet_read: Connection closed^M
Environment
- Red Hat Enterprise Linux 7
- openssh-server-7.4p1-12.el7.x86_64
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.
Close
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.