openssh 7.4 にアップデートすると、GSSAPIStrictAcceptorCheck のデフォルトが no に戻るため、Kerberos を設定している一部の環境で認証に失敗する
Issue
- アップデートしてからチケットを転送すると、gssapi を行う際に openssh-7.4 接続が終了します。クライアントをデバッグすると、以下のエラーが出力されます。
# ssh -v host.example.com
<snip>
debug1: Enabling compatibility mode for protocol 2.0^M
debug1: Local version string SSH-2.0-OpenSSH_7.4^M
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4^M
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000^M
debug1: Authenticating to host.example.com:22 as 'root'^M
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==^M
debug1: SSH2_MSG_KEXINIT sent^M
debug1: SSH2_MSG_KEXINIT received^M
debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==^M
debug1: kex: host key algorithm: ecdsa-sha2-nistp256^M
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none^M
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none^M
debug1: kex: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== need=64 dh_need=64^M
debug1: kex: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== need=64 dh_need=64^M
debug1: Doing group exchange
^M
debug1: Calling gss_init_sec_context^M
debug1: Delegating credentials^M
ssh_packet_read: Connection closed^M
Environment
- Red Hat Enterprise Linux 7
- openssh-server-7.4p1-12.el7.x86_64
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.
