GSSAPIStrictAcceptorCheck default reverts to no with openssh 7.4 update, resulting in partial Kerberos configured environments failing to authenticate
Issue
- When forwarding tickets, openssh-7.4 connection is closing/dying when gssapi is attempted after update. Client-side debugging shows the following:
# ssh -v host.example.com
<snip>
debug1: Enabling compatibility mode for protocol 2.0^M
debug1: Local version string SSH-2.0-OpenSSH_7.4^M
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4^M
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000^M
debug1: Authenticating to host.example.com:22 as 'root'^M
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==^M
debug1: SSH2_MSG_KEXINIT sent^M
debug1: SSH2_MSG_KEXINIT received^M
debug1: kex: algorithm: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==^M
debug1: kex: host key algorithm: ecdsa-sha2-nistp256^M
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none^M
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none^M
debug1: kex: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== need=64 dh_need=64^M
debug1: kex: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== need=64 dh_need=64^M
debug1: Doing group exchange
^M
debug1: Calling gss_init_sec_context^M
debug1: Delegating credentials^M
ssh_packet_read: Connection closed^M
Environment
- Red Hat Enterprise Linux 7
- openssh-server-7.4p1-12.el7.x86_64
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.
Close
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.