ssh lacks gssapi support
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Debian) | Fix Released | Unknown | |
openssh (Ubuntu) | Invalid | Medium | Colin Watson |
Bug Description
The ssh client (and the server) lack GSSAPI support. There is a ssh-krb in
Universe, but it's an older version. Really, there's no reason to have a
separate package either - compile/
already gives you the ability to turn GSSAPI support on/off at runtime. GSSAPI
support should be compiled into the main ssh binaries.
In Debian Bug tracker #275472, Colin Watson (cjwatson) wrote : Re: Bug#275472: Support for kerberos in ssh | #1 |
In Debian Bug tracker #275472, Sam Hartman (hartmans) wrote : | #2 |
I'd like to ask that you not enable gssapi support for the ssh
package. The problem is that there is a key exchange method that has
not yet been accepted upstream that you probably want if you want
Kerberos support. Having the ssh package do some but not all of the
desired Kerberos support would be confusing to users.
I'm not sure I know of anyone working on getting this patch accepted
upstream. All the involved parties are just too busy.
The other option is to maintain the key exchange patch as a Debian
local patch. I think that's something to consider for the sarge+1
time frame, but I'd rather see how bad the openssh 3.9 port is before
deciding it will be easy to do and actually trying to convince you
that you want to maintain a patch that large. ;)
Colin Watson (cjwatson) wrote : | #4 |
The last time I asked Sam Hartman (who maintains ssh-krb5, and generally knows
far more about this than I do) about this shortly after OpenSSH 3.9p1 was
released, he said:
"I'd like to ask that you not enable gssapi support for the ssh package. The
problem is that there is a key exchange method that has not yet been accepted
upstream that you probably want if you want Kerberos support. Having the ssh
package do some but not all of the desired Kerberos support would be confusing
to users.
I'm not sure I know of anyone working on getting this patch accepted upstream.
All the involved parties are just too busy."
As such, I have so far refused to enable GSSAPI in the mainstream OpenSSH packages.
If this situation has changed, I'd be happy to enable it, but I'd rather discuss
it in Debian than here, since that's where the relevant experts are. The
appropriate Debian bug is #275472.
In Debian Bug tracker #275472, Stephen Frost (sfrost) wrote : Kerberos keyex in ssh | #5 |
Greetings,
I'd like to follow-up on the idea of maintaining the key exchange
patch as a local Debian patch to openssh. The current key exchange
patch does not introduce any new config options, is much smaller than
the older GSSAPI patches, and patches cleanly against current Debian
sources (4.1p1-6). Debian 4.1p1-6+keyex also plays nicely with
current ssh-krb5 (I've yet to run into any problems running a mixed
environment).
The current keyex patch is available here:
http://
(From: http://
Many thanks,
Stephen
In Debian Bug tracker #275472, Colin Watson (cjwatson) wrote : Bug#275472: fixed in openssh 1:4.2p1-2 | #6 |
Source: openssh
Source-Version: 1:4.2p1-2
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-
to pool/main/
openssh-
to pool/main/
openssh-
to pool/main/
openssh-
to pool/main/
openssh_
to pool/main/
openssh_4.2p1-2.dsc
to pool/main/
ssh-askpass-
to pool/main/
ssh_4.2p1-2_all.deb
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <email address hidden> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 14 Sep 2005 18:28:49 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.2p1-2
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
openssh-
openssh-server - Secure shell server, an rshd replacement
openssh-
ssh - Secure shell client and server (transitional package)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 152657 275472
Changes:
openssh (1:4.2p1-2) unstable; urgency=low
.
* Annotate 1:4.2p1-1 changelog with CVE references.
* Add remaining pieces of Kerberos support (closes: #152657, #275472):
- Add GSSAPI key exchange support from
http://
Frost).
- Build-depend on libkrb5-dev and configure --with-
- openssh-client and openssh-server replace ssh-krb5.
- Update commented-out Kerberos/GSSAPI options in default sshd_config.
- Fix HAVE_GSSAPI_
Files:
387c199fa406a7
5b32000b55374d
54bc09ac5cdbfc
aa75f77b329fb4
Debian Bug Importer (debzilla) wrote : | #7 |
Message-Id: <20041008111844
Date: Fri, 08 Oct 2004 13:18:44 +0200
From: Matthijs Mohlmann <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: Support for kerberos in ssh
Package: ssh
Version: 1:3.8.1p1-8
Severity: wishlist
In newer versions ssh has gssapi-with-mic implemented. When an older
client connects to the new server with a ticket he gets a failure
because the client has only gssapi. It would be nice if ssh were compiled
with gssapi. Then ssh-krb5 can also be merged with ssh. The OpenSSH
developers have merged the kerberos patch with ssh so there is also no
need for an extra package in sid.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C
Versions of packages ssh depends on:
ii adduser 3.59 Add and remove users and groups
ii debconf 1.4.38 Debian configuration management sy
ii dpkg 1.10.23 Package maintenance system for Deb
ii libc6 2.3.2.ds1-17 GNU C Library: Shared libraries an
ii libgssapi1-heimdal 0.6.3-2 Libraries for Heimdal Kerberos
ii libkafs0-heimdal 0.6.3-2 Libraries for Heimdal Kerberos
ii libkrb5-17-heimdal 0.6.3-2 Libraries for Heimdal Kerberos
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7d-5 SSL shared libraries
ii libwrap0 7.6.dbs-6 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-1 compression library - runtime
-- debconf information:
ssh/insecure_
ssh/ssh2_
ssh/user_
* ssh/forward_
ssh/insecure_
ssh/new_config: true
* ssh/use_
* ssh/protocol2_only: true
ssh/encrypted
* ssh/run_sshd: true
* ssh/SUID_client: false
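The failure described in the report above is a method-name mismatch: an older client offers only the `gssapi` userauth method, while a newer server advertises only `gssapi-with-mic`. The following is an added example, not part of the bug thread or of the Debian packaging; it parses the "Authentications that can continue" line that `ssh -v` prints (the sample debug output is constructed, not captured from a real session) and reports which GSSAPI method, if any, both sides share.

```shell
#!/bin/sh
# Added example: detect the gssapi / gssapi-with-mic mismatch from the
# server's advertised userauth methods. Method names are the ones named in
# the bug report; the debug output below is constructed for illustration.

# Read "ssh -v" output on stdin and print the server's comma-separated
# list of methods that can continue (first such line only).
server_methods_from_debug() {
    sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# $1: comma-separated GSSAPI methods the client implements
# $2: comma-separated methods the server advertised
# Prints the first method both sides share (preferring gssapi-with-mic),
# or "none" with exit status 1 when there is no overlap. The "none" case
# is exactly the old-client-against-new-server failure from the report.
gss_method_match() {
    client="$1"
    server="$2"
    for m in gssapi-with-mic gssapi; do
        case ",$client," in *",$m,"*) ;; *) continue ;; esac
        case ",$server," in *",$m,"*) echo "$m"; return 0 ;; esac
    done
    echo none
    return 1
}

# Constructed sample of what a GSSAPI-enabled server causes ssh -v to print.
SAMPLE_DEBUG='debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey'

demo() {
    srv=$(printf '%s\n' "$SAMPLE_DEBUG" | server_methods_from_debug)
    echo "server offers: $srv"
    echo "new client (gssapi-with-mic,gssapi): $(gss_method_match gssapi-with-mic,gssapi "$srv" || true)"
    echo "old client (gssapi only): $(gss_method_match gssapi "$srv" || true)"
}

demo
```

To use it against a live host, pipe `ssh -v user@host 2>&1` into `server_methods_from_debug` and pass the result, together with the method list of the client build you are testing, to `gss_method_match`; a `none` result means the client will fall through to publickey or password even though it holds a valid ticket.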
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Tue, 11 Jan 2005 01:07:01 +0000
From: Colin Watson <email address hidden>
To: Matthijs Mohlmann <email address hidden>, <email address hidden>
Cc: Sam Hartman <email address hidden>, <email address hidden>
Subject: Re: Bug#275472: Support for kerberos in ssh
On Fri, Oct 08, 2004 at 01:18:44PM +0200, Matthijs Mohlmann wrote:
> Package: ssh
> Version: 1:3.8.1p1-8
> Severity: wishlist
>
> In newer versions ssh has gssapi-with-mic implemented. When an older
> client connects to the new server with a ticket he gets a failure
> because the client has only gssapi. It would be nice if ssh were compiled
> with gssapi. Then ssh-krb5 can also be merged with ssh. The OpenSSH
> developers have merged the kerberos patch with ssh so there is also no
> need for an extra package in sid.
Even with OpenSSH 3.9p1 in experimental, the diff to openssh-krb5 seems
to be substantial. Sam, do you know what the current state of having all
this stuff merged upstream is?
Compiling with gssapi involves linking with some extra libraries, at
least one of which is not currently Priority: standard, and that would
inconvenience people who don't use Kerberos who are trying to build
small systems. I'm inclined to think that a separate build is still a
good idea for the moment.
Cheers,
--
Colin Watson [<email address hidden>]
Sean Middleditch (elanthis) wrote : | #12 |
ssh now supports GSSAPI.
This bug should be closed.