Ubuntu
krb5 package

canonicalize fallback bug in krb5-user prevents ssh with older KDC

Bug #874439 reported by chenel
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
krb5 (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Hi,

Upgrading from Natty to Oneiric upgrades krb5-user from version 1.8.3+dfsg-5ubuntu2.1 to 1.9.1+dfsg-1ubuntu1. Immediately before the upgrade, I was able to SSH (to a network that uses an older KDC) using MIT Kerberos. Immediately following the upgrade, the connection fails with the following in the verbose output of SSH:

debug1: Unspecified GSS failure. Minor code may provide more information
KDC can't fulfill requested option

Googling seems to indicate that this is a known bug in the 1.9.1 series of the Kerberos library, and that it has been resolved for 1.9.2. Compare the bug reports in RHL (https://bugzilla.redhat.com/show_bug.cgi?id=713518) and Archlinux (https://bugs.archlinux.org/task/25515), which both include a patch. I couldn't find any evidence that Debian has moved to 1.9.2--or applied this patch--yet, but I don't fully understand the mechanics of how updates trickle down from them.

This is a fairly urgent bug because it completely prevents Kerberized SSH connection to any nodes using an older KDC.

Thanks.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in krb5 (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.