Thanks for the suggestion. But I believe this is a separate issue:
1. As far as I can tell, this issue is related to public key and not gssapi auth method. In the tests I made GSSAPIAuthentication was set to default (i.e. turned off).
2. I have been unable to reproduce it in vanilla OpenSSH releases. Only time I can reproduce it is after patch CVE-2018-15473.patch has been applied.
Further just to check, I have just tried with a vanilla openssh-7.8p1.tar.gz (as identified in https://www.openwall.com/lists/oss-security/2018/08/27/2) and the issue is not present. Also, I broke CVE-2018-15473.patch up and only applied changes that it makes to auth2-pubkey.c (i.e. ignoring that changes to auth2-gss.c) and the issue was present.
Regardless, considering the age of the software and the effort required to property track this down I guess this will be marked as a WontFix issue too.
Thanks for the suggestion. But I believe this is a separate issue:
1. As far as I can tell, this issue is related to public key and not gssapi auth method. In the tests I made GSSAPIAuthentic ation was set to default (i.e. turned off).
2. I have been unable to reproduce it in vanilla OpenSSH releases. Only time I can reproduce it is after patch CVE-2018- 15473.patch has been applied.
Further just to check, I have just tried with a vanilla openssh- 7.8p1.tar. gz (as identified in https:/ /www.openwall. com/lists/ oss-security/ 2018/08/ 27/2) and the issue is not present. Also, I broke CVE-2018- 15473.patch up and only applied changes that it makes to auth2-pubkey.c (i.e. ignoring that changes to auth2-gss.c) and the issue was present.
Regardless, considering the age of the software and the effort required to property track this down I guess this will be marked as a WontFix issue too.