Date:      Thu, 23 May 2013 18:38:02 -0400 (EDT)
From:      Garrett Wollman <wollman@csail.mit.edu>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/178885: openssh-portable upgrade broke GSSAPI keyex with no warning
Message-ID:  <201305232238.r4NMc2dM002066@khavrinen.csail.mit.edu>
Resent-Message-ID: <201305232240.r4NMe5sL073919@freefall.freebsd.org>

>Number:         178885
>Category:       ports
>Synopsis:       openssh-portable upgrade broke GSSAPI keyex with no warning
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 23 22:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Garrett Wollman
>Release:        FreeBSD 9.1-RELEASE amd64
>Organization:
MIT Computer Science & Artificial Intelligence Laboratory
>Environment:
System: FreeBSD khavrinen.csail.mit.edu 9.1-RELEASE FreeBSD 9.1-RELEASE #15 r245182: Tue Jan 8 18:09:56 EST 2013 wollman@khavrinen.csail.mit.edu:/usr/obj/usr/src/sys/KHAVRINEN amd64

>Description:

I upgraded openssh-portable from 5.7 to 6.2 and started getting errors
on ssh_config and sshd_config.  Investigating, I found that the
GSSAPIKeyExchange support had gone missing, and this is not reported
in /usr/ports/UPDATING or elsewhere that I could find.  Large sites
like ours absolutely depend on this functionality (which also includes
rekey-on-ticket-renewal and store-tickets-on-rekey functions to keep
long-running sessions authenticated).

>How-To-Repeat:

Upgrade openssh-portable.  Notice that the GSSAPIKeyExchange parameter
causes config file parsing to error out.

>Fix:

Red Hat forward-ported the patch from 5.7 to 6.2 and with a few
modifications I made theirs work, but I'm not sure what the legal
status of this patch is.  You can find it by searching for
"openssh-6.2p1-gsskex.patch".
>Release-Note:
>Audit-Trail:
>Unformatted:


