Blame openssh-4.3p2-gssapi-canohost.patch
|
|
914284f |
Symptom: intermittent errors on GSSAPI authentication vs
|
|
|
914284f |
machines on DNS loadbalancer, stupid client message "Generic Error",
|
|
|
914284f |
server-side debug complains about unknown principal.
|
|
|
914284f |
|
|
|
914284f |
Comes from the fact that we resolve the generic DNS name once for
|
|
|
914284f |
the connection, then again for getting the GSSAPI/Kerberos service
|
|
|
914284f |
ticket. So the service ticket may be for a different host, if
|
|
|
914284f |
the DNS alias switches in between the two resolves.
|
|
|
914284f |
--- openssh-4.3p2/sshconnect2.c.gss-canohost 2006-11-28 21:58:03.000000000 +0100
|
|
|
914284f |
+++ openssh-4.3p2/sshconnect2.c 2006-11-30 11:33:14.000000000 +0100
|
|
|
914284f |
@@ -485,6 +485,7 @@
|
|
|
914284f |
static u_int mech = 0;
|
|
|
914284f |
OM_uint32 min;
|
|
|
914284f |
int ok = 0;
|
|
|
914284f |
+ const char* remotehost = get_canonical_hostname(1);
|
|
|
914284f |
|
|
|
914284f |
/* Try one GSSAPI method at a time, rather than sending them all at
|
|
|
914284f |
* once. */
|
|
|
914284f |
@@ -497,7 +498,7 @@
|
|
|
914284f |
/* My DER encoding requires length<128 */
|
|
|
914284f |
if (gss_supported->elements[mech].length < 128 &&
|
|
|
914284f |
ssh_gssapi_check_mechanism(&gssctxt,
|
|
|
914284f |
- &gss_supported->elements[mech], authctxt->host)) {
|
|
|
914284f |
+ &gss_supported->elements[mech], remotehost)) {
|
|
|
914284f |
ok = 1; /* Mechanism works */
|
|
|
914284f |
} else {
|
|
|
914284f |
mech++;
|