bin/102205: login failure: ssh + gssapi + dual stacks + packet loss

Mark Andrews Mark_Andrews at
Thu Aug 17 23:50:15 UTC 2006

>Number:         102205
>Category:       bin
>Synopsis:       login failure: ssh + gssapi + dual stacks + packet loss
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 17 23:50:14 GMT 2006
>Originator:     Mark Andrews
>Release:        FreeBSD 6.1-STABLE i386
System: FreeBSD 6.1-STABLE FreeBSD 6.1-STABLE #8: Tue Jul 11 14:48:05 EST 2006 marka at i386


	ssh client, ssh server and kdc are dual stack.

	If, when talking to the kdc, you lose the reply packet ssh will attempt
	to send the same packet to the kdc using the alternate transport.  This
	results in a replay attack being reported and the login failing.

09:27:04.370657 2001:470:1f00:820:208:74ff:fe9f:eeae.1798 > 2001:4f8:3:bb::4.88:  [flowlabel 0x670b8]
09:27:05.378122 > 
09:27:05.551681 > 

	Configure a dual stack kdc and configure a firewall to block the
	replies from the kdc over IPv6.  Attempt to login using gssapi.
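
The failure described in this report, as an added example that is not part of the original report and is not ssh or KDC code: a simplified model of a KDC replay cache keyed only on request content, showing why a byte-identical resend over the other address family is rejected. The class and function names, the request encoding, the 300-second window and the `regenerate` contrast case are all assumptions made for illustration.

```python
import hashlib

CLOCK_SKEW = 300  # seconds a request is remembered (assumed value)

class ToyKDC:
    """Replay cache keyed on request bytes only; the source address is ignored."""
    def __init__(self):
        self.seen = {}  # request digest -> time first seen

    def handle(self, request, src_addr, now):
        # Drop entries that have aged out of the skew window.
        self.seen = {d: t for d, t in self.seen.items() if now - t <= CLOCK_SKEW}
        digest = hashlib.sha256(request).hexdigest()
        if digest in self.seen:
            return "REPLAY"   # same bytes seen before, whatever the transport
        self.seen[digest] = now
        return "OK"

def build_request(principal, timestamp_usec):
    # Stand-in for a timestamp-bearing Kerberos request (not the real encoding).
    return f"{principal}|{timestamp_usec}".encode()

# Constructed addresses from the documentation ranges.
TRANSPORTS = [("inet6", "2001:db8::1"), ("inet", "192.0.2.1")]

def login(kdc, lost_replies, regenerate, now=0.0):
    """Walk the transports in order; return [(family, outcome), ...]."""
    outcomes = []
    ts = 1_000_000
    request = build_request("user@EXAMPLE.ORG", ts)
    for i, (family, addr) in enumerate(TRANSPORTS):
        if i > 0 and regenerate:
            ts += 1  # fresh timestamp, so the request bytes differ
            request = build_request("user@EXAMPLE.ORG", ts)
        verdict = kdc.handle(request, addr, now + i)
        if verdict == "OK" and family in lost_replies:
            outcomes.append((family, "reply-lost"))  # KDC answered, client never saw it
            continue
        outcomes.append((family, verdict))
        break
    return outcomes

if __name__ == "__main__":
    print(login(ToyKDC(), {"inet6"}, regenerate=False))
    print(login(ToyKDC(), {"inet6"}, regenerate=True))
```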

