bin/102205: login failure: ssh + gssapi + dual stacks + packet loss
Mark Andrews
Mark_Andrews at isc.org
Thu Aug 17 23:50:15 UTC 2006
>Number: 102205
>Category: bin
>Synopsis: login failure: ssh + gssapi + dual stacks + packet loss
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 17 23:50:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Mark Andrews
>Release: FreeBSD 6.1-STABLE i386
>Organization:
ISC
>Environment:
System: FreeBSD drugs.dv.isc.org 6.1-STABLE FreeBSD 6.1-STABLE #8: Tue Jul 11 14:48:05 EST 2006 marka at drugs.dv.isc.org:/usr/obj/usr/src/sys/DRUGS i386
>Description:
ssh client, ssh server and kdc are dual stack.
If, when talking to the kdc, you lose the reply packet, ssh will attempt
to send the same packet to the kdc using the alternate transport. This
results in a replay attack being reported and the login failing.
09:27:04.370657 2001:470:1f00:820:208:74ff:fe9f:eeae.1798 > 2001:4f8:3:bb::4.88: [flowlabel 0x670b8]
09:27:05.378122 192.168.191.251.3785 > 204.152.187.4.88:
09:27:05.551681 204.152.187.4.88 > 192.168.191.251.3785:
>How-To-Repeat:
Configure a dual stack kdc and configure a firewall to block the
replies from the kdc over IPv6. Attempt to login using gssapi.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
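
The failure described above, as an added example that is not part of the original report and is not OpenSSH or KDC code: a simplified model of a replay cache keyed on the authenticator fields (client, server, timestamp, microseconds) as RFC 4120 describes. The principal names, the skew value and the "fresh authenticator per attempt" variant are assumptions made for illustration.

```python
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds an authenticator stays in the cache (assumed value)

@dataclass(frozen=True)
class Authenticator:
    client: str
    server: str
    ctime: int   # client timestamp, seconds
    cusec: int   # client timestamp, microseconds

class ReplayCache:
    """Keyed on authenticator fields only; the transport is not part of the key."""
    def __init__(self):
        self.seen = {}

    def check(self, auth, now):
        # Drop entries older than the skew window, then look for a duplicate.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= CLOCK_SKEW}
        if auth in self.seen:
            return "REPLAY"
        self.seen[auth] = now
        return "OK"

def login(transports, reply_lost_on, fresh_per_attempt):
    """Return the KDC's verdict for each attempt the client makes, in order."""
    cache, now, verdicts = ReplayCache(), 1000, []
    # Constructed principal names.
    auth = Authenticator("user@EXAMPLE.ORG", "host/server.example.org@EXAMPLE.ORG", now, 0)
    for attempt, transport in enumerate(transports):
        if fresh_per_attempt and attempt > 0:
            # Rebuild the request so the timestamp differs from the lost attempt.
            auth = Authenticator(auth.client, auth.server, now + attempt, 0)
        verdict = cache.check(auth, now + attempt)
        verdicts.append((transport, verdict))
        if verdict == "OK" and transport not in reply_lost_on:
            break  # reply reached the client, no fallback needed
    return verdicts

if __name__ == "__main__":
    # Constructed scenario matching the report: KDC replies over IPv6 are dropped.
    print(login(["ipv6", "ipv4"], {"ipv6"}, fresh_per_attempt=False))
    print(login(["ipv6", "ipv4"], {"ipv6"}, fresh_per_attempt=True))
```

In the model the KDC accepted the IPv6 request before its reply was lost, so the byte-identical retry over IPv4 is indistinguishable from a replay.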