ports/178885: openssh-portable upgrade broke GSSAPI keyex with no warning
Garrett Wollman
wollman at csail.mit.edu
Thu May 23 22:40:05 UTC 2013
>Number: 178885
>Category: ports
>Synopsis: openssh-portable upgrade broke GSSAPI keyex with no warning
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu May 23 22:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Garrett Wollman
>Release: FreeBSD 9.1-RELEASE amd64
>Organization:
MIT Computer Science & Artificial Intelligence Laboratory
>Environment:
System: FreeBSD khavrinen.csail.mit.edu 9.1-RELEASE FreeBSD 9.1-RELEASE #15 r245182: Tue Jan 8 18:09:56 EST 2013 wollman at khavrinen.csail.mit.edu:/usr/obj/usr/src/sys/KHAVRINEN amd64
>Description:
I upgraded openssh-portable from 5.7 to 6.2 and started getting errors
on ssh_config and sshd_config. Investigating, I found that the
GSSAPIKeyExchange support had gone missing, and this is not reported
in /usr/ports/UPDATING or elsewhere that I could find. Large sites
like ours absolutely depend on this functionality (which also includes
rekey-on-ticket-renewal and store-tickets-on-rekey functions to keep
long-running sessions authenticated).
>How-To-Repeat:
Upgrade openssh-portable. Notice that the GSSAPIKeyExchange parameter
causes config file parsing to error out.
>Fix:
Red Hat forward-ported the patch from 5.7 to 6.2 and with a few
modifications I made theirs work, but I'm not sure what the legal
status of this patch is. You can find it by searching for
"openssh-6.2p1-gsskex.patch".
>Release-Note:
>Audit-Trail:
>Unformatted:
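A pre-upgrade check for the failure described in this report, as an added example that is not part of the original PR or of the port: it lists active directives in an ssh_config or sshd_config that only parse when the GSSAPI key-exchange patch is built in. GSSAPIKeyExchange is the keyword named in the report; the other two keyword names, the function names and the sample file are assumptions of this example.

```shell
#!/bin/sh
# GSSAPIKeyExchange comes from the report. The other two names are assumed to
# be the patch keywords for rekey-on-ticket-renewal and store-tickets-on-rekey.
GSSKEX_KEYWORDS="gssapikeyexchange gssapirenewalforcesrekey gssapistorecredentialsonrekey"

# find_gsskex FILE: print "FILE:LINE: directive" for every active use.
# Keywords are case-insensitive and may be written "Key value" or "Key=value".
# Exit status is 0 when at least one directive is found, 1 otherwise.
find_gsskex() {
    awk -v kws="$GSSKEX_KEYWORDS" -v f="$1" '
        BEGIN { n = split(kws, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # drop leading indentation
            if (line == "" || line ~ /^#/) next   # skip blanks and comments
            kw = line
            sub(/[ \t=].*$/, "", kw)              # keep only the keyword
            kw = tolower(kw)
            if (kw in want) { printf "%s:%d: %s\n", f, NR, line; hits++ }
        }
        END { exit(hits > 0 ? 0 : 1) }
    ' "$1"
}

# write_sample FILE: constructed sshd_config fragment used for the demo below.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real site configuration
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
#GSSAPIStoreCredentialsOnRekey yes
  gssapistorecredentialsonrekey=yes
EOF
}

# Demo: lines 3 and 5 of the sample are reported; the stock
# GSSAPIAuthentication option and the commented-out line are not.
demo_file=$(mktemp)
write_sample "$demo_file"
find_gsskex "$demo_file"
rm -f "$demo_file"
```

Run `find_gsskex` against the real client and server configuration files before upgrading; any output means the new build must carry the key-exchange patch or the directives must be removed first.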