Debian Bug report logs - #817870
openssh-server: GSSAPIKeyExchange is broken

Package: openssh-server; Maintainer for openssh-server is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-server is src:openssh.

Reported by: Gábor <gombasg@digikabel.hu>

Date: Fri, 11 Mar 2016 07:06:02 UTC

Severity: normal

Found in version openssh/1:7.2p2-1

Fixed in version openssh/1:7.2p2-2

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#817870; Package openssh-server. (Fri, 11 Mar 2016 07:06:05 GMT)


Acknowledgement sent to Gábor <gombasg@digikabel.hu>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Fri, 11 Mar 2016 07:06:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Gábor <gombasg@digikabel.hu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh-server: GSSAPIKeyExchange is broken
Date: Fri, 11 Mar 2016 07:36:24 +0100
Package: openssh-server
Version: 1:7.2p2-1
Severity: normal

Dear Maintainer,

After upgrading to 7.2, GSSAPIKeyExchange no longer works:

debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1p2 Debian-2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Debian-1
debug1: match: OpenSSH_7.2p2 Debian-1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to host:22 as 'user'
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: Doing group exchange

debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
Disconnecting: Hash's MIC didn't verify

Turning off GSSAPIKeyExchange allows me to log in. The other direction (7.2
client, 7.1 server) works as expected. The same version of Kerberos libraries
are used on both sides.

Gabor

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (102, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.4 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.58
ii  dpkg                   1.18.4
ii  init-system-helpers    1.29
ii  libaudit1              1:2.4.5-1+b1
ii  libc6                  2.22-2
ii  libcomerr2             1.42.13-1
ii  libgssapi-krb5-2       1.13.2+dfsg-5
ii  libkrb5-3              1.13.2+dfsg-5
ii  libpam-modules         1.1.8-3.2
ii  libpam-runtime         1.1.8-3.2
ii  libpam0g               1.1.8-3.2
ii  libselinux1            2.4-3+b1
ii  libssl1.0.2            1.0.2g-1
ii  libsystemd0            229-2
ii  libwrap0               7.6.q-25
ii  lsb-base               9.20160110
ii  openssh-client         1:7.2p2-1
ii  openssh-sftp-server    1:7.2p2-1
ii  procps                 2:3.3.11-3
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  6.0+20160213-1
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/permit-root-login: false



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Mon, 21 Mar 2016 12:39:19 GMT)


Notification sent to Gábor <gombasg@digikabel.hu>:
Bug acknowledged by developer. (Mon, 21 Mar 2016 12:39:19 GMT)


Message #10 received at 817870-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 817870-close@bugs.debian.org
Subject: Bug#817870: fixed in openssh 1:7.2p2-2
Date: Mon, 21 Mar 2016 12:37:28 +0000
Source: openssh
Source-Version: 1:7.2p2-2

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 817870@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 21 Mar 2016 12:08:55 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.2p2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 817870
Changes:
 openssh (1:7.2p2-2) unstable; urgency=medium
 .
   * Fix kexgss_server to cope with DH_GRP_MIN/DH_GRP_MAX being stricter on
     the server end than the client (thanks, Damien Miller; closes: #817870,
     LP: #1558576).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Apr 2016 07:36:18 GMT)
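
An added illustration (not code from OpenSSH or from the Debian patch) of how a server limit stricter than the client's request can lead to the client's "Hash's MIC didn't verify": in the GSS group-exchange hash of RFC 4462 the client's min, n and max are inputs, so a server that hashes its own clamped limits produces a MIC over a different H. The 2048/8192 limits, the 1024-bit client minimum, the transcript values, all helper names and the HMAC standing in for the GSS MIC are assumptions made for the example.

```python
import hashlib
import hmac
import struct

DH_GRP_MIN, DH_GRP_MAX = 2048, 8192  # assumed server-side limits (constructed)

def u32(n):
    return struct.pack(">I", n)

def string(b):
    return u32(len(b)) + b

def mpint(n):
    # SSH mpint for a positive integer: big-endian, leading zero if high bit set
    return string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def exchange_hash(gmin, nbits, gmax, t):
    """H for gss-gex-sha1; min, n and max are hashed as they went on the wire."""
    blob = b"".join([string(t["V_C"]), string(t["V_S"]), string(t["I_C"]),
                     string(t["I_S"]), string(t["K_S"]),
                     u32(gmin), u32(nbits), u32(gmax),
                     mpint(t["p"]), mpint(t["g"]), mpint(t["e"]),
                     mpint(t["f"]), mpint(t["K"])])
    return hashlib.sha1(blob).digest()

def mic(ctx_key, h):
    # Stand-in for gss_get_mic(): a keyed MAC under the established GSS context
    return hmac.new(ctx_key, h, hashlib.sha256).digest()

def server_mic(cmin, nbits, cmax, t, ctx_key, hash_clamped):
    # The server may narrow the range it uses to choose a group ...
    smin, smax = max(DH_GRP_MIN, cmin), min(DH_GRP_MAX, cmax)
    # ... but H has to cover the values the client actually sent.
    hmin, hmax = (smin, smax) if hash_clamped else (cmin, cmax)
    return mic(ctx_key, exchange_hash(hmin, nbits, hmax, t))

def client_verifies(cmin, nbits, cmax, t, ctx_key, received_mic):
    expected = mic(ctx_key, exchange_hash(cmin, nbits, cmax, t))
    return hmac.compare_digest(expected, received_mic)

# Constructed transcript: toy numbers, not a real DH group or session.
T = {"V_C": b"SSH-2.0-client", "V_S": b"SSH-2.0-server", "I_C": b"kexinit-c",
     "I_S": b"kexinit-s", "K_S": b"", "p": 0xFFFFFFFB, "g": 2,
     "e": 0x1234, "f": 0x5678, "K": 0x9ABC}
KEY = b"constructed-gss-context-key"
CLIENT = (1024, 2048, 8192)  # constructed client request: min below DH_GRP_MIN

def run(hash_clamped):
    return client_verifies(*CLIENT, T, KEY,
                           server_mic(*CLIENT, T, KEY, hash_clamped))
```

`run(True)` models a server that hashes its clamped limits and fails verification; `run(False)` hashes the client's own values and verifies.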

