[Bug 1008] GSSAPI authentication fails with Round Robin DNS hosts

bugzilla-daemon at bugzilla.mindrot.org
Sat Sep 15 20:59:29 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1008





--- Comment #9 from Simon Wilkinson <simon at sxw.org.uk>  2007-09-15 20:59:25 ---
I've noted this on the mailing list too, but just for the record, 
the simplified patch is incorrect. GSSAPI != Kerberos, and even
within the Kerberos space, some vendors ship with
canonicalisation disabled.

If we are going to ship a workaround for this issue (and we 
should), it has to be configurable, and default to 'off', so
users get the current behaviour unless they specifically
request that we trust the DNS.

I'll look into porting my patch across to the OpenBSD codebase.

