[Bug 2456] New: gssapi-keyex blocked by PermitRootLogin=without-password

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Sep 2 21:08:42 AEST 2015 

https://bugzilla.mindrot.org/show_bug.cgi?id=2456

            Bug ID: 2456
           Summary: gssapi-keyex blocked by
                    PermitRootLogin=without-password
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: emassop at google.com

The release notes of 7.0 [1] suggest that root-login using GSSAPI
should not be affected by the hardening of
PermitRootLogin=without-password. (I am aware of the patch in 7.1 for
bug 2445.) However, looking at the code [2], it seems that gssapi-keyex
is no longer allowed.

Is this intended?


Last few lines of ssh -vvv, from failure with
PermitRootLogin=without-password:

debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred
gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred:
gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by ...


Last few lines of ssh -vvv, from success with PermitRootLogin=yes:

debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred
gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentication succeeded (gssapi-keyex).
Authenticated to ...



[1] http://www.openssh.com/txt/release-7.0
[2]
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth.c.diff?sortby=rev&r1=text&tr1=1.111&r2=text&tr2=1.113

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list