OpenSSH v3.8p1 fails to interoperate for GSSAPI (Kerberos) and X-Windows

Damien Miller djm at mindrot.org
Tue May 25 10:11:48 EST 2004


Jim Carter wrote:

> Versions: openssh-3.8p1-33, heimdal-0.6.1rc3-51, XFree86-4.3.99.902-40,
> tk-8.4.6-37, all from SuSE 9.1 (unhacked); back-version peers have
> openssh-3.5p1, XFree86-4.3.0-115, etc. from SuSE 8.2.
> 
> Symptoms:  
> 
> 1.  When the client and server versions are unequal, the Kerberos ticket
> is not accepted for authentication.  All the clients have
> PreferredAuthentications gssapi-with-mic, gssapi, others.

openssh-3.5 never included GSSAPI authentication. You must be using a
distribution or 3rd party patch.

> 2.  When ForwardX11 is true (ssh -X switch), ForwardX11Trusted is at its
> default value (false), the client is 3.8p1, and the server is 3.5p1,
> most X Window System clients work OK, but the following fail with the
> indicated obscure error messages:
>
>     xmag        BadDrawable (infinite loop of this error)
>     xwd         BadWindow
>     xcalc       (intermittent; sorry, didn't write down the code)
>     tcl/tk apps BadAtom doing X_GetProperty for 0x1a0 = InterpRegistry.
>                 To demonstrate, it's sufficient to do "wish" with no
>                 script.

http://www.openssh.com/faq.html#3.13

> Sometime between 2003-09-12 and the present, a draft RFC:
>     http://www.vandyke.com/technology/draft-ietf-secsh-gsskeyex.txt
> was issued defining gssapi-with-mic, which resists certain "man in the
> middle" attacks. v3.8p1 does only gssapi-with-mic; versions up to v3.7
> do only old-style gssapi.  There appears to be no ./configure switch to
> turn on gssapi-without-mic at compile time in v3.8.  The resulting lack
> of interoperability fully explains the symptoms seen.  There is no
> workaround.

We won't include support for a deprecated exchange with known
security problems. The only release (3.7) that included support for
the "gssapi" (i.e. without MIC) included the following text in the
release notes:

>     - This release contains some GSSAPI user authentication support
>       to replace legacy KerberosV authentication support. At present
>       this code is still considered experimental and SHOULD NOT BE
>       USED.

I'm told that Simon Wilkinson has patches to add the old gssapi
(no MIC) exchange back for people who need it, but I can't see it on
his site: http://www.sxw.org.uk/computing/patches/openssh.html

The GSSAPI issue wouldn't have caused you as much pain if your Linux
vendor hadn't added support for an unfinished protocol. Most other
Linux vendors did the right thing and made the patch available as a
compile-time option, or as a clearly labelled separate package.

If this same vendor is not providing you with the necessary support to
retain compatibility with their previous versions, then you should
probably go and yell at them :)

-d
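Why the MIC matters, as an added illustration that is not part of the thread and not OpenSSH's own code: per RFC 4462 (the published form of the gsskeyex draft cited above), the "gssapi-with-mic" client computes a MIC over the SSH session identifier plus the userauth request fields, so a GSS context that was merely relayed through an intermediary with a different session identifier fails verification, whereas the old "gssapi" method had no such binding. GSS_GetMIC is stood in for by an HMAC keyed with a constructed context key; the session identifiers, user name and key are constructed.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 length prefix + bytes, RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def mic_input(session_id: bytes, user: str,
              service: str = "ssh-connection") -> bytes:
    """Bytes the MIC covers for gssapi-with-mic (RFC 4462 section 3.5)."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"gssapi-with-mic"))


def gss_get_mic(context_key: bytes, data: bytes) -> bytes:
    # Stand-in for GSS_GetMIC over the established context (assumption:
    # a real implementation uses the context's negotiated integrity key).
    return hmac.new(context_key, data, hashlib.sha256).digest()


def make_userauth_mic(context_key: bytes, session_id: bytes, user: str) -> bytes:
    return gss_get_mic(context_key, mic_input(session_id, user))


def verify_userauth_mic(context_key: bytes, session_id: bytes,
                        user: str, mic: bytes) -> bool:
    expected = gss_get_mic(context_key, mic_input(session_id, user))
    return hmac.compare_digest(expected, mic)


def demo() -> tuple:
    """Returns (accepted on the genuine session, accepted on a relayed session)."""
    key = b"constructed-gss-context-key"            # constructed
    sid_client = hashlib.sha256(b"client<->server H").digest()  # constructed
    sid_relayed = hashlib.sha256(b"relay<->server H").digest()  # constructed
    mic = make_userauth_mic(key, sid_client, "jimc")
    # Same context key (tokens relayed unchanged), but the server's session
    # identifier differs from the one the client signed: MIC check fails.
    return (verify_userauth_mic(key, sid_client, "jimc", mic),
            verify_userauth_mic(key, sid_relayed, "jimc", mic))
```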