Package: ssh-krb5 Version: 3.8.1p1-7sarge1 Severity: normal Tags: patch GSSAPI authentication insists on doing a second DNS lookup when trying to figure what credentials to get, instead of using the IP of the currently-connected server. For quickly-changing replies (e.g. Round-Robin loadbalancing over DNS), this leads to getting a service ticket for the wrong host.
This is filed in upstream openssh as http://bugzilla.mindrot.org/show_bug.cgi?id=1008 and includes patches (one simple, one more elaborate). Given that these have been lingering for a while, please consider patching the Debian version... our users really are affected by this. TIA Jan -- System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.6.12.6-xen Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages ssh-krb5 depends on: ii adduser 3.63 Add and remove users and groups ii debconf 1.4.30.13 Debian configuration management sy ii libc6 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an ii libcomerr2 1.37-2sarge1 common error description library ii libkrb53 1.3.6-2sarge3 MIT Kerberos runtime libraries ii libpam-runtime 0.76-22 Runtime support for the PAM librar ii libpam0g 0.76-22 Pluggable Authentication Modules l ii libssl0.9.7 0.9.7e-3sarge4 SSL shared libraries ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime -- debconf information excluded -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]