Bug#779368: icedove: LDAP and GSSAPI silently failing with protocol violation

2015-02-27 Thread Alfred Karl Kornel
Package: icedove
Version: 31.4.0-1~deb7u1
Severity: normal

Hello!

I am having an issue with icedove and LDAP/GSSAPI.

I am trying to connect Icedove to our organization's LDAP server.  In order to 
get access to non-public information (like phone numbers and email addresses), 
I need to use GSSAPI for authentication (simple binding is not supported).

I am able to do GSSAPI authentication with the `ldapsearch` command, so I know 
that my Kerberos credentials are OK.

I am attaching a packet capture, showing the attempted bind, and the failure.  
Wireshark reports that the bind is failing with the following error:

generic failure: protocol violation: client requested invalid layer

Please let me know if you need any more info!


-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages icedove depends on:
ii  debianutils               4.3.2
ii  fontconfig                2.9.0-7.1
ii  libasound2                1.0.25-4
ii  libatk1.0-0               2.4.0-2
ii  libc6                     2.13-38+deb7u8
ii  libcairo2                 1.12.2-3
ii  libdbus-1-3               1.6.8-1+deb7u6
ii  libdbus-glib-1-2          0.100.2-1
ii  libevent-2.0-5            2.0.19-stable-3+deb7u1
ii  libffi5                   3.0.10-3
ii  libfontconfig1            2.9.0-7.1
ii  libfreetype6              2.4.9-1.1
ii  libgcc1                   1:4.7.2-5
ii  libgdk-pixbuf2.0-0        2.26.1-1
ii  libglib2.0-0              2.33.12+really2.32.4-5
ii  libgtk2.0-0               2.24.10-2
ii  libhunspell-1.3-0         1.3.2-4
ii  libpango1.0-0             1.30.0-1
ii  libpixman-1-0             0.26.0-4+deb7u1
ii  libsqlite3-0              3.7.13-1+deb7u1
ii  libstartup-notification0  0.12-1
ii  libstdc++6                4.7.2-5
ii  libx11-6                  2:1.5.0-1+deb7u1
ii  libxext6                  2:1.3.1-2+deb7u1
ii  libxrender1               1:0.9.7-1+deb7u1
ii  libxt6                    1:1.1.3-1+deb7u1
ii  psmisc                    22.19-1+deb7u1
ii  zlib1g                    1:1.2.7.dfsg-13

Versions of packages icedove recommends:
ii  myspell-en-us [myspell-dictionary]  1:3.3.0-4

Versions of packages icedove suggests:
ii  fonts-lyx 2.0.3-3
ii  libglib2.0-0  2.33.12+really2.32.4-5
ii  libgssapi-krb5-2  1.10.1+dfsg-5+deb7u3

-- no debconf information


icedove_packets.pcap
Description: application/vnd.tcpdump.pcap


Bug#777549: openssh-client: Setting KexAlgorithms disables GSSAPIKeyExchange

2015-02-09 Thread Alfred Karl Kornel
Package: openssh-client
Version: 1:6.0p1-4+deb7u2
Severity: normal

Good morning!

I am reporting an issue that I have discovered in Debian's OpenSSH package: 
It appears that setting GSSAPIKeyExchange overrides the KexAlgorithms setting.

The group I am in (Authentication  Collaboration Solutions, part of Stanford
IT) relies heavily on Kerberos: It is our policy to not allow our group 
members to enter passwords in remote sites, with few exceptions.

As a new employee in our group, I have been updating our internal 
documentation that documents how we use SSH.  Part of that includes making a 
standard OpenSSH client configuration for other new employees to use.  One of 
the items in this configuration is to enable GSSAPI key exchange, and also to 
disable certain key-exchange algorithms.

The problem I found is, if I explicitly set KexAlgorithms, that essentially 
turns off GSSAPIKeyExchange.  Looking at debug logs, OpenSSH does not even try 
to use GSSAPI key exchange, which makes me think that setting KexAlgorithms 
somehow overrides whatever changes GSSAPIKeyExchange is trying to make.

I'm going to try reproducing this problem in openssh 6.7p1-3, just to make 
sure the problem still exists there; I'll report back when I'm able to 
reproduce.


-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-client depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.15
ii  libc6                  2.13-38+deb7u7
ii  libedit2               2.11-20080614-5
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u2
ii  libselinux1            2.1.9-5
ii  libssl1.0.0            1.0.1e-2+deb7u14
ii  passwd                 1:4.1.5.1-1
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  xauth                    1:1.0.7-1

Versions of packages openssh-client suggests:
pn  keychain      none
pn  libpam-ssh    none
pn  monkeysphere  none
pn  ssh-askpass   none

-- Configuration Files:
/etc/ssh/ssh_config changed [not included]

-- no debconf information
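
The check described in the report above (whether the client even tries GSSAPI key exchange) can be read off the client's own key-exchange proposal in the debug log. This is an added example, not part of the original report or of OpenSSH; the debug-line prefixes it matches and the sample log lines, including the `EXAMPLEMECHID==` suffix, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: does an `ssh -vv` debug log show GSSAPI key-exchange
# methods (names starting with "gss-") in the client's KEXINIT proposal?
# Assumption: the first proposal line logged is the client's key-exchange
# list, printed as "debug2: kex_parse_kexinit: <list>" by older releases
# or "debug2: KEX algorithms: <list>" by newer ones.

# Print the client's key-exchange list (first matching line) from stdin.
client_kex_list() {
    sed -n -e 's/^debug2: kex_parse_kexinit: //p' \
           -e 's/^debug2: KEX algorithms: //p' | head -n 1
}

# Exit 0 if any method in the comma-separated list on stdin starts with "gss-".
has_gss_kex() {
    tr ',' '\n' | grep -q '^gss-'
}

# Read a debug log on stdin and print one verdict line.
check_log() {
    if client_kex_list | has_gss_kex; then
        echo "gss-kex-offered"
    else
        echo "gss-kex-missing"
    fi
}

# Constructed sample logs (not taken from the bug report).
# LOG_DEFAULT: client proposal that still contains gss-* methods.
LOG_DEFAULT='debug1: Connecting to host.example port 22.
debug2: kex_parse_kexinit: gss-gex-sha1-EXAMPLEMECHID==,gss-group14-sha1-EXAMPLEMECHID==,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss'

# LOG_RESTRICTED: client proposal holding only the explicitly listed methods.
LOG_RESTRICTED='debug1: Connecting to host.example port 22.
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss'

printf '%s\n' "$LOG_DEFAULT" | check_log     # gss-kex-offered
printf '%s\n' "$LOG_RESTRICTED" | check_log  # gss-kex-missing

# On a real client: ssh -vv <host> true 2>&1 | check_log
```
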

