Package: openssh-client
Version: 1:9.4p1-1
Severity: wishlist

Hey there.

I've recently filed:
https://github.com/openssh-gsskex/openssh-gsskex/issues/24
(not sure whether this is actually the current upstream, if there's any at all, of Debian's GSSAPI patch).

In short, the problem is that the current patch doesn't work well when one uses Kerberos with multiple realms (or perhaps even multiple principals within one realm). More details at the link above.

I've now seen that there may even already be a solution for that.
https://github.com/openssh-gsskex/openssh-gsskex/commit/d26622b7e0f2a9752cb8acb595d0265bd03aee0d
mentions various other patches:

> [2] https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-kuserok.patch
> [3] https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-GSSAPIEnablek5users.patch
> [4] https://bugzilla.mindrot.org/show_bug.cgi?id=2775

[4] reads as if it would be what I'm looking for. Not sure whether Debian would benefit from [2] and [3].

Fedora seem to have a different patch for this:
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-gssapi-new-unique.patch

I have no idea about the security of these patches ;-)

Do you think it would be possible to merge one of them?

Thanks,
Chris.