https://bugzilla.mindrot.org/show_bug.cgi?id=3978

            Bug ID: 3978
           Summary: `sshd_config`: GSSAPI directives renamed/broken in
                    10.4 (`GSSAPIAuthentication` → `GssAuthentication`
                    etc.), rejected with "Bad configuration option"
           Product: Portable OpenSSH
           Version: 10.4p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: [email protected]
          Reporter: [email protected]

Environment:
- OpenSSH 10.4p1 (portable), built from clean upstream source
(openssh-10.4p1.tar.gz)
- ./configure --with-kerberos5=/usr --with-pam ... (GSSAPI enabled,
confirmed via
  "checking for gssapi support... yes")
- Ubuntu 22.04 build host, MIT Kerberos (libkrb5-dev)
- Working fine on 10.3p1 with identical build flags/environment —
regression appeared
  exclusively after bumping to 10.4p1

Description:

After upgrading from 10.3p1 to 10.4p1 with no sshd_config changes, sshd
fails on every
connection (re-exec on accept) with:

```
sshd[PID]: error: /etc/ssh/sshd_config: line 25: Bad configuration
option: GSSAPIStrictAcceptorCheck
sshd[PID]: error: /etc/ssh/sshd_config: line 26: Bad configuration
option: GSSAPICleanupCredentials
sshd[PID]: error: /etc/ssh/sshd_config: line 53: Bad configuration
option: GSSAPIAuthentication
sshd[PID]: fatal: /etc/ssh/sshd_config line 53: Directive
'GSSAPIAuthentication' is not allowed within a Match block
```

Client side: "kex_exchange_identification: read: Connection reset by
peer" on every new
connection — the process aborts before sending the SSH banner. Existing
sessions are
unaffected until they disconnect and reconnect (config is re-parsed on
each re-exec).

The error is sBadOption ("Bad configuration option"), not sUnsupported
("Unsupported
option") — the parser doesn't recognize the token at all. This is not a
compiled-without-GSSAPI situation (that hits sUnsupported and only
warns) — it's a
genuine parse-table regression.

Root cause:

servconf.h's X-macro table for the GSSAPI group
(SSHD_CONFIG_ENTRIES_GSS) generates the
public config-token string from the macro's enum-name argument via
SSHCONF_KW(conf,flags) { #conf, s##conf, flags }. Every other directive
in the X-macro
schema passes the full config token as that argument (e.g.
PasswordAuthentication,
PubkeyAuthentication). The GSSAPI group instead passes the abbreviated
internal enum
name:

  Directive                     Expected token                 Actual
generated token
  GSSAPIAuthentication          GSSAPIAuthentication           
GssAuthentication
  GSSAPICleanupCredentials      GSSAPICleanupCredentials        
GssCleanupCreds
  GSSAPIDelegateCredentials     GSSAPIDelegateCredentials       
GssDelegateCreds
  GSSAPIStrictAcceptorCheck     GSSAPIStrictAcceptorCheck       
GssStrictAcceptor

i.e. the internal/abbreviated identifier leaked into the public
sshd_config keyword
surface. Any existing sshd_config using the documented GSSAPI*
directive names breaks
outright on 10.4, with no deprecation warning or migration path — a
hard parse error
(fatal when the directive is inside a Match block, as GSSAPI directives
commonly are
for selective Kerberos auth).

Compared 10.3p1 vs 10.4p1 upstream source directly:
- servconf.c (10.3p1, static table): { "gssapiauthentication",
sGssAuthentication,
  SSHCFG_ALL } — correct token.
- servconf.h (10.4p1, X-macro): SSHCONF_INTFLAG(gss_authentication,
GssAuthentication,
  ...) — token derives from GssAuthentication, not
GSSAPIAuthentication.
- configure.ac GSSAPI/Kerberos detection is otherwise unchanged between
the two tags —
  this is a pure servconf table-generation regression, not a
build/detection issue.

How reproducible: Always

Steps to Reproduce:
1. Build OpenSSH 10.4p1 with --with-kerberos5=<path> (any
GSSAPI-enabling config).
2. Put in sshd_config:
     GSSAPIAuthentication yes
   (top-level, or inside a Match block as commonly used for selective
Kerberos auth)
3. Run: sshd -t -f sshd_config

Actual Results:
Bad configuration option: GSSAPIAuthentication

Expected Results:
Config accepted, GSSAPI authentication directive applied as in 10.3p1
and earlier.

Suggested fix:

Restore the original token strings for the GSSAPI group in servconf.h,
matching the
pattern every other X-macro entry already uses, e.g.:

  SSHCONF_INTFLAG(gss_authentication, GSSAPIAuthentication, SSHCFG_ALL)
  SSHCONF_INTFLAG(gss_cleanup_creds, GSSAPICleanupCredentials,
SSHCFG_ALL)
  SSHCONF_INTFLAG(gss_deleg_creds, GSSAPIDelegateCredentials,
SSHCFG_ALL)
  SSHCONF_INTFLAG(gss_strict_acceptor, GSSAPIStrictAcceptorCheck,
SSHCFG_ALL)

(exact macro name/arity may differ — matching whatever's used elsewhere
in the same
table.)

Related:
Same regression already reported downstream — Arch Linux packaging
issue #30
"GSSAPI stopped working when upgraded to 10.4p1-1":
https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/work_items/30

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

Reply via email to