http://bugzilla.opensuse.org/show_bug.cgi?id=1043397 Bug ID: 1043397 Summary: SSH Connection closed when GSSAPIKeyExchange enabled Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: x86-64 OS: openSUSE 42.2 Status: NEW Severity: Major Priority: P5 - None Component: Network Assignee: bnc-team-screening@forge.provo.novell.com Reporter: ailin.nemui@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Build Identifier: When trying to use GSSAPIKeyExchange, the SSH Server just closes the connection. The same function works fine on our Ubuntu and Debian SSH Servers. On the client side, I get this output: debug1: Doing group exchange debug2: bits set: 1559/3072 debug1: Calling gss_init_sec_context Connection closed by 2001:638:902:2010:5054:ff:fe08:c12 zsh: exit 255 ssh -vvvvv -p 2222 infraextra On the server, I tried to run sshd with debug output, and it ends like this: debug3: mm_request_send entering: type 45 debug2: bits set: 4126/8192 [preauth] xmalloc: zero size [preauth] debug1: do_cleanup [preauth] debug3: PAM: sshpam_thread_cleanup entering [preauth] debug3: mm_request_send entering: type 124 [preauth] debug3: mm_request_receive entering debug3: monitor_read: checking request 124 debug1: monitor_read_log: child log fd closed debug3: mm_request_receive entering debug1: do_cleanup debug3: PAM: sshpam_thread_cleanup entering debug1: Killing privsep child 5137 I believe the xmalloc: zero size is related to the problem here. If I disable privsep, the issue becomes instead: xmalloc: out of memory (allocating 3617008690259980144 bytes) Reproducible: Always Steps to Reproduce: 1. Enable GSSAPIKeyExchange in /etc/ssh/sshd_config # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes GSSAPIKeyExchange yes 2. restart sshd 3. Try to connect from other computer Actual Results: SSH connection closed unexpectedly Expected Results: Login succeeds The KDC is running on Debian stable, version 1.12.1+dfsg-19+deb8u2 of MIT Kerberos. The SSH Clients and other SSH Servers are 6.7p1-5+deb8u3 and 7.2p2-4ubuntu2.1 Using the openSUSE ssh client to connect to itself does *not* crash, but does not verify the host using GSSAPI either -- I get the typical The authenticity of host '...' can't be established. ECDSA key fingerprint is SHA256:ox... Are you sure you want to continue connecting prompt -- You are receiving this mail because: You are on the CC list for the bug.