Bug 102205

Summary: kdc(8): login failure: ssh + gssapi + dual stacks + packet loss
Product: Base System
Reporter: Mark Andrews <Mark_Andrews>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open
Severity: Affects Only Me
Priority: Normal
Version: 6.1-STABLE
Hardware: Any
OS: Any

Description Mark Andrews 2006-08-18 00:50:14 UTC
ssh client, ssh server and kdc are dual stack.

If, when talking to the kdc, you lose the reply packet, ssh will attempt
to send the same packet to the kdc using the alternate transport.  This
results in a replay attack being reported and the login failing.

09:27:04.370657 2001:470:1f00:820:208:74ff:fe9f:eeae.1798 > 2001:4f8:3:bb::4.88:  [flowlabel 0x670b8]
09:27:05.378122 192.168.191.251.3785 > 204.152.187.4.88: 
09:27:05.551681 204.152.187.4.88 > 192.168.191.251.3785:

How-To-Repeat: Configure a dual stack kdc and configure a firewall to block the
replies from the kdc over IPv6.  Attempt to login using gssapi.
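
Added example (not part of the original report, and not FreeBSD or KDC code): a small capture check that flags the pattern in the trace above, a request to port 88 over one address family that gets no reply and is followed by a request over the other family. It only sees timing and addresses, so it cannot confirm the two requests carry the same payload; the function names and the 3-second window are assumptions.

```python
import re
from datetime import datetime

KDC_PORT = 88
# tcpdump prints "addr.port"; the port is whatever follows the last dot.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+):")

# The three trace lines quoted in the report.
TRACE = """\
09:27:04.370657 2001:470:1f00:820:208:74ff:fe9f:eeae.1798 > 2001:4f8:3:bb::4.88:  [flowlabel 0x670b8]
09:27:05.378122 192.168.191.251.3785 > 204.152.187.4.88:
09:27:05.551681 204.152.187.4.88 > 192.168.191.251.3785:
"""

def family(addr):
    return "IPv6" if ":" in addr else "IPv4"

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport = m.groups()
    return datetime.strptime(ts, "%H:%M:%S.%f"), src, int(sport), dst, int(dport)

def find_cross_family_retries(text, window=3.0):
    """Flag a KDC request sent over one address family while a request over
    the other family is still unanswered. window (seconds) is an assumed value."""
    pending = {}    # family -> (send time, client endpoint) awaiting a reply
    findings = []
    for line in text.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        t, src, sport, dst, dport = pkt
        if sport == KDC_PORT:
            # Reply from the KDC: clear the matching outstanding request.
            fam = family(src)
            if fam in pending and pending[fam][1] == (dst, dport):
                del pending[fam]
        elif dport == KDC_PORT:
            fam = family(dst)
            for other, (t0, _) in pending.items():
                gap = (t - t0).total_seconds()
                if other != fam and 0 <= gap <= window:
                    findings.append({"unanswered": other, "retry": fam, "gap": gap})
            pending[fam] = (t, (src, sport))
    return findings

if __name__ == "__main__":
    for f in find_cross_family_retries(TRACE):
        print(f"{f['unanswered']} request unanswered, retried over {f['retry']} after {f['gap']:.3f}s")
```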

Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:40 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped