From owner-freebsd-security@FreeBSD.ORG Sun Dec 17 19:24:37 2006
From: Quincey Koziol
Date: Sun, 17 Dec 2006 13:25:47 -0600
To: freebsd-security@freebsd.org
Cc: Boris Samorodov
Subject: Re: Problems using gssapi authentication from FreeBSD to Linux machines
In-Reply-To: <48779656@srv.sem.ipt.ru>

On Dec 15, 2006, at 1:52 AM, Boris Samorodov wrote:

> On Thu, 14 Dec 2006 23:34:17 -0600 Quincey Koziol wrote:
>
>> Hi all,
>> I'm really struggling with getting Kerberos authentication to
>> work between a FreeBSD host and a Linux host. I'm using the latest
>> 6-STABLE code on the FreeBSD box, I've got forwardable Kerberos tokens
>> (verified with "klist -f") and Kerberos and ssh are working fine in
>> all other ways, but I can't get the Linux box to accept the Kerberos
>> ticket as authentication from the FreeBSD machine. The Linux box
>> accepts Kerberos credentials from other Linux machines and I can use
>> ssh on the FreeBSD machine to connect to itself with Kerberos
>> credentials (i.e. not required to type my password). This leads me
>> to believe that either the protocol for forwarding the Kerberos
>> credentials is different between the two machines or there's another
>> minor tweak I need to make to the ssh_config file on the FreeBSD
>> machine. One other difference is that the Linux box is running
>> OpenSSH 3.9p1 and the FreeBSD box is running OpenSSH 4.5p1.
>
> This difference should not be a problem.
>
>> Here's my ssh_config from the FreeBSD machine:
>
>> # $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
>> # $FreeBSD: src/crypto/openssh/ssh_config,v 1.27.2.4 2006/11/11 00:51:28 des Exp $
>
>> # This is the ssh client system-wide configuration file.  See
>> # ssh_config(5) for more information.  This file provides defaults for
>> # users, and the values can be changed in per-user configuration files
>> # or on the command line.
>
>> # Configuration data is parsed as follows:
>> #  1. command line options
>> #  2. user-specific file
>> #  3. system-wide file
>> # Any configuration value is only changed the first time it is set.
>> # Thus, host-specific definitions should be at the beginning of the
>> # configuration file, and defaults at the end.
>
>> # Site-wide defaults for some commonly used options.  For a comprehensive
>> # list of available options, their meanings and defaults, please see the
>> # ssh_config(5) man page.
>
>> # Host *
>> #   ForwardAgent no
>> #   ForwardX11 no
>> #   RhostsRSAAuthentication no
>> #   RSAAuthentication yes
>> #   PasswordAuthentication yes
>> #   HostbasedAuthentication no
>> #   GSSAPIAuthentication no
>> #   GSSAPIDelegateCredentials no
>> #   BatchMode no
>> #   CheckHostIP no
>> #   AddressFamily any
>> #   ConnectTimeout 0
>> #   StrictHostKeyChecking ask
>> #   IdentityFile ~/.ssh/identity
>> #   IdentityFile ~/.ssh/id_rsa
>> #   IdentityFile ~/.ssh/id_dsa
>> #   Port 22
>> #   Protocol 2,1
>> #   Cipher 3des
>> #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
>> #   EscapeChar ~
>> #   Tunnel no
>> #   TunnelDevice any:any
>> #   PermitLocalCommand no
>> #   VersionAddendum FreeBSD-20061110
>
>> # Add kerberos ticket forwarding
>> # QAK - 12/13/06
>> Host *
>
> Maybe it's paranoid but I prefer to use more strict values here,
> i.e. *.my.domain. This may prevent sending my credentials to hosts if
> I accidentally misspell a command.
>
>>     GSSAPIAuthentication yes
>>     GSSAPIDelegateCredentials yes
>> # If this option is set to yes then the remote X11 clients will have full access
>> # to the local X11 display. As virtually no X11 client supports the untrusted
>> # mode correctly we set this to yes.
>>     ForwardX11Trusted yes
>
> [logs skipped]
>
>> The main difference I can see is that the FreeBSD log has this:
>
>> debug2: we sent a gssapi-with-mic packet, wait for reply
>> debug1: Delegating credentials
>> debug1: Delegating credentials
>> debug1: Authentications that can continue: gssapi-with-mic,password
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup password
>
>> And the Linux log has this:
>
>> debug1: Next authentication method: gssapi-with-mic
>> debug2: we sent a gssapi-with-mic packet, wait for reply
>> debug1: Delegating credentials
>> debug1: Delegating credentials
>> debug1: Authentication succeeded (gssapi-with-mic).
>
>> Any ideas what could be causing the ssh on FreeBSD to "not
>> send a packet"?
>
> Seems that the Linux host doesn't accept credentials. Do you have
> access to this box? If yes, run sshd with verbose debug ("ddd") at
> different port (say, "-p 1000") and then try to connect to this host
> via ssh from FreeBSD host. Look at debugging log for the connection
> details. HTH

I've looked at the logs with -ddd and there's not enough information
to really tell what's going on and they both look the same when
logging it. (And the Linux box still succeeds and FreeBSD doesn't).

Anyone have any other ideas?

Thanks,
Quincey
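Boris's point about "Host *" versus "Host *.my.domain" follows from the first-match rule in the quoted config comments: the first stanza that matches a hostname and sets GSSAPIDelegateCredentials decides whether the forwardable ticket is handed over. The following Python model of that resolution is an added example, not code from the thread or from OpenSSH; it assumes ssh_config's "*" and "?" glob matching with "!" negation, the documented default of "no" for GSSAPIDelegateCredentials, and constructed config excerpts and hostnames.

```python
import fnmatch
import re

# Constructed ssh_config excerpts, not the file from the thread: the broad stanza
# from the original post and the stricter form Boris suggests.
BROAD_CONFIG = "Host *\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n"
STRICT_CONFIG = "Host *.my.domain\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n"
DEFAULT_DELEGATE = "no"  # ssh_config(5) default for GSSAPIDelegateCredentials (assumption)


def parse_ssh_config(text):
    """Stanzas as (patterns, {option: value}) in file order; options before the
    first Host line go into an implicit 'Host *' stanza."""
    stanzas = [(["*"], {})]
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) != 2:            # blank, comment-only, or keyword without a value
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            stanzas.append((value.split(), {}))
        else:
            stanzas[-1][1].setdefault(key, value)   # first setting of an option wins
    return stanzas


def host_matches(hostname, patterns):
    """ssh_config host patterns: '*' and '?' globs; a leading '!' negates the list."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_option(text, hostname, option, default):
    """First matching stanza that sets the option wins, as the quoted comments say."""
    option = option.lower()
    for patterns, options in parse_ssh_config(text):
        if host_matches(hostname, patterns) and option in options:
            return options[option]
    return default


def hosts_receiving_delegation(text, hostnames):
    """Hosts that would be handed the user's forwardable Kerberos ticket."""
    return [h for h in hostnames if effective_option(
        text, h, "GSSAPIDelegateCredentials", DEFAULT_DELEGATE).lower() == "yes"]


if __name__ == "__main__":
    # Constructed hostnames: the intended target, a typo of it, and an unrelated host.
    sample = ["linux.my.domain", "linux.my.domian", "example.com"]
    print("Host *           ->", hosts_receiving_delegation(BROAD_CONFIG, sample))
    print("Host *.my.domain ->", hosts_receiving_delegation(STRICT_CONFIG, sample))
```

With the broad stanza the typo'd host and the unrelated host both receive the ticket; with the domain-scoped stanza only the intended host does.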

From: Colin Percival
Date: Mon, 18 Dec 2006 21:20:44 -0800
To: freebsd security
Message-ID: <458776AC.6040806@freebsd.org>
Subject: EoL for FreeBSD 6.2-RC1

Those of you who are using FreeBSD Update on FreeBSD 6.2-RC1 may have
seen the following scary message:

WARNING: FreeBSD 6.2-RC1 HAS PASSED ITS END-OF-LIFE DATE.
Any security issues discovered after Mon Dec 18 00:00:00 UTC 2006
will not have been corrected.

I told FreeBSD Update that the EoL for FreeBSD 6.2-RC1 would be
December 18th (i.e., one month after 6.2-RC1 was released) as I
thought that 6.2-RELEASE, or at very least 6.2-RC2, would be out by
now. Obviously I hadn't counted on there being hardware problems on
ftp-master.

In any case: Don't worry about this warning. If any advisories happen
before 6.2-RELEASE, the appropriate binary updates will be available
for 6.2-RC1 via FreeBSD Update.

Colin Percival
FreeBSD Security Officer