Date: Fri, 12 Mar 2004 00:23:44 +0100 (CET)
From: Michael Reifenberger <mike@Reifenberger.com>
To: des@freebsd.org
Cc: freebsd-current@freebsd.org
Subject: -current ssh/Kerberos issues
Message-ID: <20040311235346.T79374@fw.reifenberger.com>
Hi,
after making a new -current world on my (client-)Notebook (including the new
openssh package), it seems that ssh/Heimdal/GSSAPI doesn't work any longer.
Symptom: I get asked for a password (but I have a valid forwardable ticket).
'fw' is KDC, 'nihil' is client.
############## Window 1 #####################
(nihil)(root) # ldd /usr/sbin/sshd
/usr/sbin/sshd:
libssh.so.2 => /usr/lib/libssh.so.2 (0x480a7000)
libutil.so.4 => /lib/libutil.so.4 (0x480d6000)
libz.so.2 => /lib/libz.so.2 (0x480e2000)
libwrap.so.3 => /usr/lib/libwrap.so.3 (0x480f0000)
libpam.so.2 => /usr/lib/libpam.so.2 (0x480f8000)
libgssapi.so.7 => /usr/lib/libgssapi.so.7 (0x480ff000)
libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x4810d000)
libasn1.so.7 => /usr/lib/libasn1.so.7 (0x48149000)
libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x4816f000)
libroken.so.7 => /usr/lib/libroken.so.7 (0x48171000)
libcrypto.so.3 => /lib/libcrypto.so.3 (0x4817f000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x4828e000)
libc.so.5 => /lib/libc.so.5 (0x482a7000)
libmd.so.2 => /lib/libmd.so.2 (0x48382000)
(nihil)(root) # sshd -Dde
debug1: sshd version OpenSSH_3.7.1p2 FreeBSD-20040106
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: res_init()
Connection from 10.0.0.1 port 51895
debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2 FreeBSD-20040106
debug1: match: OpenSSH_3.7.1p2 FreeBSD-20040106 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2 FreeBSD-20040106
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
Address 10.0.0.1 maps to fw.reifenberger.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for root from 10.0.0.1 port 51895 ssh2
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "fw.reifenberger.com"
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for root from 10.0.0.1 port 51895 ssh2
################# Window 2 ###################################
(nihil)(root) # kinit
root@REIFENBERGER.COM's Password:
(nihil)(root) # klist -f
Credentials cache: FILE:/tmp/krb5cc_0
Principal: root@REIFENBERGER.COM
Issued Expires Flags Principal
Mar 12 00:02:19 Mar 19 00:02:19 FRIA krbtgt/REIFENBERGER.COM@REIFENBERGER.COM
(nihil)(root) # ssh fw
(fw)(root) # klist -f
Credentials cache: FILE:/tmp/krb5cc_8Cmyjx
Principal: root@REIFENBERGER.COM
Issued Expires Flags Principal
Mar 12 00:02:57 Mar 19 00:02:19 FfA krbtgt/REIFENBERGER.COM@REIFENBERGER.COM
(fw)(root) # ssh nihil
Password:
...
##################
BTW: on nihil I reverted /usr/sbin/ssh and /usr/lib/libssh.so.2 back to the
previous versions to have outgoing SSO access to fw. Without that
'ssh fw' would have asked for a password too.
BTW2: pam_krb5 doesn't seem to respect the following settings in /etc/krb5.conf:
...
forwardable = true
ticket_lifetime = 1 week
renew_lifetime = 1 month
...
I have them in both '[appdefaults]' and '[libdefaults]' sections.
This can be seen when logging in via syscons, which uses /etc/pam.d/login, which
includes /etc/pam.d/system, which contains:
...
auth sufficient pam_krb5.so rootok no_warn try_first_pass
...
which leads after login to:
(nihil)(root) # klist -f
Credentials cache: FILE:/tmp/krb5cc_0
Principal: root@REIFENBERGER.COM
Issued Expires Flags Principal
Mar 12 00:16:11 Mar 12 10:16:11 A host/nihil.reifenberger.com@REIFENBERGER.COM
Mar 12 00:16:11 Mar 12 10:16:11 IA krbtgt/REIFENBERGER.COM@REIFENBERGER.COM
Any clues?
Bye/2
---
Michael Reifenberger, Business Development Manager SAP-Basis, Plaut Consulting
Comp: Michael.Reifenberger@plaut.de | Priv: Michael@Reifenberger.com
http://www.plaut.de | http://www.Reifenberger.com
[Attachment: sshd_config (contents not preserved in the archive)]

[Attachment: ssh_config, decoded from the base64 MIME part]
#	$OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $
#	$FreeBSD: src/crypto/openssh/ssh_config,v 1.22 2003/09/24 19:20:23 des Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP no
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
#   VersionAddendum FreeBSD-20030924
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

[Attachment: krb5.conf (contents not preserved in the archive)]
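Added example (not part of the mail, and not FreeBSD, OpenSSH or Heimdal code): a small Python check that parses the three `klist -f` listings quoted in the mail (copied in as constructed sample input, including the line klist wrapped), decodes Heimdal's flag letters (F forwardable, f forwarded, R renewable, I initial, A pre-authenticated, and so on), and reports the cache-side reasons an ssh login with GSSAPIAuthentication/GSSAPIDelegateCredentials would fall back to a password prompt: no TGT, an expired TGT, a TGT without the F flag (which GSSAPIDelegateCredentials cannot forward), or a TGT shorter-lived than krb5.conf asks for, as in the pam_krb5 listing. The function names, the assumed year 2004 and the check times are my own. On the mail's own listings it clears both forwardable TGTs (FRIA on nihil, FfA on fw) and flags only the syscons/pam_krb5 ticket (IA, 10 hours), which matches the author's observation that the SSO failure lies with the new ssh/sshd binaries rather than with the tickets.

```python
"""Check a Heimdal credential cache (klist -f output) for OpenSSH GSSAPI use."""
import re
from datetime import datetime, timedelta

# Flag letters printed by Heimdal's klist -f (see Heimdal's klist.c).  For
# OpenSSH GSSAPI delegation the interesting ones are F (forwardable) and
# f (forwarded).
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "A": "pre-authenticated", "H": "hw-authenticated",
}
_FLAGS = "[" + "".join(FLAG_NAMES) + "]*"
_TS = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d"
_CRED_RE = re.compile(rf"^({_TS})\s+({_TS})\s+({_FLAGS})\s+(\S+)$")
_WRAP_RE = re.compile(rf"^{_TS}\s+{_TS}\s*{_FLAGS}$")   # principal wrapped onto next line

# Constructed sample input: the three klist -f listings from the mail above,
# including the line klist wrapped.  klist prints no year; 2004 is assumed.
NIHIL_AFTER_KINIT = """\
Credentials cache: FILE:/tmp/krb5cc_0
Principal: root@REIFENBERGER.COM
Issued Expires Flags Principal
Mar 12 00:02:19 Mar 19 00:02:19 FRIA
krbtgt/REIFENBERGER.COM@REIFENBERGER.COM
"""
FW_AFTER_SSH = """\
Credentials cache: FILE:/tmp/krb5cc_8Cmyjx
Principal: root@REIFENBERGER.COM
Issued Expires Flags Principal
Mar 12 00:02:57 Mar 19 00:02:19 FfA krbtgt/REIFENBERGER.COM@REIFENBERGER.COM
"""
NIHIL_AFTER_SYSCONS_LOGIN = """\
Credentials cache: FILE:/tmp/krb5cc_0
Principal: root@REIFENBERGER.COM
Issued Expires Flags Principal
Mar 12 00:16:11 Mar 12 10:16:11 A host/nihil.reifenberger.com@REIFENBERGER.COM
Mar 12 00:16:11 Mar 12 10:16:11 IA krbtgt/REIFENBERGER.COM@REIFENBERGER.COM
"""


def describe_flags(flags):
    """'FRIA' -> 'forwardable, renewable, initial, pre-authenticated'."""
    return ", ".join(FLAG_NAMES.get(c, "?" + c) for c in flags)


def _ts(text, year):
    # klist omits the year, so it is supplied by the caller.
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def parse_klist(output, year):
    """Return (cache, principal, creds) from klist -f text.  Each cred is a dict
    with 'issued'/'expires' datetimes, the raw 'flags' and the 'service'."""
    cache = principal = None
    creds = []
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Credentials cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            if _WRAP_RE.match(line) and i + 1 < len(lines):
                line += " " + lines[i + 1]          # rejoin the wrapped principal
                i += 1
            m = _CRED_RE.match(line)
            if m:
                creds.append({"issued": _ts(m.group(1), year),
                              "expires": _ts(m.group(2), year),
                              "flags": m.group(3), "service": m.group(4)})
        i += 1
    return cache, principal, creds


def diagnose(output, now, year=None, min_lifetime_hours=None):
    """List cache-side reasons ssh would fall back to a password prompt or fail
    to delegate.  `now` is a datetime or 'YYYY-MM-DD HH:MM:SS'; an empty list
    means the TGT is valid at `now`, forwardable and (if asked) long enough."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cache, principal, creds = parse_klist(output, year or now.year)
    if principal is None:
        return ["no credentials cache / principal found"]
    realm = principal.rsplit("@", 1)[1]
    tgt = next((c for c in creds if c["service"] == f"krbtgt/{realm}@{realm}"), None)
    if tgt is None:
        return [f"no TGT for {realm} in {cache}: run kinit"]
    problems = []
    if tgt["expires"] <= now:
        problems.append(f"TGT expired at {tgt['expires']:%b %d %H:%M:%S}")
    if "F" not in tgt["flags"]:
        problems.append(f"TGT not forwardable ({describe_flags(tgt['flags'])}): "
                        "GSSAPIDelegateCredentials cannot forward it; use kinit -f "
                        "or forwardable = true in krb5.conf")
    lifetime = tgt["expires"] - tgt["issued"]
    if min_lifetime_hours is not None and lifetime < timedelta(hours=min_lifetime_hours):
        problems.append(f"TGT lifetime {lifetime} is shorter than the configured "
                        f"{timedelta(hours=min_lifetime_hours)}: the program that "
                        "obtained it ignored ticket_lifetime")
    return problems


if __name__ == "__main__":
    # A forwarded ticket keeps the original expiry, so no lifetime check for fw.
    for name, listing, hours in [("nihil after kinit", NIHIL_AFTER_KINIT, 7 * 24),
                                 ("fw after ssh fw", FW_AFTER_SSH, None),
                                 ("nihil after syscons login", NIHIL_AFTER_SYSCONS_LOGIN, 7 * 24)]:
        print(name, "->", diagnose(listing, "2004-03-12 00:20:00", min_lifetime_hours=hours) or "ok")
```

To run it against a live system, feed the stdout of `klist -f` to `diagnose()` with the current time and the `ticket_lifetime` you configured; the parser only understands Heimdal's klist layout, not MIT's.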
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040311235346.T79374>
