From owner-freebsd-current@FreeBSD.ORG Thu Mar 11 15:30:05 2004
Date: Fri, 12 Mar 2004 00:23:44 +0100 (CET)
From: Michael Reifenberger
To: des@freebsd.org
cc: freebsd-current@freebsd.org
Subject: -current ssh/Kerberos issues
Message-ID: <20040311235346.T79374@fw.reifenberger.com>
List-Id: Discussions about the use of FreeBSD-current
Hi,

after making a new -current world on my (client-)Notebook (including the new openssh package), it seems that ssh/Heimdal/GSSAPI doesn't work any longer.

Symptom: I get asked for a password (but I have a valid forwardable ticket).

'fw' is KDC, 'nihil' is client.

############## Window 1 #####################
(nihil)(root) # ldd /usr/sbin/sshd
/usr/sbin/sshd:
        libssh.so.2 => /usr/lib/libssh.so.2 (0x480a7000)
        libutil.so.4 => /lib/libutil.so.4 (0x480d6000)
        libz.so.2 => /lib/libz.so.2 (0x480e2000)
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x480f0000)
        libpam.so.2 => /usr/lib/libpam.so.2 (0x480f8000)
        libgssapi.so.7 => /usr/lib/libgssapi.so.7 (0x480ff000)
        libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x4810d000)
        libasn1.so.7 => /usr/lib/libasn1.so.7 (0x48149000)
        libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x4816f000)
        libroken.so.7 => /usr/lib/libroken.so.7 (0x48171000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x4817f000)
        libcrypt.so.2 => /lib/libcrypt.so.2 (0x4828e000)
        libc.so.5 => /lib/libc.so.5 (0x482a7000)
        libmd.so.2 => /lib/libmd.so.2 (0x48382000)
(nihil)(root) # sshd -Dde
debug1: sshd version OpenSSH_3.7.1p2 FreeBSD-20040106
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: res_init()
Connection from 10.0.0.1 port 51895
debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2 FreeBSD-20040106
debug1: match: OpenSSH_3.7.1p2 FreeBSD-20040106 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2 FreeBSD-20040106
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
Address 10.0.0.1 maps to fw.reifenberger.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for root from 10.0.0.1 port 51895 ssh2
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "fw.reifenberger.com"
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for root from 10.0.0.1 port 51895 ssh2

################# Window 2 ###################################
(nihil)(root) # kinit
root@REIFENBERGER.COM's Password:
(nihil)(root) # klist -f
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: root@REIFENBERGER.COM

  Issued           Expires          Flags  Principal
Mar 12 00:02:19  Mar 19 00:02:19  FRIA   krbtgt/REIFENBERGER.COM@REIFENBERGER.COM
(nihil)(root) # ssh fw
(fw)(root) # klist -f
Credentials cache: FILE:/tmp/krb5cc_8Cmyjx
        Principal: root@REIFENBERGER.COM

  Issued           Expires          Flags  Principal
Mar 12 00:02:57  Mar 19 00:02:19  FfA    krbtgt/REIFENBERGER.COM@REIFENBERGER.COM
(fw)(root) # ssh nihil
Password:
...
##################

BTW: on nihil I reverted /usr/sbin/ssh and /usr/lib/libssh.so.2 back to the previous versions to have outgoing SSO access to fw. Without that 'ssh fw' would have asked for a password too.

BTW2: pam_krb5 doesn't seem to respect the following settings in /etc/krb5.conf:
...
        forwardable = true
        ticket_lifetime = 1 week
        renew_lifetime = 1 month
...
I have them in both '[appdefaults]' and '[libdefaults]' sections.

This can be seen when logging in via syscons, which uses /etc/pam.d/login, which includes /etc/pam.d/system, which contains:
...
auth            sufficient      pam_krb5.so             rootok no_warn try_first_pass
...
which leads after login to:

(nihil)(root) # klist -f
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: root@REIFENBERGER.COM

  Issued           Expires          Flags  Principal
Mar 12 00:16:11  Mar 12 10:16:11  A      host/nihil.reifenberger.com@REIFENBERGER.COM
Mar 12 00:16:11  Mar 12 10:16:11  IA     krbtgt/REIFENBERGER.COM@REIFENBERGER.COM

Any clues?
Bye/2
---
Michael Reifenberger, Business Development Manager SAP-Basis, Plaut Consulting
Comp: Michael.Reifenberger@plaut.de | Priv: Michael@Reifenberger.com
http://www.plaut.de | http://www.Reifenberger.com

Attachments: sshd_config, ssh_config, krb5.conf
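The diagnosis in the mail is done by reading the Flags column of klist -f by eye. As an added check (not part of the mail, of FreeBSD or of Heimdal), the following Python parses Heimdal klist -f output and reports whether the TGT is forwardable, renewable and as long-lived as krb5.conf asked for; the two sample caches are constructed from the klist outputs quoted in the mail, the seven-day expectation mirrors the ticket_lifetime = 1 week setting, and the year (which klist does not print) is assumed to be the same for both timestamps.

```python
import re
from datetime import datetime, timedelta

# Heimdal "klist -f" flag letters seen in the mail: F forwardable, f forwarded,
# R renewable, I initial, A pre-authenticated (upper case = set on the ticket).
TIME_FMT = "%b %d %H:%M:%S"          # klist prints no year; same year assumed
TIME_RE = r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TIME_RE})\s+({TIME_RE})\s+(?:([A-Za-z]+)\s+)?(\S+@\S+)$")

# Constructed samples, copied from two of the klist outputs quoted in the mail.
KINIT_CACHE = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: root@REIFENBERGER.COM
  Issued           Expires          Flags  Principal
Mar 12 00:02:19  Mar 19 00:02:19  FRIA   krbtgt/REIFENBERGER.COM@REIFENBERGER.COM
"""
PAM_KRB5_CACHE = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: root@REIFENBERGER.COM
  Issued           Expires          Flags  Principal
Mar 12 00:16:11  Mar 12 10:16:11  A      host/nihil.reifenberger.com@REIFENBERGER.COM
Mar 12 00:16:11  Mar 12 10:16:11  IA     krbtgt/REIFENBERGER.COM@REIFENBERGER.COM
"""

def parse_klist(text):
    """One dict per ticket line: issued/expires datetimes, flag set, principal."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append({"issued": datetime.strptime(m.group(1), TIME_FMT),
                            "expires": datetime.strptime(m.group(2), TIME_FMT),
                            "flags": set(m.group(3) or ""),
                            "principal": m.group(4)})
    return tickets

def tgt_problems(text, want_lifetime=timedelta(days=7)):
    """List why this cache's TGT would not give forwardable, long-lived SSO."""
    tgts = [t for t in parse_klist(text) if t["principal"].startswith("krbtgt/")]
    if not tgts:
        return ["no krbtgt ticket in cache"]
    tgt, problems = tgts[0], []
    if not tgt["flags"] & {"F", "f"}:
        problems.append("TGT not forwardable: GSSAPI credential delegation will fail")
    if "R" not in tgt["flags"]:
        problems.append("TGT not renewable: renew_lifetime was not applied")
    lifetime = tgt["expires"] - tgt["issued"]
    if lifetime < want_lifetime:
        problems.append(f"TGT lifetime {lifetime} is shorter than {want_lifetime}")
    return problems
```

Run against the kinit cache it reports nothing; against the cache left behind by the pam_krb5 login it reports all three defects the mail describes (not forwardable, not renewable, ten-hour lifetime).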