Date: Thu, 14 Feb 2002 11:47:13 +0200 (SAST)
From: Gareth Hopkins
To: security@freebsd.org
Subject: Problems with openssh, kerberos5 and PAM
Message-ID: <20020214111521.S4035-100000@yacko.fw.uunet.co.za>

Hi,

I am having the following problem with openssh, kerberos5 and pam authentication.

SSH version is OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f

On the server side, when someone logs in with no kerberos tickets and enters their kerberos password, the sshd daemon dies with the following error:

[root@server]/var/mail $ sshd -d
debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from servername.foo.bar port 59250
Connection from x.x.x.x port 59250
debug1: Client protocol version 1.5; client software version 1.2.27
debug1: no match: 1.2.27
debug1: Local version string SSH-1.5-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "ghopkins"
debug1: Attempting authentication for ghopkins.
debug1: temporarily_use_uid: 1000/20 (e=0)
debug1: restore_uid
Failed rsa for ghopkins from x.x.x.x port 59250
debug1: PAM Password authentication accepted for user "ghopkins"
Accepted password for ghopkins from x.x.x.x port 59250
debug1: PAM setting rhost to "servername.foo.bar"
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug1: PAM setting tty to "/dev/ttypc"
debug1: do_pam_session: euid 0, uid 0
debug1: PAM establishing creds
Bus error

/etc/pam.conf has the following:

sshd auth sufficient pam_krb5.so try_first_pass
sshd auth required pam_unix.so
sshd account sufficient pam_krb5.so try_first_pass
sshd account required pam_unix.so
sshd session sufficient pam_krb5.so try_first_pass
sshd session required pam_unix.so

Any ideas what the problem could be?

---
Gareth Hopkins
Server Operations
UUNET SA, a WorldCom Company
(o) +27.21.658.8700
(f) +27.21.658.8552
(m) +27.82.389.5389
http://www.uunet.co.za
08600 UUNET (08600 88638)