Date: Tue, 29 Jan 2002 01:48:08 -0800 (PST)
From: Steven Enderle <enderle@mdn.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/34401: ssh & kerberos IV don't work together
Message-ID: <200201290948.g0T9m8T22005@freefall.freebsd.org>
>Number: 34401
>Category: misc
>Synopsis: ssh & kerberos IV don't work together
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 29 01:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Steven Enderle
>Release: FreeBSD 4.5-RELEASE
>Organization: mdn Hübner GmbH
>Environment:
Several 4.5-RELEASE machines, but that problem existed in 4.4-RELEASE also

>Description:
ssh(d?) doesn't make use of kerberosIV on FreeBSD, even if MAKE_KERBEROS4= yes is set in make.conf.

Kerberos is working fine in our network, we are using two OpenBSD 2.7 boxes as master and slave.

I want sshd to use Kerberos for auth. It currently just does it when configured via pam to do so, but that's a not so nice way, because it asks me for my password all the time.

Let's see...

First, I will log on from FreeBSD 4.5 to OpenBSD 2.9:

FreeBSD::/home/enderle % ssh -V
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
FreeBSD::/home/enderle % uname -a
FreeBSD mydomain 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sun Jan 27 15:46:39 CET 2002 enderle@mydomain:/usr/export/src/sys/compile/BSD01 i386
FreeBSD::/home/enderle % ssh -v OpenBSD
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug1: Connecting to OpenBSD [ip] port 22.
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/enderle/.ssh/identity type -1
debug1: identity file /home/enderle/.ssh/id_rsa type -1
debug1: identity file /home/enderle/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9
debug1: match: OpenSSH_2.9 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'OpenBSD' is known and matches the RSA1 host key.
debug1: Found key in /home/enderle/.ssh/known_hosts:22
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos authentication.
debug1: Kerberos V4 authentication accepted.
debug1: Kerberos V4 challenge successful.
debug1: Requesting pty.
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Tue Jan 29 10:37:05 2002 from workstation
OpenBSD 2.9-stable (NET) #3: Mon May 28 17:02:52 CEST 2001

Welcome to OpenBSD: The proactively secure Unix-like operating system.

OpenBSD::/home/enderle %

Great! We logged in with a working kerberosIV authentication.

Now let's try the same with another FreeBSD 4.5 box:

FreeBSD::/home/enderle % ssh -v FreeBSD2
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug1: Connecting to FreeBSD2 [ip] port 22.
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/enderle/.ssh/identity type -1
debug1: identity file /home/enderle/.ssh/id_rsa type -1
debug1: identity file /home/enderle/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'FreeBSD2' is known and matches the RSA1 host key.
debug1: Found key in /home/enderle/.ssh/known_hosts:18
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
enderle@FreeBSD2's password:

It doesn't seem to know kerberosIV...

Kerberos is enabled and working fine on all the systems. I think sshd is just not aware of that, because if I uncomment the Kerberos options, which are also enabled on OpenBSD, the following happens:

FreeBSD::/home/enderle # sshd
/etc/ssh/sshd_config: line 56: Bad configuration option: KerberosOrLocalPasswd
/etc/ssh/sshd_config: line 57: Bad configuration option: AFSTokenPassing
/etc/ssh/sshd_config: line 58: Bad configuration option: KerberosTicketCleanup
/etc/ssh/sshd_config: terminating, 3 bad configuration options
FreeBSD::/home/enderle # ldd =sshd
/usr/sbin/sshd:
        libkrb.so.3 => /usr/lib/libkrb.so.3 (0x2809a000)
        libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x280b3000)
        libopie.so.2 => /usr/lib/libopie.so.2 (0x280b5000)
        libmd.so.2 => /usr/lib/libmd.so.2 (0x280be000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280c7000)
        libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x280e0000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x28198000)
        libz.so.2 => /usr/lib/libz.so.2 (0x281a1000)
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x281ae000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x281b6000)
        libc.so.4 => /usr/lib/libc.so.4 (0x281bf000)

OK, now what do you say about that?

I hope you may help me fix that, it's really annoying to enter my password 50 times a day.

>How-To-Repeat:
Try enabling kerberosIV on FreeBSD 4.5/4.4 and get ssh to use it for authentication (not via pam, that sucks)

>Fix:
...

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
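
Added example (not part of the original report, and not FreeBSD or OpenSSH code): a small Python triage helper that reads the two kinds of output quoted in the report, the `ssh -v` client debug lines and sshd's start-up errors, and reports which authentication method a session ended on and which sshd_config keywords the running build rejected. The function names are hypothetical; the sample strings are excerpts of the output quoted in the report.

```python
import re

# Client-side markers, as printed by the OpenSSH 2.9 client in the report.
KRB_TRIED = re.compile(r"debug1: Trying Kerberos authentication")
AUTH_MARKERS = [
    ("kerberos4", re.compile(r"debug1: Kerberos V4 challenge successful")),
    ("password", re.compile(r"debug1: Doing password authentication")),
]
# sshd start-up error for a keyword the binary was not built to understand.
BAD_OPTION = re.compile(
    r"^(?P<file>\S+): line (?P<line>\d+): Bad configuration option: (?P<opt>\S+)"
)

def auth_path(client_debug):
    """Walk `ssh -v` output in order; report the method the session ended on."""
    tried, final = False, "unknown"
    for line in client_debug.splitlines():
        if KRB_TRIED.search(line):
            tried = True
        for name, pattern in AUTH_MARKERS:
            if pattern.search(line):
                final = name
    return {"kerberos_tried": tried, "final_method": final,
            "password_fallback": final == "password"}

def rejected_options(sshd_stderr):
    """Return (file, line number, keyword) for each keyword sshd refused."""
    matches = (BAD_OPTION.match(l) for l in sshd_stderr.splitlines())
    return [(m["file"], int(m["line"]), m["opt"]) for m in matches if m]

# Excerpts of the output quoted in the report.
OPENBSD_SESSION = """debug1: Received encrypted confirmation.
debug1: Trying Kerberos authentication.
debug1: Kerberos V4 authentication accepted.
debug1: Kerberos V4 challenge successful.
debug1: Requesting pty."""
FREEBSD_SESSION = """debug1: Received encrypted confirmation.
debug1: Doing password authentication."""
SSHD_STDERR = """/etc/ssh/sshd_config: line 56: Bad configuration option: KerberosOrLocalPasswd
/etc/ssh/sshd_config: line 57: Bad configuration option: AFSTokenPassing
/etc/ssh/sshd_config: line 58: Bad configuration option: KerberosTicketCleanup
/etc/ssh/sshd_config: terminating, 3 bad configuration options"""

if __name__ == "__main__":
    for label, text in (("OpenBSD", OPENBSD_SESSION), ("FreeBSD2", FREEBSD_SESSION)):
        print(label, auth_path(text))
    for entry in rejected_options(SSHD_STDERR):
        print("rejected:", entry)
```

A session that ends on password authentication without Kerberos ever being tried, combined with rejected Kerberos keywords on the server, is the combination this report describes.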