Date:      Tue, 29 Jan 2002 01:48:08 -0800 (PST)
From:      Steven Enderle <enderle@mdn.de>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/34401: ssh & kerberos IV don't work together
Message-ID:  <200201290948.g0T9m8T22005@freefall.freebsd.org>


>Number:         34401
>Category:       misc
>Synopsis:       ssh & kerberos IV don't work together
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 29 01:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Steven Enderle
>Release:        FreeBSD 4.5-RELEASE
>Organization:
mdn Hübner GmbH
>Environment:
Several 4.5-RELEASE machines, but that problem existed in 4.4-RELEASE also
>Description:
ssh(d?) doesn't make use of kerberosIV on FreeBSD, even if MAKE_KERBEROS4= yes is set in make.conf.

Kerberos is working fine in our network; we are using two OpenBSD 2.7 boxes as master and slave.
I want sshd to use Kerberos for auth. It currently only does it when configured via PAM to do so, but that's not a nice way, because it asks me for my password all the time. Let's see...

First, I will log on from FreeBSD 4.5 to OpenBSD 2.9:

FreeBSD::/home/enderle % ssh -V      
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
FreeBSD::/home/enderle % uname -a
FreeBSD mydomain 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sun Jan 27 15:46:39 CET 2002     enderle@mydomain:/usr/export/src/sys/compile/BSD01  i386

FreeBSD::/home/enderle % ssh -v OpenBSD
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug1: Connecting to OpenBSD [ip] port 22.
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/enderle/.ssh/identity type -1
debug1: identity file /home/enderle/.ssh/id_rsa type -1
debug1: identity file /home/enderle/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9
debug1: match: OpenSSH_2.9 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'OpenBSD' is known and matches the RSA1 host key.
debug1: Found key in /home/enderle/.ssh/known_hosts:22
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos authentication.
debug1: Kerberos V4 authentication accepted.
debug1: Kerberos V4 challenge successful.
debug1: Requesting pty.
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Tue Jan 29 10:37:05 2002 from workstation
OpenBSD 2.9-stable (NET) #3: Mon May 28 17:02:52 CEST 2001

Welcome to OpenBSD: The proactively secure Unix-like operating system.

OpenBSD::/home/enderle %

Great! We logged in with a working Kerberos IV authentication.

Now let's try the same with another FreeBSD 4.5 box:

FreeBSD::/home/enderle % ssh -v FreeBSD2
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug1: Connecting to FreeBSD2 [ip] port 22.
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/enderle/.ssh/identity type -1
debug1: identity file /home/enderle/.ssh/id_rsa type -1
debug1: identity file /home/enderle/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'FreeBSD2' is known and matches the RSA1 host key.
debug1: Found key in /home/enderle/.ssh/known_hosts:18
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
enderle@FreeBSD2's password:

It doesn't seem to know Kerberos IV...

Kerberos is enabled and working fine on all the systems.

I think sshd is just not aware of that, because if I uncomment the Kerberos options, which are also enabled on OpenBSD, the following happens:

FreeBSD::/home/enderle # sshd
/etc/ssh/sshd_config: line 56: Bad configuration option: KerberosOrLocalPasswd
/etc/ssh/sshd_config: line 57: Bad configuration option: AFSTokenPassing
/etc/ssh/sshd_config: line 58: Bad configuration option: KerberosTicketCleanup
/etc/ssh/sshd_config: terminating, 3 bad configuration options
FreeBSD::/home/enderle # ldd =sshd
/usr/sbin/sshd:
        libkrb.so.3 => /usr/lib/libkrb.so.3 (0x2809a000)
        libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x280b3000)
        libopie.so.2 => /usr/lib/libopie.so.2 (0x280b5000)
        libmd.so.2 => /usr/lib/libmd.so.2 (0x280be000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280c7000)
        libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x280e0000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x28198000)
        libz.so.2 => /usr/lib/libz.so.2 (0x281a1000)
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x281ae000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x281b6000)
        libc.so.4 => /usr/lib/libc.so.4 (0x281bf000)

Ok, now what do you say about that? I hope you can help me fix that; it's really annoying to enter my password 50 times a day.

>How-To-Repeat:
Try enabling Kerberos IV on FreeBSD 4.5/4.4 and get ssh to use it for authentication (not via PAM, that sucks)
>Fix:
...
>Release-Note:
>Audit-Trail:
>Unformatted:
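The two facts the report compares by hand, that sshd is linked against libkrb yet rejects the Kerberos keywords in sshd_config, can be checked mechanically. The following POSIX sh script is an added example, not part of the PR or of FreeBSD; its functions parse ldd output and sshd's "Bad configuration option" errors, and the sample texts at the bottom are constructed to mirror the output quoted above.

```shell
#!/bin/sh
# Added example (not from the PR): does the installed sshd link against
# libkrb, and does it accept the Kerberos/AFS sshd_config keywords?
# Each function takes the text to inspect as its first argument, so the
# same logic runs on constructed samples or on real command output.

# Print the keyword from every "Bad configuration option: X" line.
bad_options() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Bad configuration option: \([A-Za-z0-9]*\).*/\1/p'
}

# Succeed if the ldd listing mentions a libkrb shared object.
links_libkrb() {
    printf '%s\n' "$1" | grep -q 'libkrb\.so'
}

# Compare the two observations:
#   consistent           - linked against libkrb, no Kerberos keyword rejected
#   linked-but-rejected  - linked against libkrb, yet rejects Kerberos/AFS keywords
#   not-linked           - sshd does not link libkrb at all
classify() {
    ldd_text=$1
    sshd_text=$2
    kerb_bad=$(bad_options "$sshd_text" | grep -ci -e kerberos -e afs || true)
    if links_libkrb "$ldd_text"; then
        if [ "$kerb_bad" -eq 0 ]; then echo consistent; else echo linked-but-rejected; fi
    else
        echo not-linked
    fi
}

# Constructed samples modelled on the ldd and sshd output quoted in the report.
SAMPLE_LDD='/usr/sbin/sshd:
        libkrb.so.3 => /usr/lib/libkrb.so.3 (0x2809a000)
        libc.so.4 => /usr/lib/libc.so.4 (0x281bf000)'
SAMPLE_SSHD='/etc/ssh/sshd_config: line 56: Bad configuration option: KerberosOrLocalPasswd
/etc/ssh/sshd_config: line 58: Bad configuration option: KerberosTicketCleanup
/etc/ssh/sshd_config: terminating, 2 bad configuration options'

# On the samples this reports the situation from the PR: linked-but-rejected.
classify "$SAMPLE_LDD" "$SAMPLE_SSHD"
```

To check a real host, pass the output of `ldd /usr/sbin/sshd` and the stderr sshd printed when it refused the config to `classify` instead of the samples.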
