From owner-freebsd-bugs Tue Jan 29 1:50:17 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 5935837B416
	for ; Tue, 29 Jan 2002 01:50:01 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g0T9o1C22361;
	Tue, 29 Jan 2002 01:50:01 -0800 (PST)
	(envelope-from gnats)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 5013037B417
	for ; Tue, 29 Jan 2002 01:48:11 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g0T9m8T22005;
	Tue, 29 Jan 2002 01:48:08 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200201290948.g0T9m8T22005@freefall.freebsd.org>
Date: Tue, 29 Jan 2002 01:48:08 -0800 (PST)
From: Steven Enderle
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: misc/34401: ssh & kerberos IV don't work together
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         34401
>Category:       misc
>Synopsis:       ssh & kerberos IV don't work together
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 29 01:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Steven Enderle
>Release:        FreeBSD 4.5-RELEASE
>Organization:
mdn Hübner GmbH
>Environment:
Several 4.5-RELEASE machines, but that problem existed in 4.4-RELEASE also
>Description:
ssh(d?) doesn't make use of kerberosIV on FreeBSD, even if MAKE_KERBEROS4= yes is set in make.conf.

Kerberos is working fine in our network; we are using two OpenBSD 2.7 boxes as master and slave.

I want sshd to use kerberos for auth.
It currently just does it when configured via pam to do so, but that's a not so nice way, because it asks me for my password all the time.

Let's see... First, I will log on from FreeBSD 4.5 to OpenBSD 2.9:

FreeBSD::/home/enderle % ssh -V
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
FreeBSD::/home/enderle % uname -a
FreeBSD mydomain 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sun Jan 27 15:46:39 CET 2002 enderle@mydomain:/usr/export/src/sys/compile/BSD01 i386
FreeBSD::/home/enderle % ssh -v OpenBSD
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug1: Connecting to OpenBSD [ip] port 22.
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/enderle/.ssh/identity type -1
debug1: identity file /home/enderle/.ssh/id_rsa type -1
debug1: identity file /home/enderle/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9
debug1: match: OpenSSH_2.9 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'OpenBSD' is known and matches the RSA1 host key.
debug1: Found key in /home/enderle/.ssh/known_hosts:22
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos authentication.
debug1: Kerberos V4 authentication accepted.
debug1: Kerberos V4 challenge successful.
debug1: Requesting pty.
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Tue Jan 29 10:37:05 2002 from workstation
OpenBSD 2.9-stable (NET) #3: Mon May 28 17:02:52 CEST 2001

Welcome to OpenBSD: The proactively secure Unix-like operating system.

OpenBSD::/home/enderle %

Great! We logged in with a working kerberosIV authentication.

Now let's try the same with another FreeBSD 4.5 box:

FreeBSD::/home/enderle % ssh -v FreeBSD2
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug1: Connecting to FreeBSD2 [ip] port 22.
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/enderle/.ssh/identity type -1
debug1: identity file /home/enderle/.ssh/id_rsa type -1
debug1: identity file /home/enderle/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'FreeBSD2' is known and matches the RSA1 host key.
debug1: Found key in /home/enderle/.ssh/known_hosts:18
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
enderle@FreeBSD2's password:

It doesn't seem to know kerberosIV...

Kerberos is enabled and working fine on all the systems.
I think sshd is just not aware of that, because if I uncomment the Kerberos options, which are also enabled on OpenBSD, the following happens:

FreeBSD::/home/enderle # sshd
/etc/ssh/sshd_config: line 56: Bad configuration option: KerberosOrLocalPasswd
/etc/ssh/sshd_config: line 57: Bad configuration option: AFSTokenPassing
/etc/ssh/sshd_config: line 58: Bad configuration option: KerberosTicketCleanup
/etc/ssh/sshd_config: terminating, 3 bad configuration options
FreeBSD::/home/enderle # ldd =sshd
/usr/sbin/sshd:
        libkrb.so.3 => /usr/lib/libkrb.so.3 (0x2809a000)
        libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x280b3000)
        libopie.so.2 => /usr/lib/libopie.so.2 (0x280b5000)
        libmd.so.2 => /usr/lib/libmd.so.2 (0x280be000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280c7000)
        libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x280e0000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x28198000)
        libz.so.2 => /usr/lib/libz.so.2 (0x281a1000)
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x281ae000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x281b6000)
        libc.so.4 => /usr/lib/libc.so.4 (0x281bf000)

Ok, now what do you say about that?

I hope you may help me fix that, it's really annoying to enter my password 50 times a day.
>How-To-Repeat:
Try enabling kerberosIV on FreeBSD 4.5/4.4 and get ssh to use it for authentication (not via pam, that sucks)
>Fix:
...
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
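
An added example, not part of the original report and not FreeBSD or OpenSSH code: a small sh script that reduces the three kinds of evidence quoted in the report (the `ssh -v` trace, the sshd startup errors, and the `ldd` listing) to a one-line summary. The function names are hypothetical, and the sample inputs are excerpts of the output quoted in the report.

```sh
#!/bin/sh
# Added example: summarize the evidence quoted in the report. Function names
# are hypothetical; sample inputs are excerpts of the output quoted above.

# Read `ssh -v` output on stdin; print which authentication path was taken.
classify_auth() {
    awk '
        /Trying Kerberos authentication/      { tried = 1 }
        /Kerberos V4 authentication accepted/ { accepted = 1 }
        /Doing password authentication/       { password = 1 }
        END {
            if (accepted)               print "kerberos4"
            else if (tried && password) print "kerberos4-failed-then-password"
            else if (password)          print "password-only"
            else                        print "unknown"
        }'
}

# Read sshd startup errors on stdin; print each rejected option name.
rejected_options() {
    sed -n 's/^.*: line [0-9][0-9]*: Bad configuration option: \([A-Za-z0-9_]*\).*$/\1/p'
}

# Read `ldd` output on stdin; succeed if the binary links the Kerberos IV library.
links_libkrb() {
    grep -q 'libkrb\.so'
}

# $1 = ssh -v trace, $2 = sshd stderr, $3 = ldd output; print a one-line summary.
diagnose() {
    path=$(printf '%s\n' "$1" | classify_auth)
    bad=$(printf '%s\n' "$2" | rejected_options | tr '\n' ' ')
    if printf '%s\n' "$3" | links_libkrb; then linked=yes; else linked=no; fi
    printf 'client_auth=%s libkrb_linked=%s rejected=%s\n' "$path" "$linked" "${bad% }"
}

TRACE_OPENBSD='debug1: Received encrypted confirmation.
debug1: Trying Kerberos authentication.
debug1: Kerberos V4 authentication accepted.
debug1: Kerberos V4 challenge successful.'
TRACE_FREEBSD2='debug1: Received encrypted confirmation.
debug1: Doing password authentication.'
SSHD_ERR='/etc/ssh/sshd_config: line 56: Bad configuration option: KerberosOrLocalPasswd
/etc/ssh/sshd_config: line 57: Bad configuration option: AFSTokenPassing
/etc/ssh/sshd_config: line 58: Bad configuration option: KerberosTicketCleanup'
LDD_OUT='libkrb.so.3 => /usr/lib/libkrb.so.3 (0x2809a000)'

diagnose "$TRACE_OPENBSD" "" ""
diagnose "$TRACE_FREEBSD2" "$SSHD_ERR" "$LDD_OUT"
```

A summary of `client_auth=password-only` together with `libkrb_linked=yes` and a non-empty `rejected` list is the combination the report describes for the FreeBSD server.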