[8765] in Info-AFS_Redistribution
Openssh on solaris 2.5.1
daemon@ATHENA.MIT.EDU (Peter Scott)
Wed Dec 12 14:57:12 2001
Message-Id: <4.3.2.7.2.20011211153031.00aa9e60@mail2a.jpl.nasa.gov>
Date: Wed, 12 Dec 2001 11:48:18 -0800
To: info-afs@transarc.com
From: Peter Scott <Peter.J.Scott@jpl.nasa.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
I've been beating myself senseless trying to build OpenSSH 3.0.1 on Solaris
2.5.1 and there are AFS problems that no-one here has been able to solve.
The symptoms of the problem are: sshd builds, accepts connections from
non-AFS users, but does not accept a connection from an AFS user; the user
sees "permission denied" after entering the password. The server (in debug
mode) at this point says:
debug1: attempt 2 failures 2
kerberos-iv/udp unknown service, using default port 750
Kerberos v4 TGT for joe unverifiable: Principal unknown
(kerberos); rcmd.grimble not registered, or srvtab is wrong?
debug1: krb4_cleanup_proc called
Failed password for joe from 123.45.67.89 port 34375 ssh2
Snooping the network at this point reveals a transaction on port 750 with
'kerberos', our auth server, that includes:
Client machine 'grimble' sends packet that includes the kerberos realm and
'rcmd.grimble' (all else is binary).
Server sends response that includes username, part of realm (last component
is missing), and text "code = 8: Exec format er"
Snooping the network when the old (SSH1) server runs reveals *no
connection* to 'kerberos' over port 750 during successful login... only
some stuff on 7002/7004.
The code that is producing the error message about rcmd.grimble is from
auth-krb4.c, and says:
    r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
    if (r == KSUCCESS) {
        if ((hp = gethostbyname(localhost)) == NULL) {
            log("Couldn't get local host address!");
            goto failure;
        }
        memmove((void *)&faddr, (void *)hp->h_addr,
            sizeof(faddr));
        /* Verify our "rcmd" ticket. */
        r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
            faddr, &adata, "");
        if (r == RD_AP_UNDEC) {
            /*
             * Probably didn't have a srvtab on
             * localhost. Disallow login.
             */
            log("Kerberos v4 TGT for %s unverifiable, "
                "no srvtab installed? krb_rd_req: %s",
                pw->pw_name, krb_err_txt[r]);
            goto failure;
        } else if (r != KSUCCESS) {
            log("Kerberos v4 %s ticket unverifiable: %s",
                KRB4_SERVICE_NAME, krb_err_txt[r]);
            goto failure;
        }
    } else if (r == KDC_PR_UNKNOWN) {
        /*
         * Disallow login if no rcmd service exists, and
         * log the error.
         */
        log("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
            "not registered, or srvtab is wrong?",
            pw->pw_name,
            krb_err_txt[r], KRB4_SERVICE_NAME, phost);
        goto failure;
So I am wondering whether the problem is the kerberos library I am using...
I built kth-krb 4-1.1 and linked against that. I tried linking against the
AFS krb instead and it fails linking for want of two routines:
krb_get_default_tkt_root and krb_get_default_keyfile
both of which are only in the newer kerberos library. I wondered whether
the problem is something to do with string_to_key(), but I stuck a debugging
print in the afs_string_to_key() function in kth-krb and it fired, so this
isn't the problem unless there's a bug in the kth code.
FYI, when a non-AFS user logs in (which succeeds), the server says (in part):
Failed keyboard-interactive for mary from 123.45.67.89 port 34370 ssh2
debug1: userauth-request for user mary service ssh-connection
method password
debug1: attempt 2 failures 2
kerberos-iv/udp unknown service, using default port 750
debug1: Kerberos v4 password authentication for mary failed:
Password incorrect
debug1: krb4_cleanup_proc called
Accepted password for mary from 123.45.67.89 port 34370 ssh2
debug1: Entering interactive session for SSH2.
I wondered whether my config files were to blame; I've tried many
combinations of options. The relevant options from the ones I'm using are
below. Note that there is no difference in behavior in connecting via SSH2
and SSH1.
Lots of people have gotten openssh 3.0.1 to build on Solaris 2.6 and higher
and claimed that AFS works fine, but no-one has admitted to getting this
part working on Solaris 2.5.1.
ssh_config:
ForwardAgent yes
# RhostsAuthentication no
RhostsRSAAuthentication yes
HostbasedAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
# BatchMode no
# CheckHostIP yes
StrictHostKeyChecking no
KerberosAuthentication yes
AFSTokenPassing yes
# Kerberos TGT Passing does only work with the AFS kaserver
KerberosTgtPassing yes
sshd_config:
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts no
RhostsRSAAuthentication yes
HostbasedAuthentication yes
#IgnoreUserKnownHosts yes
PasswordAuthentication yes
#PAMAuthenticationViaKbdInt yes
KerberosAuthentication yes
KerberosOrLocalPasswd no
AFSTokenPassing yes
KerberosTicketCleanup yes
KerberosTgtPassing yes
KeepAlive yes
--
Peter Scott
Peter.J.Scott@jpl.nasa.gov
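An added triage helper, not part of the post or of OpenSSH: it maps each Kerberos v4 failure message that sshd logs (the log() calls in the auth-krb4.c excerpt above, plus the password-failure line seen for the non-AFS user) back to the library call that produced it, so a failure can be placed either at the TGT step or at the rcmd service-ticket verification that guards against a spoofed KDC. The stage name krb_get_pw_in_tkt and the remediation strings are assumptions of mine, not text from the post.

```python
import re

# Each rule maps one sshd/auth-krb4.c log message to the krb4 library call
# that emits it and to what an administrator should check.  The stage name
# krb_get_pw_in_tkt and the advice text are assumptions, not from the post.
KRB4_RULES = [
    (re.compile(r"Kerberos v4 TGT for (?P<user>\S+) unverifiable: (?P<err>.+?); "
                r"(?P<svc>[^.\s]+)\.(?P<host>\S+) not registered"),
     "krb_mk_req",
     "KDC has no key for the service principal; register it and install its srvtab"),
    (re.compile(r"Kerberos v4 TGT for (?P<user>\S+) unverifiable, no srvtab installed\? "
                r"krb_rd_req: (?P<err>.+)"),
     "krb_rd_req",
     "service ticket arrived but cannot be decrypted locally; srvtab missing on this host"),
    (re.compile(r"Kerberos v4 (?P<svc>[^.\s]+) ticket unverifiable: (?P<err>.+)"),
     "krb_rd_req",
     "service ticket rejected; the srvtab key probably does not match the KDC"),
    (re.compile(r"Kerberos v4 password authentication for (?P<user>\S+) failed: (?P<err>.+)"),
     "krb_get_pw_in_tkt",
     "initial TGT request failed; wrong password or KDC not reachable"),
]


def classify(line):
    """Return a dict naming the failed krb4 step, or None for unrelated lines."""
    for rx, stage, advice in KRB4_RULES:
        m = rx.search(line)
        if m:
            hit = {"stage": stage, "advice": advice}
            hit.update(m.groupdict())
            return hit
    return None


def triage(lines):
    """Classify every line of an sshd debug log, dropping the unrelated ones."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample: the messages quoted in the post, with mail-wrapped
# messages re-joined onto one line each.
SAMPLE_LOG = [
    "debug1: attempt 2 failures 2",
    "kerberos-iv/udp unknown service, using default port 750",
    "Kerberos v4 TGT for joe unverifiable: Principal unknown (kerberos); "
    "rcmd.grimble not registered, or srvtab is wrong?",
    "Failed password for joe from 123.45.67.89 port 34375 ssh2",
    "debug1: Kerberos v4 password authentication for mary failed: Password incorrect",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```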