[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Sep 10 20:31:42 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=635

------- Additional Comments From mmokrejs at natur.cuni.cz  2003-09-10 20:31 -------
So I tested with heimdal and the latest openssh snapshot-10-09-03:

checking whether we are using Heimdal... yes
checking for library containing dn_expand... none required
checking for gss_init_sec_context in -lgssapi... yes
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... no
checking for gssapi_krb5.h... no

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH:
/usr/bin:/bin:/sbin:/usr/local/bin:/usr/local/sbin:/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/bin/X11:/usr/afs/bin:/usr/athena/bin:/usr/local/openssl/bin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
                    Manpage format: man
                       DNS support: no
                       PAM support: no
                 KerberosV support: yes
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: alphaev67-dec-osf5.1
          Compiler: cc
    Compiler flags: -O2 -arch ev56
Preprocessor flags: -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include  -I/usr/heimdal/include 
      Linker flags: -L/usr/local/openssl/lib -Lyes  -L/usr/heimdal/lib
         Libraries: -lwrap  -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto
-L/usr/heimdal/lib -lgssapi -lkrb5 -lasn1 -lcrypto -lroken -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib


I can compile fine but the produced binaries do not use kerberos:

serow# ./ssh -v -l mokrejs serow -p 8888
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to serow [146.107.217.72] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'serow' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
mokrejs at serow's password: 
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Tue Sep  9 22:47:01 MEST 2003 from sheep1.gsf.de
Compaq Tru64 UNIX V5.1A (Rev. 1885); Fri Dec  6 18:07:50 MET 2002
Tru64 UNIX German Support V5.1A (rev. 168)
Tru64 UNIX Czech Support V5.1A (rev. 168)
Tru64 UNIX Polish Support V5.1A (rev. 168)
Tru64 UNIX Russian Support V5.1A (rev. 168)
Tru64 UNIX Slovak Support V5.1A (rev. 168)
Tru64 UNIX Spanish Support V5.1A (rev. 168)
Tru64 UNIX Swedish Support V5.1A (rev. 168)


serow$ logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to serow closed.
debug1: Transferred: stdin 0, stdout 0, stderr 29 bytes in 2.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 13.6
debug1: Exit status 0
serow# ./ssh -v -l mokrejs serow -p 8888 -1
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to serow [146.107.217.72] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.7p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'serow' is known and matches the RSA1 host key.
debug1: Found key in /.ssh/known_hosts:13
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
mokrejs at serow's password: 
debug1: Requesting pty.
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Wed Sep 10 12:07:44 MEST 2003 from serow.gsf.de
Compaq Tru64 UNIX V5.1A (Rev. 1885); Fri Dec  6 18:07:50 MET 2002
Tru64 UNIX German Support V5.1A (rev. 168)
Tru64 UNIX Czech Support V5.1A (rev. 168)
Tru64 UNIX Polish Support V5.1A (rev. 168)
Tru64 UNIX Russian Support V5.1A (rev. 168)
Tru64 UNIX Slovak Support V5.1A (rev. 168)
Tru64 UNIX Spanish Support V5.1A (rev. 168)
Tru64 UNIX Swedish Support V5.1A (rev. 168)

serow$ 



I remember openssh used to use kerberos only in protocol one, and there used to
be a patch from Jan Iven that actually allowed kerberos to be used also in
protocol two. It seems those patches have been totally backed out with the
removal of krb4. BTW, I still see krb4 in the configure.

So, with the above patch, ssh and sshd are created as:

cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o
sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib -Lyes 
-L/usr/heimdal/lib -lssh -lopenbsd-compat -lrt -lz -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm
-laud -lcrypto -L/usr/heimdal/lib -lgssapi -lkrb5 -lasn1 -lcrypto -lroken
-L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o
sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o
auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o
kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o
auth-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib
-Lyes  -L/usr/heimdal/lib -lssh -lopenbsd-compat -lwrap  -lrt -lz
-L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
-lsecurity -ldb -lm -laud -lcrypto -L/usr/heimdal/lib -lgssapi -lkrb5 -lasn1
-lcrypto -lroken -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib

I remember there have been problems with the order of libs which prevented kerberos
from being used; also crypt() from libc used to override the one from libcrypto. I
believe you can find the reports in the email archives of openssh, look for
reporters from "natur.cuni.cz".


This is how it should look:

mmokrejs at prfdec$ kauth mmokrejs
mmokrejs at NATUR.CUNI.CZ's Password: 
mmokrejs at prfdec$ ssh -v -1 www
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug1: /usr/local/etc/ssh_config line 70: Deprecated option "UseRsh"
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to www [195.113.56.1] port 22.
debug1: Connection established.
debug1: identity file /usr/home3/mmokrejs/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'www' is known and matches the RSA1 host key.
debug1: Found key in /usr/home3/mmokrejs/.ssh/known_hosts:25
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v4 authentication.
debug1: Kerberos v4 authentication accepted.
debug1: Kerberos v4 challenge successful.
debug1: Requesting compression at level 9.
debug1: Enabling compression at level 9.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting shell.
debug1: Entering interactive session.
Last   successful login for mmokrejs: Wed Sep 10 11:10:57 CEST 2003 from
sheep1.gsf.de
Last unsuccessful login for mmokrejs: Thu Aug 28 08:54:23 CEST 2003 from
sheep1.gsf.de

Compaq Tru64 UNIX V5.1A (Rev. 1885); Tue Aug 12 21:09:54 CEST 2003

mmokrejs at prfdec$ logout
Connection to www closed.
debug1: Transferred: stdin 1, stdout 408, stderr 27 bytes in 43.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 9.5, stderr 0.6
debug1: Exit status 0
debug1: compress outgoing: raw data 212, compressed 210, factor 0.99
debug1: compress incoming: raw data 440, compressed 348, factor 0.79
mmokrejs at prfdec$ 


This installation was created by David Komanek
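A small check script, added here and not taken from the bug report or from the OpenSSH project, that pulls the two symptoms out of the output above: configure flags whose argument is the literal `yes` (the `-Iyes`/`-Lyes` in the summary) and the authentication methods the server actually offered in the `ssh -v` transcript. The sample lines are constructed from the quoted output, the function names are mine, and the explanation that `-Iyes` comes from a `--with-...=yes` value leaking into the flags is an assumption, not something the report states.

```shell
#!/bin/sh
# Added example, not part of the bug report: check a configure summary and an
# `ssh -v` transcript for the symptoms described above. Samples are constructed.

# Constructed excerpt of the configure summary (note "-Iyes" / "-Lyes").
CONFIGURE_SUMMARY='KerberosV support: yes
Preprocessor flags: -I/usr/local/openssl/include -Iyes -I/usr/heimdal/include
Linker flags: -L/usr/local/openssl/lib -Lyes -L/usr/heimdal/lib'

# Constructed excerpt of the ssh -v output: no GSSAPI/Kerberos method offered.
SSH_DEBUG='debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'

# Print -I/-L flags whose "path" is the literal yes/no. Assumption: a
# --with-<pkg>=yes style value leaked into CPPFLAGS/LDFLAGS instead of a path.
find_bogus_flags() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^-[IL](yes|no)$'
}

# Print the method list the server offered on the first authentication round.
offered_methods() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# Print the method named in "Authentication succeeded (...)", if any.
succeeded_method() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Authentication succeeded (\(.*\))\.$/\1/p'
}

# Exit 0 when a Kerberos/GSSAPI method (gssapi*, kerberos*) was offered.
kerberos_offered() {
    offered_methods "$1" | tr ',' '\n' | grep -Eqi '^(gssapi|kerberos)'
}

# Stand-alone report over the constructed samples.
main() {
    bogus=$(find_bogus_flags "$CONFIGURE_SUMMARY" | tr '\n' ' ')
    [ -n "$bogus" ] && echo "suspicious configure flags: $bogus"
    echo "offered:   $(offered_methods "$SSH_DEBUG")"
    echo "succeeded: $(succeeded_method "$SSH_DEBUG")"
    if kerberos_offered "$SSH_DEBUG"; then
        echo "Kerberos/GSSAPI was offered by the server"
    else
        echo "no Kerberos/GSSAPI method offered: client build or server lacks it"
    fi
}
main
```

Run it against a real `ssh -v` capture by replacing `SSH_DEBUG` with the transcript; an empty `find_bogus_flags` result and a `gssapi` entry in the offered list are what a working Kerberos build should show.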
