OpenSSH + Solaris + AFS ???

Ernst Boetsch <Ernst.Boetsch@lrz-muenchen.de>
Tue Jun 19 07:56:25 EST 2001


Hello *,


Sorry if I missed an article that already solves my problem.

I need a working configuration of OpenSSH for Solaris 7 (SunOS 5.7)
with AFS support.  PAM support to use the AFS PAM module `pam_afs.so'
and TCP-Wrapper support would be nice.

It would be nice to have similar configurations for Solaris 6
(SunOS 5.6), Solaris 8 (SunOS 5.8) and Solaris 2.5.1.


I have tested a few configurations but none worked.
The last one was:

 * openssh-2.9p1, krb4-1.0.8, openssl-0.9.6a, zlib-1.1.3, AFS 3.5 (?),
   cc (Sun WorkShop 6 update 1), SunOS 5.7


 * Static libraries of `krb4-1.0.8' and `openssl-0.9.6a'


 * OpenSSH has been configured with the following options:
                 User binaries: /sw/sun4_57/Security/openssh-2.9p1
               System binaries: /sw/sun4_57/Security/openssh-2.9p1
           Configuration files: /usr/local/etc/openssh
               Askpass program: /sw/sun4_57/Security/openssh-2.9p1/ssh-askpass
                  Manual pages: /sw/sun4_57/Security/openssh-2.9p1/man/manX
                      PID file: /usr/local/etc/openssh
        sshd default user PATH: /usr/bin:/usr/ucb:/usr/local/bin:/client/bin
      Random number collection: Builtin (timeout 200)
                Manpage format: man
                   PAM support: yes
            KerberosIV support: yes
                   AFS support: yes
                 S/KEY support: no
          TCP Wrappers support: yes
          MD5 password support: no
   IP address in $DISPLAY hack: no
      Use IPv4 by default hack: yes
       Translate v4 in v6 hack: no

              Host: sparc-sun-solaris2.7
          Compiler: /opt/SUNWspro.6/bin/cc
    Compiler flags: -g
Preprocessor flags: -I/client/include -I/client/include -I/usr/local/include -I/usr/afsws/include
      Linker flags: -R/client/lib -L/client/lib -z muldefs -L/client/lib -R/client/lib -L/usr/local/lib -R/usr/local/lib -L/usr/afsws/lib
         Libraries: -lkafs -lresolv -ldes -lkrb -lpam -ldl -lwrap -lz -lsocket -lnsl  -lgen -lcrypto -ldes


 * /etc/pam.conf:
	sshd    auth sufficient /usr/lib/security/pam_afs.so    ignore_root
	sshd    auth required   /usr/lib/security/pam_unix.so   try_first_pass debug
	sshd    account sufficient      /usr/lib/security/pam_afs.so.1 ignore_root
	sshd    account required        /usr/lib/security/pam_unix.so.1 try_first_pass debug
	other   session required        /usr/lib/security/pam_unix.so.1 


 * tcpd/allow:
	sshd:.lrz-muenchen.de:rfc931
	sshdfwd-X11:.lrz-muenchen.de:rfc931


 * sshd.cf:
	Port 222
	ListenAddress 0.0.0.0
	HostKey /usr/local/etc/openssh/host_key
	ServerKeyBits 768
	LoginGraceTime 600
	KeyRegenerationInterval 3600
	PermitRootLogin yes
	IgnoreRhosts no
	StrictModes yes
	X11Forwarding yes
	X11DisplayOffset 10
	PrintMotd yes
	KeepAlive yes
	SyslogFacility AUTH
	RhostsAuthentication no
	RhostsRSAAuthentication yes
	RSAAuthentication yes
	PasswordAuthentication yes
	PermitEmptyPasswords yes
	UseLogin no
	KerberosAuthentication yes
	KerberosOrLocalPasswd no
	KerberosTgtPassing yes
	AFSTokenPassing yes
	KerberosTicketCleanup yes
	XAuthLocation /usr/openwin/bin/xauth


 * Log of `ssh -v -p 222 suntest2' and `sshd -d -d -d' if `.shosts'
   permits login without a password, as attachments
   (files `ssh.log.with-shosts' and `sshd.log.with-shosts')

 * Log of `ssh -v -p 222 suntest2' and `sshd -d -d -d' if `.shosts' does
   not permit login without a password, as attachments
   (files `ssh.log.without-shosts' and `sshd.log.without-shosts')


Do you need any other information?


Any hints are appreciated very much.
Thank you for your cooperation.

Kind regards,
    Ernst Boetsch

-- 
*******************************************************************
Ernst N. Boetsch                      |  Leibniz Computer Center
                                      |     of the Bavarian Academy
Email: Ernst.Boetsch@lrz-muenchen.de  |     of Sciences
Phone: +49 89 289-28831 (/-28784)     |  Barer Strasse 21
Fax:   +49 89 2809460                 |  D-80333 Muenchen, Germany
-------------- next part: ssh.log.with-shosts --------------
$ ssh -v -p 222 suntest2
SSH Version 1.2.27 (AFS/KRB.p1, LRZ) [sparc-sun-solaris2.5.1], protocol version 1.5.
Standard version.  Does not use RSAREF.
wsc33: Reading configuration data /afs/lrz/home/a/a2822ab/.ssh/config
wsc33: Applying options for *
wsc33: Reading configuration data /usr/local/etc/ssh/config
wsc33: Applying options for *
wsc33: ssh_connect: getuid 10416 geteuid 0 anon 0
wsc33: Connecting to suntest2 [129.187.10.13] port 222.
wsc33: Allocated local port 1013.
wsc33: Connection established.
wsc33: Remote protocol version 1.5, remote software version OpenSSH_2.9p1 (LRZ)
wsc33: Waiting for server public key.
wsc33: Received server public key (768 bits) and host key (1024 bits).
wsc33: Host 'suntest2' is known and matches the host key.
wsc33: Initializing random; seed file /afs/lrz/home/a/a2822ab/.ssh/random_seed
wsc33: Encryption type: blowfish
wsc33: Sent encrypted session key.
wsc33: Installing crc compensation attack detector.
wsc33: Received encrypted confirmation.
wsc33: Remote: AFS token accepted (afs@lrz-muenchen.de, AFS ID 10416@lrz-muenchen.de)
wsc33: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
wsc33: Remote: Accepted by .ssh/shosts.
wsc33: Received RSA challenge for host key from server.
wsc33: Sending response to host key RSA challenge.
wsc33: Remote: Rhosts with RSA host authentication accepted.
wsc33: Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.
wsc33: Requesting pty.
wsc33: Requesting X11 forwarding with authentication spoofing.
wsc33: Requesting shell.
wsc33: Entering interactive session.
Last login: Mon Jun 18 23:30:31 2001 from wsc33.lrz-muenc
Sun Microsystems Inc.   SunOS 5.7       Generic October 1998
debug1: PAM establishing creds
Command terminated on signal 11.
-------------- next part: sshd.log.with-shosts --------------
debug3: Reading output from 'ls -alni /var/log'
debug3: Time elapsed: 23 msec
debug3: Got 1.93 bytes of entropy from 'ls -alni /var/log'

[...]

debug3: Reading output from 'tail -200 /var/adm/messages'
debug3: Time elapsed: 14 msec
debug3: Got 0.34 bytes of entropy from 'tail -200 /var/adm/messages'
debug1: Seeded RNG with 36 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: sshd version OpenSSH_2.9p1 (LRZ)
debug1: private host key: #0 type 0 RSA1
Disabling protocol version 2. Could not load host key
debug1: Bind to port 222 on 0.0.0.0.
Server listening on 0.0.0.0 port 222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 129.187.10.85 port 1013
debug1: Client protocol version 1.5; client software version 1.2.27 (AFS/KRB.p1, LRZ)
debug1: no match: 1.2.27 (AFS/KRB.p1, LRZ)
debug1: Local version string SSH-1.5-OpenSSH_2.9p1 (LRZ)
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "a2822ab"
debug3: Trying to reverse map address 129.187.10.85.
debug1: PAM setting rhost to "wsc33.lrz-muenchen.de"
debug1: Attempting authentication for a2822ab.
debug1: Trying rhosts with RSA host authentication for client user a2822ab
debug2: auth_rhosts2: clientuser a2822ab hostname wsc33.lrz-muenchen.de ipaddr 129.187.10.85
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
debug1: Rhosts RSA authentication: canonical host wsc33.lrz-muenchen.de
debug3: check_host_in_hostfile: filename /usr/local/etc/openssh/known_hosts
debug3: check_host_in_hostfile: match line 260
Rhosts with RSA host authentication accepted for a2822ab, a2822ab on wsc33.lrz-muenchen.de.
debug1: PAM setting ruser to "a2822ab"
Accepted rhosts-rsa for a2822ab from 129.187.10.85 port 1013 ruser a2822ab
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug2: tty_parse_modes: ospeed 9600
debug2: tty_parse_modes: ispeed 9600
debug2: tty_parse_modes: 1 3

[...]

debug2: tty_parse_modes: 2 28
debug2: tty_parse_modes: 93 0
debug1: Received request for X11 forwarding with auth spoofing.
debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1
debug1: bind port 6010: Address already in use
debug1: bind port 6011: Address already in use
debug1: fd 11 setting O_NONBLOCK
debug1: fd 11 IS O_NONBLOCK
debug1: channel 0: new [X11 inet listener]
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
debug1: PAM setting tty to "/dev/pts/10"
debug1: PAM establishing creds
debug1: Entering interactive session.
debug1: fd 6 setting O_NONBLOCK
debug1: fd 10 IS O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug1: End of interactive session; stdin 0, stdout (read 155, sent 155), stderr 0 bytes.
debug1: channel_free: channel 0: status: The following connections are open:

debug1: Received SIGCHLD.
Disconnecting: Command terminated on signal 11.
debug1: Calling cleanup 0x52040(0x0)
debug1: xauthfile_cleanup_proc called
debug1: Calling cleanup 0x60450(0x0)
debug1: Calling cleanup 0x520f8(0x179318)
debug1: pty_cleanup_proc: /dev/pts/10
debug1: Calling cleanup 0x47bd0(0x0)
debug1: Cannot delete credentials[7]: Permission denied
debug1: Calling cleanup 0x6fff8(0x0)
debug1: Calling cleanup 0x7b100(0x0)
debug1: writing PRNG seed to file //.ssh/prng_seed
-------------- next part: ssh.log.without-shosts --------------
$ ssh -v -p 222 suntest2
SSH Version 1.2.27 (AFS/KRB.p1, LRZ) [sparc-sun-solaris2.5.1], protocol version 1.5.
Standard version.  Does not use RSAREF.
wsc33: Reading configuration data /afs/lrz/home/a/a2822ab/.ssh/config
wsc33: Applying options for *
wsc33: Reading configuration data /usr/local/etc/ssh/config
wsc33: Applying options for *
wsc33: ssh_connect: getuid 10416 geteuid 0 anon 0
wsc33: Connecting to suntest2 [129.187.10.13] port 222.
wsc33: Allocated local port 1013.
wsc33: Connection established.
wsc33: Remote protocol version 1.5, remote software version OpenSSH_2.9p1 (LRZ)
wsc33: Waiting for server public key.
wsc33: Received server public key (768 bits) and host key (1024 bits).
wsc33: Host 'suntest2' is known and matches the host key.
wsc33: Initializing random; seed file /afs/lrz/home/a/a2822ab/.ssh/random_seed
wsc33: Encryption type: blowfish
wsc33: Sent encrypted session key.
wsc33: Installing crc compensation attack detector.
wsc33: Received encrypted confirmation.
wsc33: Remote: AFS token accepted (afs@lrz-muenchen.de, AFS ID 10416@lrz-muenchen.de)
wsc33: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
wsc33: Server refused our rhosts authentication or host key.
wsc33: No agent.
wsc33: Doing password authentication.
a2822ab@suntest2's password: 
wsc33: Requesting pty.
wsc33: Requesting X11 forwarding with authentication spoofing.
wsc33: Requesting shell.
wsc33: Entering interactive session.
Last login: Mon Jun 18 23:39:13 2001 from wsc33.lrz-muenc
Sun Microsystems Inc.   SunOS 5.7       Generic October 1998
debug1: PAM establishing creds
Command terminated on signal 11.
-------------- next part: sshd.log.without-shosts --------------
debug3: Reading output from 'ls -alni /var/log'
debug3: Time elapsed: 23 msec
debug3: Got 1.93 bytes of entropy from 'ls -alni /var/log'

[...]

debug3: Reading output from 'tail -200 /var/adm/messages'
debug3: Time elapsed: 14 msec
debug3: Got 0.44 bytes of entropy from 'tail -200 /var/adm/messages'
debug1: Seeded RNG with 36 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: sshd version OpenSSH_2.9p1 (LRZ)
debug1: private host key: #0 type 0 RSA1
Disabling protocol version 2. Could not load host key
debug1: Bind to port 222 on 0.0.0.0.
Server listening on 0.0.0.0 port 222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 129.187.10.85 port 1013
debug1: Client protocol version 1.5; client software version 1.2.27 (AFS/KRB.p1, LRZ)
debug1: no match: 1.2.27 (AFS/KRB.p1, LRZ)
debug1: Local version string SSH-1.5-OpenSSH_2.9p1 (LRZ)
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "a2822ab"
debug3: Trying to reverse map address 129.187.10.85.
debug1: PAM setting rhost to "wsc33.lrz-muenchen.de"
debug1: Attempting authentication for a2822ab.
debug1: Trying rhosts with RSA host authentication for client user a2822ab
debug2: auth_rhosts2: clientuser a2822ab hostname wsc33.lrz-muenchen.de ipaddr 129.187.10.85
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
Failed rhosts-rsa for a2822ab from 129.187.10.85 port 1013 ruser a2822ab
debug1: writing PRNG seed to file //.ssh/prng_seed
debug1: PAM Password authentication accepted for user "a2822ab"
Accepted password for a2822ab from 129.187.10.85 port 1013
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug2: tty_parse_modes: ospeed 9600
debug2: tty_parse_modes: ispeed 9600
debug2: tty_parse_modes: 1 3

[...]

debug2: tty_parse_modes: 93 0
debug1: Received request for X11 forwarding with auth spoofing.
debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1
debug1: bind port 6010: Address already in use
debug1: bind port 6011: Address already in use
debug1: fd 11 setting O_NONBLOCK
debug1: fd 11 IS O_NONBLOCK
debug1: channel 0: new [X11 inet listener]
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
debug1: PAM setting tty to "/dev/pts/10"
debug1: PAM establishing creds
debug1: Entering interactive session.
debug1: fd 6 setting O_NONBLOCK
debug1: fd 10 IS O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug1: End of interactive session; stdin 0, stdout (read 155, sent 155), stderr 0 bytes.
debug1: channel_free: channel 0: status: The following connections are open:

debug1: Received SIGCHLD.
Disconnecting: Command terminated on signal 11.
debug1: Calling cleanup 0x52040(0x0)
debug1: xauthfile_cleanup_proc called
debug1: Calling cleanup 0x60450(0x0)
debug1: Calling cleanup 0x520f8(0x179318)
debug1: pty_cleanup_proc: /dev/pts/10
debug1: Calling cleanup 0x47bd0(0x0)
debug1: Cannot delete credentials[7]: Permission denied
debug1: Calling cleanup 0x6fff8(0x0)
debug1: Calling cleanup 0x7b100(0x0)
debug1: writing PRNG seed to file //.ssh/prng_seed
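A review of the `sshd.cf' quoted in the message, as an added example that is neither the poster's code nor OpenSSH's: it parses the configuration, flags the directives a security reviewer would question (PermitEmptyPasswords yes, PermitRootLogin yes, RhostsRSAAuthentication yes together with IgnoreRhosts no, a 768-bit SSH-1 server key, a 600-second login grace period) and produces a copy with the reviewer's replacement values. The thresholds and replacement values are the editor's judgement, not settings from the post; the keyword names are OpenSSH 2.9 ones, and the rhosts and ServerKeyBits directives only exist in releases that still speak protocol 1. The sample configuration is copied verbatim from the message.

```python
import re

# Constructed sample input: the `sshd.cf' quoted in the post, copied verbatim.
SAMPLE_SSHD_CONFIG = """\
Port 222
ListenAddress 0.0.0.0
HostKey /usr/local/etc/openssh/host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTgtPassing yes
AFSTokenPassing yes
KerberosTicketCleanup yes
XAuthLocation /usr/openwin/bin/xauth
"""

def parse_sshd_config(text):
    """Map each `Keyword value' line to {keyword.lower(): value}.

    sshd keywords are case-insensitive; comments and blank lines are skipped.
    A repeated keyword keeps its first value, as sshd does for most directives."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1])
    return conf

# (keyword, predicate on its value, reason).  Thresholds are the editor's
# review judgement (assumption), not values stated anywhere in the post.
CHECKS = [
    ("permitemptypasswords", lambda v: v == "yes",
     "accounts with an empty password field are reachable over the network"),
    ("permitrootlogin", lambda v: v == "yes",
     "root may log in directly; with PasswordAuthentication yes it is guessable"),
    ("rhostsrsaauthentication", lambda v: v == "yes",
     "login is delegated to a client host key plus a .shosts/.rhosts entry"),
    ("ignorerhosts", lambda v: v == "no",
     "per-user .rhosts/.shosts files are honoured for host-based trust"),
    ("serverkeybits", lambda v: v.isdigit() and int(v) < 1024,
     "ephemeral SSH-1 server key shorter than 1024 bits"),
    ("logingracetime", lambda v: v.isdigit() and int(v) > 120,
     "an unauthenticated connection may hold its slot for a long time"),
]

def audit_sshd_config(conf):
    """Return [(keyword, value, reason)] for every directive a check flags."""
    return [(key, conf[key], why) for key, bad, why in CHECKS
            if key in conf and bad(conf[key])]

# Reviewer's values for the flagged directives (assumed, OpenSSH 2.9 keywords).
HARDENED = {
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
    "rhostsrsaauthentication": "no",
    "ignorerhosts": "yes",
    "serverkeybits": "1024",
    "logingracetime": "120",
}

def hardened_config(conf):
    """Copy of conf with the reviewer's values applied; everything else untouched."""
    fixed = dict(conf)
    fixed.update(HARDENED)
    return fixed

if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for key, value, why in audit_sshd_config(conf):
        print(f"{key} {value}: {why}")
    print("findings after hardening:", audit_sshd_config(hardened_config(conf)))
```

The first attached sshd log shows what RhostsRSAAuthentication yes with IgnoreRhosts no permits in practice: the login is accepted on the strength of the client's host key (matched in the server's known_hosts) and a `.shosts' entry, without any user credential being asked for.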


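To compare the two `sshd -d -d -d' logs attached above, here is an added example (the editor's code, not the poster's and not OpenSSH's) that extracts from each log the authentication events, the last PAM step reached, the signal the session child died with and any credential cleanup errors. The sample logs are abridged copies of the two attachments; the summary field names are the example's own. Run on both, it shows that the runs differ only in how the user was authenticated (rhosts-rsa via `.shosts' in one, password in the other) and end identically: signal 11 right after "PAM establishing creds", followed by "Cannot delete credentials[7]: Permission denied" during cleanup.

```python
import re

# Constructed sample input: abridged copies of the two `sshd -d -d -d' logs
# attached to the post (login via .shosts, then login via password).
SSHD_LOG_WITH_SHOSTS = """\
debug1: Seeded RNG with 36 bytes from programs
debug1: private host key: #0 type 0 RSA1
Disabling protocol version 2. Could not load host key
debug1: Starting up PAM with username "a2822ab"
debug1: PAM setting rhost to "wsc33.lrz-muenchen.de"
Rhosts with RSA host authentication accepted for a2822ab, a2822ab on wsc33.lrz-muenchen.de.
debug1: PAM setting ruser to "a2822ab"
Accepted rhosts-rsa for a2822ab from 129.187.10.85 port 1013 ruser a2822ab
debug1: PAM setting tty to "/dev/pts/10"
debug1: PAM establishing creds
debug1: Entering interactive session.
debug1: Received SIGCHLD.
Disconnecting: Command terminated on signal 11.
debug1: Cannot delete credentials[7]: Permission denied
"""

SSHD_LOG_WITHOUT_SHOSTS = """\
debug1: Seeded RNG with 36 bytes from programs
Disabling protocol version 2. Could not load host key
debug1: Starting up PAM with username "a2822ab"
Failed rhosts-rsa for a2822ab from 129.187.10.85 port 1013 ruser a2822ab
debug1: PAM Password authentication accepted for user "a2822ab"
Accepted password for a2822ab from 129.187.10.85 port 1013
debug1: PAM setting tty to "/dev/pts/10"
debug1: PAM establishing creds
debug1: Entering interactive session.
debug1: Received SIGCHLD.
Disconnecting: Command terminated on signal 11.
debug1: Cannot delete credentials[7]: Permission denied
"""

AUTH_RE = re.compile(r"^(Accepted|Failed) (\S+) for (\S+) from (\S+) port (\d+)")
SIGNAL_RE = re.compile(r"Command terminated on signal (\d+)")
RNG_RE = re.compile(r"Seeded RNG with (\d+) bytes from programs")

def triage_sshd_log(text):
    """Summarise one sshd debug log: auth events, last PAM step, crash, cleanup errors."""
    summary = {
        "auth": [],                 # (result, method, user, ip, port), in order seen
        "protocol2_disabled": False,
        "rng_program_bytes": None,  # bytes the portable RNG drew from command output
        "last_pam_step": None,      # last `PAM ...' debug line before the disconnect
        "crash_signal": None,       # signal the session child died with, if any
        "cleanup_errors": [],
    }
    for line in text.splitlines():
        auth = AUTH_RE.match(line)
        rng = RNG_RE.search(line)
        sig = SIGNAL_RE.search(line)
        if auth:
            result, method, user, ip, port = auth.groups()
            summary["auth"].append((result, method, user, ip, int(port)))
        elif line.startswith("Disabling protocol version 2"):
            summary["protocol2_disabled"] = True
        elif rng:
            summary["rng_program_bytes"] = int(rng.group(1))
        elif sig:
            summary["crash_signal"] = int(sig.group(1))
        elif "Cannot delete credentials" in line:
            summary["cleanup_errors"].append(line.split(": ", 1)[1])
        elif summary["crash_signal"] is None and line.startswith("debug1: PAM "):
            summary["last_pam_step"] = line[len("debug1: "):]
    return summary

def same_failure(a, b):
    """True when two runs die the same way, whatever authentication path they took."""
    return (a["crash_signal"] is not None
            and a["crash_signal"] == b["crash_signal"]
            and a["last_pam_step"] == b["last_pam_step"])

if __name__ == "__main__":
    for name, log in (("with .shosts", SSHD_LOG_WITH_SHOSTS),
                      ("without .shosts", SSHD_LOG_WITHOUT_SHOSTS)):
        s = triage_sshd_log(log)
        print(name, s["auth"], s["last_pam_step"], s["crash_signal"], s["cleanup_errors"])
```

The same parser runs unchanged over the full attachments; the abridged copies keep only the lines the summary depends on.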