OpenSSH + Solaris + AFS ???
Ernst Boetsch
Ernst.Boetsch at lrz-muenchen.de
Tue Jun 19 07:56:25 EST 2001
Hello *,
Sorry if I missed an article which already solves my problem.
I need a working configuration of OpenSSH for Solaris 7 (SunOS 5.7)
with AFS support. PAM support to use the AFS PAM module `pam_afs.so'
and TCP-Wrapper support would be nice.
It would be nice to have similar configurations for Solaris 6
(SunOS 5.6), Solaris 8 (SunOS 5.8) and Solaris 2.5.1.
I have tested a few configurations but none worked.
The last one was:
* openssh-2.9p1, krb4-1.0.8, openssl-0.9.6a, zlib-1.1.3, AFS 3.5 (?),
cc (Sun WorkShop 6 update 1), SunOS 5.7
* Static libraries of `krb4-1.0.8' and `openssl-0.9.6a'
* OpenSSH has been configured with the following options:
User binaries: /sw/sun4_57/Security/openssh-2.9p1
System binaries: /sw/sun4_57/Security/openssh-2.9p1
Configuration files: /usr/local/etc/openssh
Askpass program: /sw/sun4_57/Security/openssh-2.9p1/ssh-askpass
Manual pages: /sw/sun4_57/Security/openssh-2.9p1/man/manX
PID file: /usr/local/etc/openssh
sshd default user PATH: /usr/bin:/usr/ucb:/usr/local/bin:/client/bin
Random number collection: Builtin (timeout 200)
Manpage format: man
PAM support: yes
KerberosIV support: yes
AFS support: yes
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: yes
Translate v4 in v6 hack: no
Host: sparc-sun-solaris2.7
Compiler: /opt/SUNWspro.6/bin/cc
Compiler flags: -g
Preprocessor flags: -I/client/include -I/client/include -I/usr/local/include -I/usr/afsws/include
Linker flags: -R/client/lib -L/client/lib -z muldefs -L/client/lib -R/client/lib -L/usr/local/lib -R/usr/local/lib -L/usr/afsws/lib
Libraries: -lkafs -lresolv -ldes -lkrb -lpam -ldl -lwrap -lz -lsocket -lnsl -lgen -lcrypto -ldes
* /etc/pam.conf:
sshd auth sufficient /usr/lib/security/pam_afs.so ignore_root
sshd auth required /usr/lib/security/pam_unix.so try_first_pass debug
sshd account sufficient /usr/lib/security/pam_afs.so.1 ignore_root
sshd account required /usr/lib/security/pam_unix.so.1 try_first_pass debug
other session required /usr/lib/security/pam_unix.so.1
* tcpd/allow:
sshd:.lrz-muenchen.de:rfc931
sshdfwd-X11:.lrz-muenchen.de:rfc931
* sshd.cf:
Port 222
ListenAddress 0.0.0.0
HostKey /usr/local/etc/openssh/host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTgtPassing yes
AFSTokenPassing yes
KerberosTicketCleanup yes
XAuthLocation /usr/openwin/bin/xauth
* Log of `ssh -v -p 222 suntest2' and `sshd -d -d -d' if `.shosts'
permits login without password as attachments
(files `ssh.log.with-shosts' and `sshd.log.with-shosts')
* Log of `ssh -v -p 222 suntest2' and `sshd -d -d -d' if `.shosts' does
not permit login without password as attachments
(files `ssh.log.without-shosts' and `sshd.log.without-shosts')
Do you need any other information?
Any hints are appreciated very much.
Thank you for your cooperation.
Kind regards,
Ernst Boetsch
--
*******************************************************************
Ernst N. Boetsch                          | Leibniz Computer Center
                                          | of the Bavarian Academy
Email: Ernst.Boetsch at lrz-muenchen.de   | of Sciences
Phone: +49 89 289-28831 (/-28784)         | Barer Strasse 21
Fax:   +49 89 2809460                     | D-80333 Muenchen, Germany
-------------- next part (attachment `ssh.log.with-shosts') --------------
$ ssh -v -p 222 suntest2
SSH Version 1.2.27 (AFS/KRB.p1, LRZ) [sparc-sun-solaris2.5.1], protocol version 1.5.
Standard version. Does not use RSAREF.
wsc33: Reading configuration data /afs/lrz/home/a/a2822ab/.ssh/config
wsc33: Applying options for *
wsc33: Reading configuration data /usr/local/etc/ssh/config
wsc33: Applying options for *
wsc33: ssh_connect: getuid 10416 geteuid 0 anon 0
wsc33: Connecting to suntest2 [129.187.10.13] port 222.
wsc33: Allocated local port 1013.
wsc33: Connection established.
wsc33: Remote protocol version 1.5, remote software version OpenSSH_2.9p1 (LRZ)
wsc33: Waiting for server public key.
wsc33: Received server public key (768 bits) and host key (1024 bits).
wsc33: Host 'suntest2' is known and matches the host key.
wsc33: Initializing random; seed file /afs/lrz/home/a/a2822ab/.ssh/random_seed
wsc33: Encryption type: blowfish
wsc33: Sent encrypted session key.
wsc33: Installing crc compensation attack detector.
wsc33: Received encrypted confirmation.
wsc33: Remote: AFS token accepted (afs at lrz-muenchen.de, AFS ID 10416 at lrz-muenchen.de)
wsc33: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
wsc33: Remote: Accepted by .ssh/shosts.
wsc33: Received RSA challenge for host key from server.
wsc33: Sending response to host key RSA challenge.
wsc33: Remote: Rhosts with RSA host authentication accepted.
wsc33: Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.
wsc33: Requesting pty.
wsc33: Requesting X11 forwarding with authentication spoofing.
wsc33: Requesting shell.
wsc33: Entering interactive session.
Last login: Mon Jun 18 23:30:31 2001 from wsc33.lrz-muenc
Sun Microsystems Inc. SunOS 5.7 Generic October 1998
debug1: PAM establishing creds
Command terminated on signal 11.
-------------- next part (attachment `sshd.log.with-shosts') --------------
debug3: Reading output from 'ls -alni /var/log'
debug3: Time elapsed: 23 msec
debug3: Got 1.93 bytes of entropy from 'ls -alni /var/log'
[...]
debug3: Reading output from 'tail -200 /var/adm/messages'
debug3: Time elapsed: 14 msec
debug3: Got 0.34 bytes of entropy from 'tail -200 /var/adm/messages'
debug1: Seeded RNG with 36 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: sshd version OpenSSH_2.9p1 (LRZ)
debug1: private host key: #0 type 0 RSA1
Disabling protocol version 2. Could not load host key
debug1: Bind to port 222 on 0.0.0.0.
Server listening on 0.0.0.0 port 222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 129.187.10.85 port 1013
debug1: Client protocol version 1.5; client software version 1.2.27 (AFS/KRB.p1, LRZ)
debug1: no match: 1.2.27 (AFS/KRB.p1, LRZ)
debug1: Local version string SSH-1.5-OpenSSH_2.9p1 (LRZ)
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "a2822ab"
debug3: Trying to reverse map address 129.187.10.85.
debug1: PAM setting rhost to "wsc33.lrz-muenchen.de"
debug1: Attempting authentication for a2822ab.
debug1: Trying rhosts with RSA host authentication for client user a2822ab
debug2: auth_rhosts2: clientuser a2822ab hostname wsc33.lrz-muenchen.de ipaddr 129.187.10.85
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
debug1: Rhosts RSA authentication: canonical host wsc33.lrz-muenchen.de
debug3: check_host_in_hostfile: filename /usr/local/etc/openssh/known_hosts
debug3: check_host_in_hostfile: match line 260
Rhosts with RSA host authentication accepted for a2822ab, a2822ab on wsc33.lrz-muenchen.de.
debug1: PAM setting ruser to "a2822ab"
Accepted rhosts-rsa for a2822ab from 129.187.10.85 port 1013 ruser a2822ab
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug2: tty_parse_modes: ospeed 9600
debug2: tty_parse_modes: ispeed 9600
debug2: tty_parse_modes: 1 3
[...]
debug2: tty_parse_modes: 2 28
debug2: tty_parse_modes: 93 0
debug1: Received request for X11 forwarding with auth spoofing.
debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1
debug1: bind port 6010: Address already in use
debug1: bind port 6011: Address already in use
debug1: fd 11 setting O_NONBLOCK
debug1: fd 11 IS O_NONBLOCK
debug1: channel 0: new [X11 inet listener]
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
debug1: PAM setting tty to "/dev/pts/10"
debug1: PAM establishing creds
debug1: Entering interactive session.
debug1: fd 6 setting O_NONBLOCK
debug1: fd 10 IS O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug1: End of interactive session; stdin 0, stdout (read 155, sent 155), stderr 0 bytes.
debug1: channel_free: channel 0: status: The following connections are open:
debug1: Received SIGCHLD.
Disconnecting: Command terminated on signal 11.
debug1: Calling cleanup 0x52040(0x0)
debug1: xauthfile_cleanup_proc called
debug1: Calling cleanup 0x60450(0x0)
debug1: Calling cleanup 0x520f8(0x179318)
debug1: pty_cleanup_proc: /dev/pts/10
debug1: Calling cleanup 0x47bd0(0x0)
debug1: Cannot delete credentials[7]: Permission denied
debug1: Calling cleanup 0x6fff8(0x0)
debug1: Calling cleanup 0x7b100(0x0)
debug1: writing PRNG seed to file //.ssh/prng_seed
-------------- next part (attachment `ssh.log.without-shosts') --------------
$ ssh -v -p 222 suntest2
SSH Version 1.2.27 (AFS/KRB.p1, LRZ) [sparc-sun-solaris2.5.1], protocol version 1.5.
Standard version. Does not use RSAREF.
wsc33: Reading configuration data /afs/lrz/home/a/a2822ab/.ssh/config
wsc33: Applying options for *
wsc33: Reading configuration data /usr/local/etc/ssh/config
wsc33: Applying options for *
wsc33: ssh_connect: getuid 10416 geteuid 0 anon 0
wsc33: Connecting to suntest2 [129.187.10.13] port 222.
wsc33: Allocated local port 1013.
wsc33: Connection established.
wsc33: Remote protocol version 1.5, remote software version OpenSSH_2.9p1 (LRZ)
wsc33: Waiting for server public key.
wsc33: Received server public key (768 bits) and host key (1024 bits).
wsc33: Host 'suntest2' is known and matches the host key.
wsc33: Initializing random; seed file /afs/lrz/home/a/a2822ab/.ssh/random_seed
wsc33: Encryption type: blowfish
wsc33: Sent encrypted session key.
wsc33: Installing crc compensation attack detector.
wsc33: Received encrypted confirmation.
wsc33: Remote: AFS token accepted (afs at lrz-muenchen.de, AFS ID 10416 at lrz-muenchen.de)
wsc33: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
wsc33: Server refused our rhosts authentication or host key.
wsc33: No agent.
wsc33: Doing password authentication.
a2822ab at suntest2's password:
wsc33: Requesting pty.
wsc33: Requesting X11 forwarding with authentication spoofing.
wsc33: Requesting shell.
wsc33: Entering interactive session.
Last login: Mon Jun 18 23:39:13 2001 from wsc33.lrz-muenc
Sun Microsystems Inc. SunOS 5.7 Generic October 1998
debug1: PAM establishing creds
Command terminated on signal 11.
-------------- next part (attachment `sshd.log.without-shosts') --------------
debug3: Reading output from 'ls -alni /var/log'
debug3: Time elapsed: 23 msec
debug3: Got 1.93 bytes of entropy from 'ls -alni /var/log'
[...]
debug3: Reading output from 'tail -200 /var/adm/messages'
debug3: Time elapsed: 14 msec
debug3: Got 0.44 bytes of entropy from 'tail -200 /var/adm/messages'
debug1: Seeded RNG with 36 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: sshd version OpenSSH_2.9p1 (LRZ)
debug1: private host key: #0 type 0 RSA1
Disabling protocol version 2. Could not load host key
debug1: Bind to port 222 on 0.0.0.0.
Server listening on 0.0.0.0 port 222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 129.187.10.85 port 1013
debug1: Client protocol version 1.5; client software version 1.2.27 (AFS/KRB.p1, LRZ)
debug1: no match: 1.2.27 (AFS/KRB.p1, LRZ)
debug1: Local version string SSH-1.5-OpenSSH_2.9p1 (LRZ)
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "a2822ab"
debug3: Trying to reverse map address 129.187.10.85.
debug1: PAM setting rhost to "wsc33.lrz-muenchen.de"
debug1: Attempting authentication for a2822ab.
debug1: Trying rhosts with RSA host authentication for client user a2822ab
debug2: auth_rhosts2: clientuser a2822ab hostname wsc33.lrz-muenchen.de ipaddr 129.187.10.85
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
Failed rhosts-rsa for a2822ab from 129.187.10.85 port 1013 ruser a2822ab
debug1: writing PRNG seed to file //.ssh/prng_seed
debug1: PAM Password authentication accepted for user "a2822ab"
Accepted password for a2822ab from 129.187.10.85 port 1013
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug2: tty_parse_modes: ospeed 9600
debug2: tty_parse_modes: ispeed 9600
debug2: tty_parse_modes: 1 3
[...]
debug2: tty_parse_modes: 93 0
debug1: Received request for X11 forwarding with auth spoofing.
debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1
debug1: bind port 6010: Address already in use
debug1: bind port 6011: Address already in use
debug1: fd 11 setting O_NONBLOCK
debug1: fd 11 IS O_NONBLOCK
debug1: channel 0: new [X11 inet listener]
debug1: temporarily_use_uid: 10416/1052 (e=0)
debug1: restore_uid
debug1: PAM setting tty to "/dev/pts/10"
debug1: PAM establishing creds
debug1: Entering interactive session.
debug1: fd 6 setting O_NONBLOCK
debug1: fd 10 IS O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug1: End of interactive session; stdin 0, stdout (read 155, sent 155), stderr 0 bytes.
debug1: channel_free: channel 0: status: The following connections are open:
debug1: Received SIGCHLD.
Disconnecting: Command terminated on signal 11.
debug1: Calling cleanup 0x52040(0x0)
debug1: xauthfile_cleanup_proc called
debug1: Calling cleanup 0x60450(0x0)
debug1: Calling cleanup 0x520f8(0x179318)
debug1: pty_cleanup_proc: /dev/pts/10
debug1: Calling cleanup 0x47bd0(0x0)
debug1: Cannot delete credentials[7]: Permission denied
debug1: Calling cleanup 0x6fff8(0x0)
debug1: Calling cleanup 0x7b100(0x0)
debug1: writing PRNG seed to file //.ssh/prng_seed
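The `sshd.cf` and `/etc/pam.conf` quoted in the mail contain settings a reviewer would want to look at before such a build leaves the test host (`PermitEmptyPasswords yes`, `PermitRootLogin yes`, `IgnoreRhosts no`, the `debug` option on `pam_unix`, and `pam_afs.so` versus `pam_afs.so.1` across the stack). The following script is an added example, not part of the mail and not OpenSSH or Solaris code: it parses the two fragments (reconstructed here from the post) and reports those points. The severity labels and the rule list are the editor's own choices, not anything the post or sshd defines.

```python
"""Review the sshd config and Solaris pam.conf fragments quoted in the post.

Added example: parses both files, flags settings a reviewer would question,
and checks the PAM stack for modules referenced under different file names.
Sample inputs below are constructed from the mail; severities are assumptions.
"""
import re

# Constructed from the sshd.cf in the mail (only the lines that matter here).
SSHD_CF = """\
Port 222
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
RhostsAuthentication no
RhostsRSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
KerberosAuthentication yes
AFSTokenPassing yes
"""

# Constructed from the /etc/pam.conf in the mail.
PAM_CONF = """\
sshd auth sufficient /usr/lib/security/pam_afs.so ignore_root
sshd auth required /usr/lib/security/pam_unix.so try_first_pass debug
sshd account sufficient /usr/lib/security/pam_afs.so.1 ignore_root
sshd account required /usr/lib/security/pam_unix.so.1 try_first_pass debug
other session required /usr/lib/security/pam_unix.so.1
"""

# (keyword, value that raises a flag, severity, reason) -- editor's rule list.
RISKY_SSHD = [
    ("PermitEmptyPasswords", "yes", "high",
     "accounts with an empty password can log in over the network"),
    ("PermitRootLogin", "yes", "medium",
     "root may authenticate directly; prefer a user login followed by su"),
    ("IgnoreRhosts", "no", "medium",
     "per-user .rhosts/.shosts files are honoured for host-based trust"),
    ("RhostsAuthentication", "yes", "high",
     "plain rhosts trust relies only on the client's claimed host name"),
]


def parse_sshd_config(text):
    """Map lower-cased keyword -> value; the first occurrence wins, as in sshd."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), value.strip())
    return conf


def review_sshd_config(text):
    """Return [(severity, keyword, reason)] for every matching risky setting."""
    conf = parse_sshd_config(text)
    return [(sev, key, why) for key, bad, sev, why in RISKY_SSHD
            if conf.get(key.lower(), "").lower() == bad]


def parse_pam_conf(text):
    """Solaris pam.conf lines: service type control module [options...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        entries.append({"service": fields[0], "type": fields[1],
                        "control": fields[2], "module": fields[3],
                        "options": fields[4:]})
    return entries


def review_pam_conf(text):
    """Flag modules named inconsistently across the stack and leftover debug."""
    entries = parse_pam_conf(text)
    findings = []
    names = {}
    for e in entries:
        base = re.sub(r"\.so(\.\d+)?$", "", e["module"].rsplit("/", 1)[-1])
        names.setdefault(base, set()).add(e["module"])
    for base, paths in sorted(names.items()):
        if len(paths) > 1:   # e.g. pam_afs.so and pam_afs.so.1: confirm same file
            findings.append(("low", base, "referenced as " + ", ".join(sorted(paths))))
    for e in entries:
        if "debug" in e["options"]:
            where = "%s %s %s" % (e["service"], e["type"], e["module"])
            findings.append(("low", where, "debug option left on in pam.conf"))
    return findings


if __name__ == "__main__":
    for sev, what, why in review_sshd_config(SSHD_CF) + review_pam_conf(PAM_CONF):
        print("[%s] %s: %s" % (sev, what, why))
```

On the quoted configuration the script reports three sshd findings and four PAM findings; `RhostsAuthentication no` is correctly left alone. The rule list is deliberately small so it can be extended with whatever a site's own baseline requires.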