3.0.2 AFS login problem, Solaris 2.5.1

Peter Scott Peter.J.Scott at jpl.nasa.gov
Sat Jan 5 06:49:36 EST 2002


I've been beating myself senseless trying to build OpenSSH 3.0.1 on Solaris 
2.5.1 and get AFS login working.

The symptoms of the problem are: sshd builds (used --with-afs and 
--with-kerberos4 - there is no PAM on this box), accepts connections from 
non-AFS users, but does not accept a connection from an AFS user; the user 
sees "permission denied" after entering the password.

The server (in debug mode) at this point says:
   debug1: attempt 2 failures 2
   kerberos-iv/udp unknown service, using default port 750
   Kerberos v4 TGT for joeuser unverifiable: Principal unknown (kerberos);   rcmd.grimble not registered, or srvtab is wrong?
   debug1: krb4_cleanup_proc called
   Failed password for joeuser from 123.45.67.89 port 34375 ssh2

Snooping the network reveals that client machine 'grimble' sends a packet 
that includes the kerberos realm and "rcmd.grimble" to 'kerberos', our auth 
server.
Server sends response that includes username, part of realm (last component 
is missing), and text "code = 8: Exec format er".

Snooping the network when the old (SSH1) server (which works) runs reveals 
*no connection* to 'kerberos' over port 750 during successful login... only 
some stuff on 7004.

So I looked at the code, wondering how the ssh1.2.21 could work where this 
didn't... and found that 1.2.21 used a patch from dugsong that called 
ka_UserAuthenticateGeneral at this point... but 3.0.2 does not call any ka_ 
routines.

I suspect that ka_UserAuthenticateGeneral is what talks over 7004 and 
that if I could make an equivalent patch to 3.0.2 that would use it, I'd be 
able to talk to our kaserver.  It's been pointed out that if we created a 
principal rcmd.grimble I might be able to use what I've got, but I don't 
want to do anything that requires an admin.  Which is the same answer to 
the suggestions that we're running an out-of-date kaserver.  I am not the 
cell admin.  I want 3.0.2 to work on AFS the way 1.2.21 did.

I tried a naive patch to 3.0.2 to use ka_UserAuthenticateGeneral and I 
couldn't even get it to link; usually I eventually figure out an order of 
all those wretched AFS libraries that works but not this time.

Why doesn't 3.0.2 call ka_UserAuthenticateGeneral?  Is there a patch to 
make it do so?
--
Peter Scott
Peter.J.Scott at jpl.nasa.gov



