3.0.2 AFS login problem, Solaris 2.5.1

Booker C. Bense bbense at networking.stanford.edu
Sat Jan 5 08:27:57 EST 2002


On Fri, 4 Jan 2002, Peter Scott wrote:

> I've been beating myself senseless trying to build OpenSsh 3.0.1 on Solaris
> 2.5.1 and get AFS login working.
>
> The symptoms of the problem are: sshd builds (used --with-afs and
> -with-kerberos4 - there is no PAM on this box), accepts connections from
> non-AFS users, but does not accept a connection from an AFS user; the user
> sees "permission denied" after entering the password.
>
> The server (in debug mode) at this point says:
>    debug1: attempt 2 failures 2
>    kerberos-iv/udp unknown service, using default port 750
>    Kerberos v4 TGT for joeuser unverifiable: Principal unknown
> (kerberos);   rcmd.grimble not registered, or srvtab is wrong?
>    debug1: krb4_cleanup_proc called
>    Failed password for joeuser from 123.45.67.89 port 34375 ssh2
>

- You need a srvtab for your machine to accept kerberos 4 logins.
Accepting logins without verifying them against a srvtab is not
considered acceptable security practice by most people.

>
>
> I am suspecting that ka_UserAuthenticateGeneral is what talks over 7004 and
> that if I could make an equivalent patch to 3.0.2 that would use it, I'd be
> able to talk to our kaserver.  It's been pointed out that if we created a
> principal rcmd.grimble I might be able to use what I've got, but I don't
> want to do anything that requires an admin.  Which is the same answer to
> the suggestions that we're running an out-of-date kaserver.  I am not the
> cell admin.  I want 3.0.2 to work on AFS the way 1.2.21 did.

- Then you should use 1.2.21. IMHO 3.0.2 is doing things the correct
way and 1.2.21 did them the wrong way.

>
> I tried a naive patch to 3.0.2 to use ka_UserAuthenticateGeneral and I
> couldn't even get it to link; usually I eventually figure out an order of
> all those wretched AFS libraries that works but not this time.
>
> Why doesn't 3.0.2 call ka_UserAuthenticateGeneral?

- Because it's insecure?

> Is there a patch to make it do so?

- It's wildly insecure in my humble opinion, but there was a post on
this list last month to allow kerberos 4 logins without access to
a srvtab. You are leaving your machines wide open to anybody that
can inject packets into your local network. It's pretty much the
equivalent of using hosts.allow with old versions of rsh (i.e.
you're trusting the IP address in the packet as sufficient
authentication).

- Look for a message with the subject

PATCH: Kerberos password authentication w/o KDC verification

- It was posted to the list in early December 2001.
You might want to read Dug Song's current opinion on
how kerberos logins should work.

http://www.monkey.org/~dugsong/kdcspoof.tar.gz

- Booker C. Bense
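
The point Booker makes above (a KDC reply that is never checked against a srvtab can be forged by anyone who can inject packets) is easier to see in a small model of the exchange. The following is an added example written for this archive page; it is not code from the thread, from OpenSSH or from Dug Song's kdcspoof. The "encryption" is a toy stand-in (SHA-256 keystream plus HMAC tag, not DES or real Kerberos v4 crypto), the KDC and attacker are in-process objects, and the passwords and the `joeuser` / `rcmd.grimble` principal names are taken from the post or made up here. Whoever gets passed as `kdc` stands for "whoever answered first on UDP 750".

```python
"""Toy model of Kerberos v4 password login, with and without srvtab verification.

Constructed example: toy crypto, in-process KDC and attacker. Not Kerberos.
"""
import hashlib
import hmac
import os
import secrets


def string_to_key(password: str) -> bytes:
    # Stand-in for the v4 string-to-key function: a password-derived key.
    return hashlib.sha256(b"toy-k4-s2k:" + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || xor(plaintext, keystream) || tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the blob was not sealed under `key`."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class Kdc:
    """The cell's real KDC: holds every principal's key (users and rcmd.host services)."""

    def __init__(self, principal_keys: dict):
        self.keys = dict(principal_keys)
        self.tgs_key = secrets.token_bytes(32)  # ticket-granting key, known only to the KDC

    def as_request(self, principal: str) -> bytes:
        # AS exchange: the TGT comes back sealed under the user's password-derived key.
        tgt = seal(self.tgs_key, b"TGT:" + principal.encode())
        return seal(self.keys[principal], tgt)

    def tgs_request(self, tgt: bytes, service: str):
        # TGS exchange: a service ticket sealed under the service's own (srvtab) key.
        inner = unseal(self.tgs_key, tgt)
        if inner is None or not inner.startswith(b"TGT:"):
            return None
        return seal(self.keys[service], b"TICKET:" + service.encode() + b":" + inner[4:])


class SpoofedKdc:
    """Attacker on the LAN who answers before the real KDC. Knows no keys at all."""

    def __init__(self, password_guess: str):
        self.guess = password_guess  # the password the attacker will type at the ssh prompt

    def as_request(self, principal: str) -> bytes:
        # Forged reply sealed under the key for the attacker's own chosen password.
        return seal(string_to_key(self.guess), b"TGT:" + principal.encode() + b":forged")

    def tgs_request(self, tgt: bytes, service: str) -> bytes:
        # Cannot seal under rcmd.<host>'s key, so the best it can do is junk under a random key.
        return seal(secrets.token_bytes(32), b"bogus")


def sshd_password_login(kdc, user: str, password: str, host_service: str,
                        srvtab_key: bytes, verify_with_srvtab: bool) -> bool:
    """Model of sshd's Kerberos v4 password check. Returns True when login is accepted."""
    tgt = unseal(string_to_key(password), kdc.as_request(user))
    if tgt is None:
        return False  # the reply did not decrypt with the typed password: "Failed password"
    if not verify_with_srvtab:
        return True  # the shortcut: trust whoever answered on the KDC port
    ticket = kdc.tgs_request(tgt, host_service)
    if ticket is None:
        return False
    expected = b"TICKET:" + host_service.encode() + b":" + user.encode()
    return unseal(srvtab_key, ticket) == expected  # only the real KDC holds this key


def demo() -> dict:
    srvtab_key = secrets.token_bytes(32)  # what /etc/srvtab would hold for rcmd.grimble
    kdc = Kdc({"joeuser": string_to_key("correct horse"), "rcmd.grimble": srvtab_key})
    spoof = SpoofedKdc("letmein")
    return {
        "real_kdc_good_pw": sshd_password_login(kdc, "joeuser", "correct horse", "rcmd.grimble", srvtab_key, True),
        "real_kdc_bad_pw": sshd_password_login(kdc, "joeuser", "wrong", "rcmd.grimble", srvtab_key, True),
        "spoof_no_srvtab": sshd_password_login(spoof, "joeuser", "letmein", "rcmd.grimble", srvtab_key, False),
        "spoof_with_srvtab": sshd_password_login(spoof, "joeuser", "letmein", "rcmd.grimble", srvtab_key, True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'denied'}")
```

The `spoof_no_srvtab` case is the attack: with verification switched off, the attacker types a password of their choosing and spoofs a KDC reply sealed under that same password, and sshd lets them in as `joeuser` without the KDC or the user's real key ever being involved. With the srvtab round trip, the same attacker cannot produce a service ticket that decrypts under the host's key, so the login fails, which is why the server in the original post refuses to proceed without `rcmd.grimble` in its srvtab.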
