privsep versus compression

Martin MOKREJŠ mmokrejs at natur.cuni.cz
Thu Sep 19 07:49:26 EST 2002


On Wed, 18 Sep 2002, Martin MOKREJŠ wrote:

> > Please look at the -cvs tree.  We have handled most of the mmap() issues
> > for any OS that is written in the last 6 years.
> >
> > - Ben
>
> Hi,
>   I tried current cvs on Solaris 2.6 (not on the problematic Irix
> 6.5.15 yet) but I got:
>
> /configure --prefix=/usr/local --with-kerberos4=/usr/athena --with-afs=/usr/afsws --with-tcp-wrappers --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh --with-privsep --with-zlib --with-pam
> $ make
> [...]
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating openbsd-compat/Makefile
> config.status: creating scard/Makefile
> config.status: creating ssh_prng_cmds
> config.status: creating config.h
> config.status: error: cannot find input file: config.h.in

OK, I copied config.h.in from openssh-3.4p1 distribution and the
config.status went fine for openssh-SNAP-20020912.

But, I then faced another error:

gcc -I/software/@sys/usr/include -I/software/@sys/usr/include/ncurses -I/software/@sys/usr/local/include -I/software/@sys/usr/local/openssl/include -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/software/@sys/usr/openssl/include -Iyes -I/software/@sys/usr/include -I/software/@sys/usr/include/ncurses -I/software/@sys/usr/local/include -I/software/@sys/usr/local/openssl/include -I/usr/local/include -I/usr/athena/include -I/usr/afsws/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c sshconnect1.c
sshconnect1.c: In function `send_afs_tokens':
sshconnect1.c:799: warning: implicit declaration of function `_IOW'
sshconnect1.c:799: parse error before `struct'
make: *** [sshconnect1.o] Error 1


I've added to includes.h one line:

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
+#include <sys/ioccom.h>
#include <sys/wait.h>
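
Review bot: the added `#include <sys/ioccom.h>` is unconditional in the shared includes.h, so the build will fail on any platform that does not ship that header. Wrap the line in an `#ifdef` on a configure-detected macro (for example `HAVE_SYS_IOCCOM_H`, assuming a matching header check is added to configure), or include it only where `_IOW` is needed, next to the AFS code in sshconnect1.c that produced the error at line 799.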

I've no clue if it's the proper place. As far as I remember, this problem
with sshconnect1.c always appeared only on Solaris with krb4 (just do
google search).


After starting sshd from the openssh-SNAP-20020912, I see it's crashing. I
cannot find the core file anywhere, but I see:

/usr/local/sbin/sshd -f /usr/local/etc/sshd_config -D -d -d -d -p 333
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 333 on 0.0.0.0.
Server listening on 0.0.0.0 port 333.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 195.113.46.57 port 1642
debug1: Client protocol version 1.5; client software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug3: privsep user:group 99:99
debug1: permanently_set_uid: 99/99
debug1: Sent 768 bit server key and 1024 bit host key.
debug2: Network child is on pid 14696
debug3: preauth child monitor started
debug1: Encryption type: 3des
debug3: mm_request_send entering: type 28
debug3: mm_request_receive_expect entering: type 29
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 28
debug3: mm_request_send entering: type 29
debug3: mm_ssh1_session_id entering
debug3: mm_request_send entering: type 30
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Received session key; encryption turned on.
debug2: monitor_read: 28 used once, disabling now
debug1: Installing crc compensation attack detector.
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 30
debug3: mm_answer_sessid entering
debug2: monitor_read: 30 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 37
debug1: Attempting authentication for mmokrejs.
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 37
debug1: Starting up PAM with username "mmokrejs"
debug3: Trying to reverse map address 195.113.46.57.
debug1: PAM setting rhost to "tao-eth.natur.cuni.cz"
debug2: monitor_read: 37 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for mmokrejs from 195.113.46.57 port 1642
debug3: mm_request_receive entering
debug1: Kerberos v4 krb_rd_req: Can't decode authenticator (krb_rd_req)
Failed kerberos for mmokrejs from 195.113.46.57 port 1642
debug3: mm_auth_rsa_key_allowed entering
debug3: mm_request_send entering: type 31
debug3: mm_request_receive_expect entering: type 32
debug3: mm_request_receive entering
debug3: monitor_read: checking request 31
debug3: mm_answer_rsa_keyallowed entering
debug1: temporarily_use_uid: 79/30 (e=0/1)
debug1: trying public RSA key file /usr/home/mmokrejs/.ssh/authorized_keys
debug1: restore_uid: 0/1
debug3: mm_request_send entering: type 32
Failed rsa for mmokrejs from 195.113.46.57 port 1642
debug3: mm_request_receive entering
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug1: Calling cleanup 0x585ac(0x0)
Segmentation Fault


Please note that sshd does NOT accept a valid remote ticket of a user.
I seem to remember a note of someone in some krb4 or ssh related list
stating, that there were some changes to openssh3.3 already or
so, requiring ssh.$hostname principal being saved on the target
side where sshd is being run in order to accept kerberos ticket from
remote clients. I know I do not have the ssh.$hostname principal
in /etc/srvtab (will be fixed tomorrow after our kerberos admins come),
but it seems after user enters password (as his ticket wasn't accepted),
sshd then creates in /tmp/tkt* valid ticket for the user (as I've entered
kerberos password and PAM worked fine), closes the ticket file and reopens
read-only, and then comes to look for srvtab, reads through it and dies.
I guess because it did not find the ssh.$hostname key.

If I remember right, in *THAT* email someone posted a patch to fix krb4
in openssh. He said something like "someone thought that sending a key
before the authentication is insecure and moved that part after the
authentication step ...". If someone knows which e-mail I'm talking about,
please send it to me and to the list with that patch. ;) I think it went
across one of the ssh or krb or ssh-afs lists at umich.edu or monkey.org
or clinet.fi ....

The situation above happened with openssh-SNAP-20020912, krb4-1.2, Solaris
2.6. gcc and gnu as/ld.
-- 
Martin Mokrejs <mmokrejs at natur.cuni.cz>, <m.mokrejs at gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
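
An added example (not part of the original post and not OpenSSH code): a small Python triage helper that reads `sshd -d -d -d` output like the log in this message and reports which privsep monitor request was being handled when the fatal line appeared. The function name `triage` and the fatal-line patterns are assumptions; the sample is an excerpt of the log quoted in the post.

```python
import re

# Excerpt (tail of the session) of the sshd debug log quoted in the post.
SAMPLE_LOG = """\
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug1: Calling cleanup 0x585ac(0x0)
Segmentation Fault
"""

CHECK = re.compile(r"monitor_read: checking request (\d+)")
EXPECT = re.compile(r"mm_request_receive_expect entering: type (\d+)")
SEND = re.compile(r"mm_request_send entering: type (\d+)")
FATAL = re.compile(r"Segmentation Fault|Bus Error|fatal:", re.I)  # assumed patterns

def triage(log):
    """Return the monitor request in flight when the first fatal line appears."""
    pending = None    # request type the monitor last started handling
    expected = None   # reply type the unprivileged child last waited for
    answered = False  # True once the awaited reply type was sent after the check
    for lineno, line in enumerate(log.splitlines(), 1):
        if m := EXPECT.search(line):
            expected = int(m.group(1))
        elif m := CHECK.search(line):
            pending, answered = int(m.group(1)), False
        elif (m := SEND.search(line)) and pending is not None:
            if int(m.group(1)) == expected:
                answered = True
        elif FATAL.search(line):
            return {"line": lineno, "request": pending,
                    "child_waiting_for": expected, "answered": answered}
    return None  # no fatal line in this log
```

On the excerpt it shows the monitor had picked up a second type 10 request and faulted before any type 11 reply was sent, which narrows the crash to the monitor-side password handler.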

More information about the openssh-unix-dev mailing list