Bug 103241
| Summary: | openssh-3.1p1-8 problems with Kerberos authentication | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 2.1 | Reporter: | Brian Sneddon <b.sneddon> | ||||
| Component: | openssh | Assignee: | Nalin Dahyabhai <nalin> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Brian Brock <bbrock> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 2.1 | ||||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2003-09-23 16:47:22 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 94085 [details]
GDB debug of sshd crash
This shows the results of gdb debugging the sshd crash which occurs when sshd
is run in debug mode.
I upgraded openssh to 3.1p1-14 and the problem appears to have been resolved. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030818 Description of problem: I have our RedHat AS 2.1 server configured to use Kerberos (via PAM) for user authentication. Local user accounts are created with invalid passwords (!! for the password field in /etc/shadow) so that the only way to login is through Kerberos authentication. When using the openssh-3.1p1-6 that is shipped with the server user authentication works fine. If I upgrade using up2date to openssh-3.1p1-8 then users are no longer able to ssh in using their Kerberos passwords. Users can still telnet in using their Kerberos passwords however. If I assign a password to the user account then the user is able to ssh in using that password, but still not using their Kerberos password. If I downgrade ssh back to 3.1p1-6 then users are once able to ssh in. As the server's not yet in production I was able to reload the operating system and reproduce the problem on a clean OS. Here is a snippet of the messages log from one of my login attempts: Aug 27 19:30:44 Omega sshd(pam_unix)[2295]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=all-evil.nj.americas.mtlg.org user=bsneddon Aug 27 19:30:44 Omega sshd[2295]: pam_krb5: authenticate error: Input/output error (5) Aug 27 19:30:44 Omega sshd[2295]: pam_krb5: authentication fails for `bsneddon' Aug 27 19:30:49 Omega sshd[2295]: pam_krb5: authentication succeeds for `bsneddon' When running sshd in debug mode I experience a slightly different problem. When attempting to ssh using a username which is in the Kerberos database sshd experiences a segmentation fault before the client is even prompted for a password. It's not even possible for me to ssh in using a locally configured password. When attempting to ssh using a username that is not in the Kerberos database, it works just fine. Here is the sshd debug when attempting an ssh connection using root (which has no entry in the Kerberos database): debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for root debug1: Starting up PAM with username "root" debug3: Trying to reverse map address 192.168.200.21. debug1: PAM setting rhost to "mis04.nj.americas.mtlg.org" debug2: input_userauth_request: try method none debug1: PAM Password authentication for "root" failed[7]: Authentication failure Failed none for root from 192.168.200.21 port 2653 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug2: input_userauth_request: try method keyboard-interactive Here is the sshd debug when attempting an ssh connection using bsneddon which is in the Kerberos database: debug1: userauth-request for user bsneddon service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for bsneddon debug1: Starting up PAM with username "bsneddon" debug3: Trying to reverse map address 192.168.200.21. debug1: PAM setting rhost to "mis04.nj.americas.mtlg.org" debug2: input_userauth_request: try method none Segmentation fault Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Install RedHat AS 2.1 which comes with openssh-3.1p1-6. Enable Kerberos authentication during setup. 2. Run up2date which will update openssh to openssh-3.1p1-8. 3. Attempt to ssh using Kerberos password. Authentication will fail. Additional info: