101361 – RHSA-2003:222-01 breaks active directory authenticated KRB5 PAM

Bug 101361 - RHSA-2003:222-01 breaks active directory authenticated KRB5 PAM

Summary: RHSA-2003:222-01 breaks active directory authenticated KRB5 PAM

Status:	CLOSED DUPLICATE of bug 101183
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	openssh
Sub Component:
Version:	9
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nalin Dahyabhai
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2003-07-31 07:08 UTC by Need Real Name
Modified:	2007-04-18 16:56 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Environment:	(edit)
Last Closed:	2006-02-21 18:57:53 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Need Real Name 2003-07-31 07:08:47 UTC

Description of problem:  application of RHSA-2003:222-01 (upgrade to SSH) seems
to break the use of KRB5 PAM authentication for SSH logins.  It is possible to
log in as root but not as a user.  The session is immediately terminated by the
daemon.


Version-Release number of selected component (if applicable): known broken on
RH7.2 and 8.0 as per advisory.


How reproducible:  apply patches.  set machine to authenticate users using KRB5
with an active directory domain controller as the KRB5 server


Steps to Reproduce:
1. apply patches
2. set machine to authenticate users using KRB5 with an active directory domain
controller as the KRB5 server
3. ssh to machine as user - fails
4. use authconfig to unset KRB5 authentication
5. ssh to machine as user - works
    
Actual results:


Expected results:


Additional info:  rollback to previous version of SSH on affected machines works

Comment 1 Rich Graves 2003-07-31 21:47:39 UTC

Agreed here. Bad patch needs to be rolled back.

Same failures with ssh v1 and ssh v2, with or without X11 forwarding.

/usr/sbin/sshd -D -d -d dies with a segfault.

debug1: userauth-request for user rcgraves service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
Segmentation fault
debug1: Calling cleanup 0x8070d70(0x0)

Comment 2 Ken Weaverling 2003-07-31 21:59:49 UTC

Possible dupe at bug 101183

Comment 3 Larry Cole 2003-08-14 18:29:01 UTC

I am having the same problem on several machines.

Comment 4 Mark Leary 2003-08-21 21:03:39 UTC

Temporary workaround:

I have not full investigated the security implications of this, but you can 
enable "Do not require Kerberos Preauthentication" in your AD accounts to get 
around this.

Comment 5 Michael Young 2003-08-21 21:23:59 UTC

There are two other possible workarounds, downgrade openssh to the previous
package, or upgrade the krb5 libraries to the copy on rawhide, though in the
latter case you will probably have to upgrade several other packages as well.

Comment 6 Alfred Hovdestad 2003-09-07 14:36:17 UTC

I have another workaround/some more information.  I found that the new rpm works
with a Sun krb5 server but not a Windows DC.  If I change my krb5.conf to
authenticate against a Sun krb5 server, I can login with ssh.  If I use the
Windows DC, ssh fails.

However, I can still login at the console with the Windows krb5 server, and I
can still generate a krb5 ticket (kinit) with the Windows DC.  Ditto for the
Sun.  It is only ssh that fails with the Windows DC.

Comment 7 Alfred Hovdestad 2003-09-16 20:04:39 UTC

This appears to be fixed with the latest update to openssh.


    Alfred

Comment 8 Mark J. Cox 2003-09-25 09:53:42 UTC


*** This bug has been marked as a duplicate of 101183 ***

Comment 9 Red Hat Bugzilla 2006-02-21 18:57:53 UTC

Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.