Bug 103241 - openssh-3.1p1-8 problems with Kerberos authentication
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: openssh
Version: 2.1
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Reported: 2003-08-27 20:27 EDT by Brian Sneddon
Modified: 2007-11-30 17:06 EST (History)
Doc Type: Bug Fix
Last Closed: 2003-09-23 12:47:22 EDT

Attachments:
GDB debug of sshd crash (5.67 KB, text/plain), 2003-08-29 22:08 EDT, Brian Sneddon

Description Brian Sneddon 2003-08-27 20:27:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030818

Description of problem:
I have our RedHat AS 2.1 server configured to use Kerberos (via PAM) for user 
authentication.  Local user accounts are created with invalid passwords (!! for 
the password field in /etc/shadow) so that the only way to login is through 
Kerberos authentication.  When using the openssh-3.1p1-6 that is shipped with 
the server user authentication works fine.  If I upgrade using up2date to 
openssh-3.1p1-8 then users are no longer able to ssh in using their Kerberos 
passwords.  Users can still telnet in using their Kerberos passwords however.  
If I assign a password to the user account then the user is able to ssh in using 
that password, but still not using their Kerberos password.  If I downgrade ssh 
back to 3.1p1-6 then users are once again able to ssh in.  As the server's not yet in 
production I was able to reload the operating system and reproduce the problem 
on a clean OS. 
 
Here is a snippet of the messages log from one of my login attempts: 
Aug 27 19:30:44 Omega sshd(pam_unix)[2295]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=all-evil.nj.americas.mtlg.org user=bsneddon
Aug 27 19:30:44 Omega sshd[2295]: pam_krb5: authenticate error: Input/output error (5)
Aug 27 19:30:44 Omega sshd[2295]: pam_krb5: authentication fails for `bsneddon'
Aug 27 19:30:49 Omega sshd[2295]: pam_krb5: authentication succeeds for `bsneddon'
 
 
When running sshd in debug mode I experience a slightly different problem. When 
attempting to ssh using a username which is in the Kerberos database sshd 
experiences a segmentation fault before the client is even prompted for a 
password.  It's not even possible for me to ssh in using a locally configured 
password.  When attempting to ssh using a username that is not in the Kerberos 
database, it works just fine. 
 
Here is the sshd debug when attempting an ssh connection using root (which has 
no entry in the Kerberos database): 
debug1: userauth-request for user root service ssh-connection method none 
debug1: attempt 0 failures 0 
debug2: input_userauth_request: setting up authctxt for root 
debug1: Starting up PAM with username "root" 
debug3: Trying to reverse map address 192.168.200.21. 
debug1: PAM setting rhost to "mis04.nj.americas.mtlg.org" 
debug2: input_userauth_request: try method none 
debug1: PAM Password authentication for "root" failed[7]: Authentication failure 
Failed none for root from 192.168.200.21 port 2653 ssh2 
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1 
debug2: input_userauth_request: try method keyboard-interactive 
 
Here is the sshd debug when attempting an ssh connection using bsneddon which is 
in the Kerberos database: 
debug1: userauth-request for user bsneddon service ssh-connection method none 
debug1: attempt 0 failures 0 
debug2: input_userauth_request: setting up authctxt for bsneddon 
debug1: Starting up PAM with username "bsneddon" 
debug3: Trying to reverse map address 192.168.200.21. 
debug1: PAM setting rhost to "mis04.nj.americas.mtlg.org" 
debug2: input_userauth_request: try method none 
Segmentation fault

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install RedHat AS 2.1 which comes with openssh-3.1p1-6.  Enable Kerberos
authentication during setup.
2. Run up2date which will update openssh to openssh-3.1p1-8.
3. Attempt to ssh using Kerberos password.  Authentication will fail.
    

Additional info:
Comment 1 Brian Sneddon 2003-08-29 22:08:15 EDT
Created attachment 94085
GDB debug of sshd crash

This shows the results of gdb debugging the sshd crash which occurs when sshd
is run in debug mode.
Comment 2 Brian Sneddon 2003-09-23 12:47:22 EDT
I upgraded openssh to 3.1p1-14 and the problem appears to have been resolved.
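
Added example, not part of the original report: a small Python triage script that groups the PAM messages in the syslog excerpt from the description by sshd PID, so the pam_unix failure, the pam_krb5 error and the later pam_krb5 success for one connection read as a single sequence. The regular expressions assume only the message formats visible in that excerpt; the function and field names are illustrative.

```python
import re
from collections import defaultdict

# Log lines taken from the report's description, with wrapped lines rejoined.
SAMPLE_LOG = """\
Aug 27 19:30:44 Omega sshd(pam_unix)[2295]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=all-evil.nj.americas.mtlg.org user=bsneddon
Aug 27 19:30:44 Omega sshd[2295]: pam_krb5: authenticate error: Input/output error (5)
Aug 27 19:30:44 Omega sshd[2295]: pam_krb5: authentication fails for `bsneddon'
Aug 27 19:30:49 Omega sshd[2295]: pam_krb5: authentication succeeds for `bsneddon'
"""

# Syslog prefix: timestamp, host, "sshd" with optional "(module)", PID, message.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"sshd(?:\([\w.]+\))?\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# Message formats as they appear in the excerpt (assumed stable for this version).
PATTERNS = [
    ("unix_failure", re.compile(r"^authentication failure;.*\buser=(?P<user>\S+)")),
    ("krb5_error", re.compile(r"^pam_krb5: authenticate error: (?P<reason>.+) \(\d+\)$")),
    ("krb5_fail", re.compile(r"^pam_krb5: authentication fails for `(?P<user>[^']+)'")),
    ("krb5_success", re.compile(r"^pam_krb5: authentication succeeds for `(?P<user>[^']+)'")),
]


def summarize(log_text):
    """Return {pid: {"user", "events", "mixed"}} for sshd PAM messages."""
    sessions = defaultdict(lambda: {"user": None, "events": [], "mixed": False})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        for name, pattern in PATTERNS:
            hit = pattern.match(m["msg"])
            if hit:
                fields = hit.groupdict()
                session = sessions[m["pid"]]
                session["user"] = fields.get("user") or session["user"]
                session["events"].append((m["ts"], name, fields.get("reason")))
                break
    for session in sessions.values():
        names = {event[1] for event in session["events"]}
        # A pam_krb5 error and a pam_krb5 success inside one sshd process is the
        # pattern seen in the report; flag it for closer inspection.
        session["mixed"] = {"krb5_error", "krb5_success"} <= names
    return dict(sessions)


if __name__ == "__main__":
    for pid, info in summarize(SAMPLE_LOG).items():
        print(pid, info["user"], [e[1] for e in info["events"]], info["mixed"])
```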
