Bug 151397 - openssh is not properly using kerberos for authentication
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Reported: 2005-03-17 11:29 EST by Abel Lopez
Modified: 2007-11-30 17:07 EST (History)

Doc Type: Bug Fix
Last Closed: 2005-03-17 15:23:09 EST


Attachments:
sshd_config (2.38 KB, text/plain), 2005-03-17 14:25 EST, Abel Lopez
output of ssh -vvv (1.78 KB, text/plain), 2005-03-17 14:26 EST, Abel Lopez

Description Abel Lopez 2005-03-17 11:29:10 EST
Description of problem:
With both /etc/pam.d/sshd and /etc/ssh/sshd_config configured for kerberos authentication, sshd does not consult pam_krb5.so. The only time it does is if you set "ChallengeResponseAuthentication yes" in sshd_config. When this option is set, sshd consults pam_krb5.so and authenticates with the KDC; however, the client is sent a "Password: Response:". In RedHat WS 3, openssh would just authenticate via the kerberos ticket.

Version-Release number of selected component (if applicable):
openssh-server-3.9p1-8.RHEL4.1

How reproducible:
Always

Steps to Reproduce:
1. using a kerberos only ssh, attempt to ssh to a RedHat WS 4 system

Actual Results:  It either fails with no attempt at kerberos authentication, or it attempts kerberos authentication, but presents a "Password: Response:" to the client

Expected Results:  With "auth       sufficient   pam_krb5.so try_first_pass debug use_klog" in /etc/pam.d/sshd, and sshd_config set to "UsePAM yes" and KerberosAuthentication yes, it should work.

Additional info:

Adding logs later.
Comment 1 Abel Lopez 2005-03-17 11:29:30 EST
authpriv log with sshd in DEBUG
Mar 17 08:21:54 junkie sshd[2991]: Generating 768 bit RSA key.
Mar 17 08:21:55 junkie sshd[2991]: RSA key generation complete.
Mar 17 08:21:56 junkie sshd[2995]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Mar 17 08:21:56 junkie sshd[2991]: debug1: Forked child 2995.
Mar 17 08:21:56 junkie sshd[2995]: debug1: inetd sockets after dupping: 3, 3
Mar 17 08:21:57 junkie sshd[2995]: Connection from ::ffff:207.217.XX.XX port 815
Mar 17 08:21:57 junkie sshd[2995]: debug1: Client protocol version 1.5; client software version OpenSSH_3.2.3p1
Mar 17 08:21:57 junkie sshd[2995]: debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Mar 17 08:21:57 junkie sshd[2995]: debug1: Local version string SSH-1.99-OpenSSH_3.9p1
Mar 17 08:21:57 junkie sshd[2995]: debug1: Sent 768 bit server key and 1024 bit host key.
Mar 17 08:21:57 junkie sshd[2995]: debug1: Encryption type: blowfish
Mar 17 08:21:57 junkie sshd[2995]: debug1: Received session key; encryption turned on.
Mar 17 08:21:57 junkie sshd[2995]: debug1: Installing crc compensation attack detector.
Mar 17 08:21:57 junkie sshd[2995]: debug1: PAM: initializing for "alop"
Mar 17 08:21:57 junkie sshd[2995]: debug1: PAM: setting PAM_RHOST to "horai.XXX.XXX"
Mar 17 08:21:57 junkie sshd[2995]: debug1: PAM: setting PAM_TTY to "ssh"
Mar 17 08:21:57 junkie sshd[2995]: debug1: Attempting authentication for alop.
Mar 17 08:21:57 junkie sshd[2995]: debug1: Trying rhosts with RSA host authentication for client user alop
Mar 17 08:21:57 junkie sshd[2995]: debug1: Rhosts RSA authentication: canonical host horai.XXX.XXX
Mar 17 08:21:57 junkie sshd[2995]: debug1: temporarily_use_uid: 209833/30 (e=0/0)
Mar 17 08:21:57 junkie sshd[2995]: debug1: restore_uid: 0/0
Mar 17 08:21:57 junkie sshd[2995]: debug1: temporarily_use_uid: 209833/30 (e=0/0)
Mar 17 08:21:57 junkie sshd[2995]: debug1: restore_uid: 0/0
Mar 17 08:21:57 junkie sshd[2995]: debug1: Rhosts with RSA host authentication denied: unknown or invalid host key
Mar 17 08:21:57 junkie sshd[2995]: Failed rhosts-rsa for alop from ::ffff:207.217.XX.XXX port 815 ruser alop
Mar 17 08:21:57 junkie sshd[2995]: Connection closed by ::ffff:207.217.XXX.XXX
Mar 17 08:21:57 junkie sshd[2995]: debug1: do_cleanup
Mar 17 08:21:57 junkie sshd[2995]: debug1: PAM: cleanup

authpriv with sshd in DEBUG, and "ChallengeResponseAuthentication yes" in sshd_config

Mar 17 08:24:47 junkie sshd[3009]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Mar 17 08:24:47 junkie sshd[3005]: debug1: Forked child 3009.
Mar 17 08:24:47 junkie sshd[3009]: debug1: inetd sockets after dupping: 3, 3
Mar 17 08:24:47 junkie sshd[3009]: Connection from ::ffff:207.217.XX.XXX port 814
Mar 17 08:24:47 junkie sshd[3009]: debug1: Client protocol version 1.5; client software version OpenSSH_3.2.3p1
Mar 17 08:24:47 junkie sshd[3009]: debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Mar 17 08:24:47 junkie sshd[3009]: debug1: Local version string SSH-1.99-OpenSSH_3.9p1
Mar 17 08:24:47 junkie sshd[3009]: debug1: Sent 768 bit server key and 1024 bit host key.
Mar 17 08:24:47 junkie sshd[3009]: debug1: Encryption type: blowfish
Mar 17 08:24:47 junkie sshd[3009]: debug1: Received session key; encryption turned on.
Mar 17 08:24:47 junkie sshd[3009]: debug1: Installing crc compensation attack detector.
Mar 17 08:24:47 junkie sshd[3009]: debug1: PAM: initializing for "alop"
Mar 17 08:24:47 junkie sshd[3009]: debug1: PAM: setting PAM_RHOST to "horai.XXX.XXX"
Mar 17 08:24:47 junkie sshd[3009]: debug1: PAM: setting PAM_TTY to "ssh"
Mar 17 08:24:47 junkie sshd[3009]: debug1: Attempting authentication for alop.
Mar 17 08:24:48 junkie sshd[3009]: debug1: Trying rhosts with RSA host authentication for client user alop
Mar 17 08:24:48 junkie sshd[3009]: debug1: Rhosts RSA authentication: canonical host horai.XXX.XXX
Mar 17 08:24:48 junkie sshd[3009]: debug1: temporarily_use_uid: 209833/30 (e=0/0)
Mar 17 08:24:48 junkie sshd[3009]: debug1: restore_uid: 0/0
Mar 17 08:24:48 junkie sshd[3009]: debug1: temporarily_use_uid: 209833/30 (e=0/0)
Mar 17 08:24:48 junkie sshd[3009]: debug1: restore_uid: 0/0
Mar 17 08:24:48 junkie sshd[3009]: debug1: Rhosts with RSA host authentication denied: unknown or invalid host key
Mar 17 08:24:48 junkie sshd[3009]: Failed rhosts-rsa for alop from ::ffff:207.217.XX.XXX port 814 ruser alop
Mar 17 08:24:48 junkie sshd[3009]: debug1: rcvd SSH_CMSG_AUTH_TIS
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: configured realm 'PAS.EARTHLINK.NET'
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: flags:
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: flag: no ignore_afs
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: flag: user_check
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: flag: no krb4_convert
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: flag: warn
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: ticket lifetime: 0
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: renewable lifetime: 0
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: banner: Kerberos 5
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: ccache dir: /tmp
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: keytab: /etc/krb5.keytab
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: called to authenticate 'alop'
Mar 17 08:24:48 junkie sshd[3010]: pam_krb5[3010]: authenticating 'alop@PAS.EARTHLINK.NET'
Mar 17 08:24:48 junkie sshd[3009]: debug1: sending challenge 'Password: '
Comment 2 Tomas Mraz 2005-03-17 12:11:14 EST
Could you attach your sshd_config and debugging output from the ssh client?
Comment 3 Abel Lopez 2005-03-17 14:25:36 EST
Created attachment 112102
sshd_config
Comment 4 Abel Lopez 2005-03-17 14:26:13 EST
Created attachment 112103
output of ssh -vvv
Comment 5 Tomas Mraz 2005-03-17 15:23:09 EST
Kerberos ticket forwarding support was replaced with the GSSAPIAuthentication method. However, to be able to use this method you need an openssh client >= 3.7p1.

See man sshd_config.
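The two things a reader of this bug ends up needing to check are the ones the description and Comment 5 turn on: which authentication keywords a given sshd_config actually enables, and whether the client is new enough for GSSAPIAuthentication. The script below is an added example, not code from the bug report, Red Hat or the OpenSSH project. It assumes only POSIX sh and awk; the two sshd_config fragments it writes are constructed for the demonstration (the reporter's attachment is not reproduced on the page), the first-value-wins rule is the one documented in man sshd_config, the 3.7p1 threshold is the one given in Comment 5, and the "no" default for GSSAPIAuthentication is upstream sshd's. Match blocks, which did not exist in 3.9p1 anyway, are not handled.

```shell
#!/bin/sh
# Added example, not code from the bug report, Red Hat or OpenSSH.
# 1) sshd_effective: what value sshd will actually use for a keyword
#    (first occurrence wins; later duplicates are ignored).
# 2) openssh_ver_ge: does a client version string meet the 3.7p1
#    minimum that GSSAPIAuthentication needs.

# sshd_effective KEYWORD FILE
# Print the effective value of KEYWORD in FILE: keyword match is
# case-insensitive, comment and blank lines are skipped, "Key value" and
# "Key=value" forms are accepted, and the first match wins. Prints "unset"
# when the keyword never appears, so the caller must apply sshd's default.
sshd_effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key); found = 0 }
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (!found && tolower(f[1]) == key) { print f[2]; found = 1 }
        }
        END { if (!found) print "unset" }
    ' "$2"
}

# openssh_ver_ge VERSION MIN
# Return 0 when OpenSSH version VERSION is at least MIN. Accepts the forms
# seen in sshd's debug log ("OpenSSH_3.2.3p1", "OpenSSH_3.9p1") and bare
# "3.7p1"; compares major.minor.patch numerically, then the portable "pN".
openssh_ver_ge() {
    awk -v a="$1" -v b="$2" '
        function num(v,    n, p, port) {
            sub(/^OpenSSH_/, "", v)
            port = 0
            if (match(v, /p[0-9]+$/)) {
                port = substr(v, RSTART + 1) + 0
                v = substr(v, 1, RSTART - 1)
            }
            n = split(v, p, ".")
            while (n < 3) { n++; p[n] = 0 }
            return p[1] * 1000000 + p[2] * 10000 + p[3] * 100 + port
        }
        BEGIN { exit !(num(a) >= num(b)) }
    '
}

# write_samples PAM_ONLY_FILE GSSAPI_FILE
# Constructed sshd_config fragments (assumption: not the reporter's real
# attachment). The first matches what the report describes: PAM and
# KerberosAuthentication on, no GSSAPI. The second is the GSSAPI-based
# setup Comment 5 points to; its trailing duplicate exercises the
# first-value-wins rule.
write_samples() {
    cat > "$1" <<'EOF'
# Kerberos only through pam_krb5
UsePAM yes
KerberosAuthentication yes
ChallengeResponseAuthentication no
EOF
    cat > "$2" <<'EOF'
UsePAM yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# ignored by sshd: the first value above wins
GSSAPIAuthentication no
EOF
}

# report FILE: effective value of the keywords this bug turns on, plus a
# verdict on the GSSAPI method (upstream sshd default is "no").
report() {
    for k in UsePAM KerberosAuthentication ChallengeResponseAuthentication GSSAPIAuthentication; do
        printf '  %-32s %s\n' "$k" "$(sshd_effective "$k" "$1")"
    done
    if [ "$(sshd_effective GSSAPIAuthentication "$1")" = yes ]; then
        echo "  verdict: GSSAPIAuthentication is enabled"
    else
        echo "  verdict: GSSAPIAuthentication is not enabled (sshd default: no)"
    fi
}

# Stand-alone run over the two constructed fragments and the client and
# server versions that appear in the report's debug log.
tmp=$(mktemp -d)
write_samples "$tmp/pam_only.conf" "$tmp/gssapi.conf"
for f in pam_only.conf gssapi.conf; do
    echo "== $f"
    report "$tmp/$f"
done
for v in OpenSSH_3.2.3p1 OpenSSH_3.9p1; do
    if openssh_ver_ge "$v" 3.7p1; then
        echo "$v: new enough for GSSAPIAuthentication (>= 3.7p1)"
    else
        echo "$v: too old for GSSAPIAuthentication (needs >= 3.7p1)"
    fi
done
rm -rf "$tmp"
```

Run against a real server with `report /etc/ssh/sshd_config`; the version check is what the log's "client software version OpenSSH_3.2.3p1" line tells you before you touch the server config, which is exactly the mismatch this bug came down to.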
