Bug 20504

Summary:	[PATCH] ssh (openssh) cannot connect to sshd (ssh.com) using kerberos5
Product:	Base System	Reporter:	mark.andrews <mark.andrews>
Component:	misc	Assignee:	assar <assar>
Status:	Closed FIXED
Severity:	Affects Only Me
Priority:	Normal
Version:	Unspecified
Hardware:	Any
OS:	Any

Description mark.andrews 2000-08-09 15:20:01 UTC

openssh and ssh.com disagree about which protocol values should be
used w/ kerberos5.

The patch below allows ssh from openssh to connect to sshd from
ssh.com.

Fix: 

ZGlmZiAtdXIgY3J5cHRvL29wZW5zc2gvcmVhZGNvbmYuYyBjcnlwdG8vb3BlbnNzaC9yZWFk
Y29uZi5jCi0tLSBjcnlwdG8vb3BlbnNzaC9yZWFkY29uZi5jCU1vbiBKdWwgMzEgMTc6NDc6
MzcgMjAwMAorKysgY3J5cHRvL29wZW5zc2gvcmVhZGNvbmYuYwlXZWQgQXVnICA5IDIyOjUx
OjA5IDIwMDAKQEAgLTk4LDcgKzk4LDcgQEAKIAlvS3JiNEF1dGhlbnRpY2F0aW9uLAogI2Vu
ZGlmIC8qIEtSQjQgKi8KICNpZmRlZiBLUkI1Ci0Jb0tyYjVBdXRoZW50aWNhdGlvbiwgb0ty
YjVUZ3RQYXNzaW5nLAorCW9LcmI1QXV0aGVudGljYXRpb24sIG9LcmI1VGd0UGFzc2luZywg
b0tyYjVPdmVyS3JiNCwKICNlbmRpZiAvKiBLUkI1ICovCiAjaWZkZWYgQUZTCiAJb0tyYjRU
Z3RQYXNzaW5nLCBvQUZTVG9rZW5QYXNzaW5nLApAQCAtMTMzLDYgKzEzMyw3IEBACiAjaWZk
ZWYgS1JCNQogCXsgImtlcmJlcm9zNWF1dGhlbnRpY2F0aW9uIiwgb0tyYjVBdXRoZW50aWNh
dGlvbiB9LAogCXsgImtlcmJlcm9zNXRndHBhc3NpbmciLCBvS3JiNVRndFBhc3NpbmcgfSwK
Kwl7ICJrZXJiZXJvczVvdmVya2VyYmVyb3M0Iiwgb0tyYjVPdmVyS3JiNCB9LAogI2VuZGlm
IC8qIEtSQjUgKi8KICNpZmRlZiBBRlMKIAl7ICJrZXJiZXJvczR0Z3RwYXNzaW5nIiwgb0ty
YjRUZ3RQYXNzaW5nIH0sCkBAIC0zMzEsNiArMzMyLDEwIEBACiAJY2FzZSBvS3JiNVRndFBh
c3Npbmc6CiAJCWludHB0ciA9ICZvcHRpb25zLT5rcmI1X3RndF9wYXNzaW5nOwogCQlnb3Rv
IHBhcnNlX2ZsYWc7CisKKwljYXNlIG9LcmI1T3ZlcktyYjQ6CisJCWludHB0ciA9ICZvcHRp
b25zLT5rcmI1X292ZXJfa3JiNDsKKwkJZ290byBwYXJzZV9mbGFnOwogI2VuZGlmIC8qIEtS
QjUgKi8KIAogI2lmZGVmIEFGUwpAQCAtNjc0LDYgKzY3OSw3IEBACiAjaWZkZWYgS1JCNQog
CW9wdGlvbnMtPmtyYjVfYXV0aGVudGljYXRpb24gPSAtMTsKIAlvcHRpb25zLT5rcmI1X3Rn
dF9wYXNzaW5nID0gLTE7CisJb3B0aW9ucy0+a3JiNV9vdmVyX2tyYjQgPSAtMTsKICNlbmRp
ZiAvKiBLUkI1ICovCiAjaWZkZWYgQUZTCiAJb3B0aW9ucy0+a3JiNF90Z3RfcGFzc2luZyA9
IC0xOwpAQCAtNzQzLDYgKzc0OSw4IEBACiAJCW9wdGlvbnMtPmtyYjVfYXV0aGVudGljYXRp
b24gPSAxOwogCWlmIChvcHRpb25zLT5rcmI1X3RndF9wYXNzaW5nID09IC0xKQogCQlvcHRp
b25zLT5rcmI1X3RndF9wYXNzaW5nID0gMTsKKwlpZiAob3B0aW9ucy0+a3JiNV9vdmVyX2ty
YjQgPT0gLTEpCisJCW9wdGlvbnMtPmtyYjVfb3Zlcl9rcmI0ID0gMDsKICNlbmRpZiAvKiBL
UkI1ICovCiAjaWZkZWYgQUZTCiAJaWYgKG9wdGlvbnMtPmtyYjRfdGd0X3Bhc3NpbmcgPT0g
LTEpCmRpZmYgLXVyIGNyeXB0by9vcGVuc3NoL3JlYWRjb25mLmggY3J5cHRvL29wZW5zc2gv
cmVhZGNvbmYuaAotLS0gY3J5cHRvL29wZW5zc2gvcmVhZGNvbmYuaAlGcmkgSnVuICA5IDE3
OjEwOjIwIDIwMDAKKysrIGNyeXB0by9vcGVuc3NoL3JlYWRjb25mLmgJV2VkIEF1ZyAgOSAy
Mjo0Mzo0MCAyMDAwCkBAIC00Nyw2ICs0Nyw3IEBACiAjaWZkZWYgS1JCNQogCWludAlrcmI1
X2F1dGhlbnRpY2F0aW9uOwogCWludAlrcmI1X3RndF9wYXNzaW5nOworCWludAlrcmI1X292
ZXJfa3JiNDsKICNlbmRpZiAvKiBLUkI1ICovCiAKICNpZmRlZiBBRlMKZGlmZiAtdXIgY3J5
cHRvL29wZW5zc2gvc3NoY29ubmVjdC5jIGNyeXB0by9vcGVuc3NoL3NzaGNvbm5lY3QuYwot
LS0gY3J5cHRvL29wZW5zc2gvc3NoY29ubmVjdC5jCUZyaSBKdW4gIDkgMTc6MTA6MjEgMjAw
MAorKysgY3J5cHRvL29wZW5zc2gvc3NoY29ubmVjdC5jCVdlZCBBdWcgIDkgMjM6MDE6MDEg
MjAwMApAQCAtNzI0LDcgKzcyNCw4IEBACiAgICAgIGdvdG8gb3V0OwogICB9CiAgIAotICBw
YWNrZXRfc3RhcnQoU1NIX0NNU0dfQVVUSF9LUkI1KTsKKyAgcGFja2V0X3N0YXJ0KG9wdGlv
bnMua3JiNV9vdmVyX2tyYjQgPworCSAgICAgICBTU0hfQ01TR19BVVRIX0tSQjQgOiBTU0hf
Q01TR19BVVRIX0tSQjUpOwogICBwYWNrZXRfcHV0X3N0cmluZygoY2hhciAqKSBhcC5kYXRh
LCBhcC5sZW5ndGgpOwogICBwYWNrZXRfc2VuZCgpOwogICBwYWNrZXRfd3JpdGVfd2FpdCgp
OwpAQCAtNzQwLDYgKzc0MSwxMSBAQAogICAgICAgICAgICAgICAgIHJldCA9IDA7CiAgICAg
ICAgICAgICAgICAgYnJlYWs7CiAKKyAgICAgICAgIGNhc2UgU1NIX1NNU0dfQVVUSF9LUkI0
X1JFU1BPTlNFOgorCQlpZiAoIW9wdGlvbnMua3JiNV9vdmVyX2tyYjQpCisJCQlnb3RvIGZh
aWw7CisJCS8qRkFMTFRIUk9VR0gqLworCiAgICAgICAgICBjYXNlIFNTSF9TTVNHX0FVVEhf
S1JCNV9SRVNQT05TRToKICAgICAgICAgICAgICAgICAvKiBTU0hfU01TR19BVVRIX0tSQjVf
U1VDQ0VTUyAqLwogICAgICAgICAgICAgICAgIGRlYnVnKCJLZXJiZXJvcyBWNSBhdXRoZW50
aWNhdGlvbiBhY2NlcHRlZC4iKTsKQEAgLTc1OCw2ICs3NjQsNyBAQAogCQlicmVhazsKIAkK
IAlkZWZhdWx0OgorCWZhaWw6CiAJCXBhY2tldF9kaXNjb25uZWN0KCJQcm90b2NvbCBlcnJv
ciBvbiBLZXJiZXJvcyBWNSByZXNwb25zZTogJWQiLCB0eXBlKTsKIAkJcmV0ID0gMDsgCiAJ
CWJyZWFrOwpAQCAtODUyLDcgKzg1OSw4IEBACiAgICAgIGdvdG8gb3V0OwogICB9CiAgIAot
ICBwYWNrZXRfc3RhcnQoU1NIX0NNU0dfSEFWRV9LUkI1X1RHVCk7CisgIHBhY2tldF9zdGFy
dChvcHRpb25zLmtyYjVfb3Zlcl9rcmI0ID8KKwkgICAgICAgU1NIX0NNU0dfSEFWRV9LUkI0
X1RHVCA6IFNTSF9DTVNHX0hBVkVfS1JCNV9UR1QpOwogICBwYWNrZXRfcHV0X3N0cmluZygo
Y2hhciAqKW91dGJ1Zi5kYXRhLCBvdXRidWYubGVuZ3RoKTsKICAgcGFja2V0X3NlbmQoKTsK
ICAgcGFja2V0X3dyaXRlX3dhaXQoKTsKZGlmZiAtdXIgY3J5cHRvL29wZW5zc2gvc3NoY29u
bmVjdDEuYyBjcnlwdG8vb3BlbnNzaC9zc2hjb25uZWN0MS5jCi0tLSBjcnlwdG8vb3BlbnNz
aC9zc2hjb25uZWN0MS5jCUZyaSBKdW4gIDkgMTc6MTA6MjEgMjAwMAorKysgY3J5cHRvL29w
ZW5zc2gvc3NoY29ubmVjdDEuYwlXZWQgQXVnICA5IDIzOjA1OjIyIDIwMDAKQEAgLTk1OSw3
ICs5NTksOSBAQAogI2VuZGlmIC8qIEtSQjQgKi8KIAogI2lmZGVmIEtSQjUKLQlpZiAoKHN1
cHBvcnRlZF9hdXRoZW50aWNhdGlvbnMgJiAoMSA8PCBTU0hfQVVUSF9LUkI1KSkgJiYKKwlp
ZiAoKChzdXBwb3J0ZWRfYXV0aGVudGljYXRpb25zICYgKDEgPDwgU1NIX0FVVEhfS1JCNSkp
IHx8CisJICAgICAoKHN1cHBvcnRlZF9hdXRoZW50aWNhdGlvbnMgJiAoMSA8PCBTU0hfQVVU
SF9LUkI0KSkgJiYKKwkgICAgICBvcHRpb25zLmtyYjVfb3Zlcl9rcmI0KSkgJiYKIAkgICAg
IG9wdGlvbnMua3JiNV9hdXRoZW50aWNhdGlvbil7CiAJCWtyYjVfY29udGV4dCBzc2hfY29u
dGV4dCA9IE5VTEw7CiAJCWtyYjVfYXV0aF9jb250ZXh0IGF1dGhfY29udGV4dCA9IE5VTEw7
Cg==
How-To-Repeat: Find a site running a sshd from ssh.com and try to connect to it with
ssh (openssh) compiled w/ kerberos5. 

/etc/make.conf
MAKE_KERBEROS5= yes

apply fixes in misc/20502 and misc/18995

~/.ssh/config
kerberos5authentication yes
kerberos5tgtpassing yes

Comment 1 Sheldon Hearn freebsd_committer

2000-08-10 11:13:33 UTC

Responsible Changed
From-To: freebsd-bugs->assar

Assar's looking at getting OpenSSH + Heimdal working nicely.

Comment 2 assar freebsd_committer

2001-03-04 02:24:45 UTC

Code for this has been added to -current, done somewhat differently
from your patch.  Could you verify that it works for you too?  Thanks.

/assar

Comment 3 assar freebsd_committer

2001-03-04 02:25:20 UTC

State Changed
From-To: open->feedback

code has been comitted to do this and mail sent to the originator of 
the PR asking him to test it

Comment 4 mark.andrews 2001-03-04 07:02:11 UTC

> Code for this has been added to -current, done somewhat differently
> from your patch.  Could you verify that it works for you too?  Thanks.
> 
> /assar

	It looks like the code that was commited addresses the
	server side of the issue.  It does not address the case
	where OpenSSH is the client which is what my patch addresses.

	Note 1 I have only got krb5 installed, no krb4 at all.

	Note 2 supported_authentications is only tested for
	SSH_AUTH_KRB5 in the cvs repository and that bit is NOT
	set by the Secure Shell sshd which sets only SSH_AUTH_KRB4
	(or as it sees it SSH_AUTH_KERBEROS).

	Mark

Unpatched:

/usr/obj/usr/src/secure/usr.bin/ssh/ssh -v bb.rc.vix.com
SSH Version OpenSSH_2.3.0, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /usr/home/marka/.ssh/config
debug: Applying options for *.vix.com
debug: Applying options for *
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug: Connecting to bb.rc.vix.com [204.152.187.11] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version 2.4.0 SSH Secure Shell (non-commercial)
debug: match: 2.4.0 SSH Secure Shell (non-commercial) pat ^2\.[2-9]\.

debug: Local version string SSH-1.5-OpenSSH_2.3.0
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'bb.rc.vix.com' is known and matches the RSA host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
marka@bb.rc.vix.com's password: 
drugs:src {3086} % 

Patched 

ssh -v bb.rc.vix.com
SSH Version OpenSSH_2.3.0, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /usr/home/marka/.ssh/config
debug: Applying options for *.vix.com
debug: Applying options for *
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug: Connecting to bb.rc.vix.com [204.152.187.11] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version 2.4.0 SSH Secure Shell (non-commercial)
debug: match: 2.4.0 SSH Secure Shell (non-commercial) pat ^2\.[2-9]\.

debug: Local version string SSH-1.5-OpenSSH_2.3.0
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'bb.rc.vix.com' is known and matches the RSA host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying Kerberos V5 authentication.
debug: Kerberos V5 authentication accepted.
debug: Requesting pty.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting shell.
debug: Entering interactive session.
Last login: Thu Mar  1 21:58:41 2001 from drugs.dv.isc.org
BSDI BSD/OS 3.1 Kernel #4: Thu Oct 16 16:16:52 MDT 1997

** Nominum staff mail has been moved from bb to shell.nominum.com **

1 bb <marka> % 


	Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com

Comment 5 assar freebsd_committer

2001-03-05 13:13:02 UTC

Mark.Andrews@nominum.com writes:
> 	It looks like the code that was commited addresses the
> 	server side of the issue.  It does not address the case
> 	where OpenSSH is the client which is what my patch addresses.

Weird, I did try that and it worked for me.

> 	Note 1 I have only got krb5 installed, no krb4 at all.

My testing has been with both krb4 and krb5.

> 	Note 2 supported_authentications is only tested for
> 	SSH_AUTH_KRB5 in the cvs repository and that bit is NOT
> 	set by the Secure Shell sshd which sets only SSH_AUTH_KRB4
> 	(or as it sees it SSH_AUTH_KERBEROS).

There's only a SSH_AUTH_KERBEROS now.

I'll re-build with only krb5 and test against the Finnish sshd again.

/assar

Comment 6 mark.andrews 2001-03-05 23:00:46 UTC

	I just ran "cvs update" again.  This time there was the following
	changes.  Note the auth-krb5.c is for heimdal 0.3e.  This set of
	changes appears to work.

	Thanks
	Mark

P auth-krb4.c
RCS file: /home/ncvs/src/crypto/openssh/auth-krb5.c,v
retrieving revision 1.2.2.2
retrieving revision 1.2.2.3
Merging differences between 1.2.2.2 and 1.2.2.3 into auth-krb5.c
M auth-krb5.c
P auth-passwd.c
P auth1.c
P auth2.c
P readconf.c
P readconf.h
P servconf.c
P servconf.h
P ssh.h
P sshconnect.c
P sshconnect1.c
P sshd.c

> Mark.Andrews@nominum.com writes:
> > 	It looks like the code that was commited addresses the
> > 	server side of the issue.  It does not address the case
> > 	where OpenSSH is the client which is what my patch addresses.
> 
> Weird, I did try that and it worked for me.
> 
> > 	Note 1 I have only got krb5 installed, no krb4 at all.
> 
> My testing has been with both krb4 and krb5.
> 
> > 	Note 2 supported_authentications is only tested for
> > 	SSH_AUTH_KRB5 in the cvs repository and that bit is NOT
> > 	set by the Secure Shell sshd which sets only SSH_AUTH_KRB4
> > 	(or as it sees it SSH_AUTH_KERBEROS).
> 
> There's only a SSH_AUTH_KERBEROS now.
> 
> I'll re-build with only krb5 and test against the Finnish sshd again.
> 
> /assar
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com

Comment 7 assar freebsd_committer

2001-03-06 17:23:24 UTC

Mark.Andrews@nominum.com writes:
> 	I just ran "cvs update" again.  This time there was the following
> 	changes.  Note the auth-krb5.c is for heimdal 0.3e.  This set of
> 	changes appears to work.

Aha, ok.  It might have been that not everything was merged into
stable at that time.  I did my testing with -current (which I should
have mentioned).  Thanks for your feedback and do tell me if you have
any more problem with this.

/assar

Comment 8 assar freebsd_committer

2001-03-06 17:23:38 UTC

State Changed
From-To: feedback->closed

submitter says it works for him now