Bug 21767

Summary: sample sshd_config errors for kerberos
Product: Documentation
Reporter: Brian Candler <B.Candler>
Component: Books & Articles
Assignee: Brian Feldman <green>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Brian Candler 2000-10-05 15:10:00 UTC
The supplied sample /etc/ssh/sshd_config has the line
#KerberosAuthentication no
This should read
#Kerberos5Authentication no

Same applies to "Kerberos[5]TgtPassing".

The other Kerberos options (KerberosOrLocalPasswd, AFSTokenPassing,
KerberosTicketCleanup) appear to be completely spurious.

Fix: 

See above
How-To-Repeat: Uncomment 'KerberosAuthentication no', restart sshd, and watch it barf
Comment 1 nik freebsd_committer freebsd_triage 2000-10-28 23:48:32 UTC
Responsible Changed
From-To: freebsd-doc->kris

Kris (in #bsdcode) thinks there's a problem, but that the suggested fix  
isn't right.  He's much more knowledgeable in these affairs than I am, so
he gets to play with the PR :-)
Comment 2 Kris Kennaway freebsd_committer freebsd_triage 2000-11-13 02:27:41 UTC
Responsible Changed
From-To: kris->green

Green is taking over OpenSSH
Comment 3 cykyc 2002-04-05 05:56:04 UTC
Hello,

FreeBSD novaV2 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Tue Feb 12
15:18:54 CST 2002     root@novaV2:/usr/obj/usr/src/sys/NOVAV2  i386

I'm noticing problems similar to PR docs/21767, where the
sshd_config doesn't like having KerberosAuthentication set to no (or
any of the other Kerberos options uncommented, such as
AFSTokenPassing no).  The fix mentioned did not work w/ my setup
(no other changes made in sshd_config).  I don't have any source on
the system, and sshd hasn't been patched, either.

Jon



Comment 4 chern freebsd_committer freebsd_triage 2002-07-29 11:48:23 UTC
State Changed
From-To: open->closed

MAKE_KERBEROS4=        yes 
MAKE_KERBEROS5=        yes 

must be defined in your /etc/make.conf and sshd recompiled to use any of 
sshd's kerberos features.  If not, these options are purposely left out; 
this is why they are commented out and not set to 'no' in sshd_config.
Comment 5 Brian Candler 2002-07-30 21:49:05 UTC
On Mon, Jul 29, 2002 at 03:49:50AM -0700, Chern Lee wrote:
> Synopsis: sample sshd_config errors for kerberos
> 
> State-Changed-From-To: open->closed
> State-Changed-By: chern
> State-Changed-When: Mon Jul 29 03:48:23 PDT 2002
> State-Changed-Why: 
> MAKE_KERBEROS4=        yes
> MAKE_KERBEROS5=        yes
> 
> must be defined in your /etc/make.conf and sshd recompiled to use any of
> sshd's kerberos features.  If not, these options are purposely left out;
> this is why they are commented out and not set to 'no' in sshd_config.

Admittedly this PR is partially stale now, but I think the underlying point
still stands: it is not that the commands are commented out in sshd_config,
but that the _wrong_ commands are commented out.

On a FreeBSD-4.6-RELEASE system:

$ grep -i kerberos /etc/ssh/sshd_config 
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup no
#KerberosTgtPassing yes               <<<

But looking at /usr/src/crypto/openssh/servconf.c the correct options are:
        { "kerberosauthentication", sKerberosAuthentication },
        { "kerberos4orlocalpasswd", sKrb4OrLocalPasswd },
        { "kerberos4ticketcleanup", sKrb4TicketCleanup },
        { "kerberos5tgtpassing", sKrb5TgtPassing },
        { "kerberos4tgtpassing", sKrb4TgtPassing },

which apart from "KerberosAuthentication" are all different to the
commented-out examples in sshd_config.

Regards,

Brian Candler.
Comment 6 chern freebsd_committer freebsd_triage 2002-07-30 22:08:12 UTC
FreeBSD 4.6-RELEASE had OpenSSH 2.9.  OpenSSH 3.4p1 was put into STABLE on
July 4th.  The problem as mentioned does not exist as mentioned,
kerberos(5|4), is no longer around.

- chern

From STABLE as of 7/19:

#if defined(KRB4) || defined(KRB5)
        { "kerberosauthentication", sKerberosAuthentication },
        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
        { "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
        { "kerberostgtpassing", sKerberosTgtPassing },


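
Added example (not part of the original PR thread, and not FreeBSD or OpenSSH code): a shell check that compares the directives in a sample sshd_config, including commented-out ones, against the keyword table of the servconf.c the daemon was built from. The inputs are constructed from the lines quoted in the comments above; the variable and function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: find sshd_config directives that a given servconf.c
# keyword table does not define. All inputs are constructed from lines
# quoted in this PR.

# Keyword table excerpt quoted for OpenSSH 2.9 (FreeBSD 4.6-RELEASE).
TABLE_29='        { "kerberosauthentication", sKerberosAuthentication },
        { "kerberos4orlocalpasswd", sKrb4OrLocalPasswd },
        { "kerberos4ticketcleanup", sKrb4TicketCleanup },
        { "kerberos5tgtpassing", sKrb5TgtPassing },
        { "kerberos4tgtpassing", sKrb4TgtPassing },'

# Keyword table excerpt quoted for OpenSSH 3.4p1 (STABLE as of 7/19).
TABLE_34P1='#if defined(KRB4) || defined(KRB5)
        { "kerberosauthentication", sKerberosAuthentication },
        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
        { "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
        { "kerberostgtpassing", sKerberosTgtPassing },'

# Sample config lines quoted from FreeBSD 4.6-RELEASE.
SAMPLE_46='#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup no
#KerberosTgtPassing yes'

# Print the lower-case keywords defined in a keyword table excerpt.
known_keywords() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*{[[:space:]]*"\([a-z0-9]*\)".*/\1/p'
}

# Print directives in config text $2 that table $1 lacks. "#Keyword value"
# (no space after "#") is treated as a commented-out sample directive;
# "# text" is treated as prose and skipped (assumed file convention).
unknown_directives() {
    table=$(known_keywords "$1")
    printf '%s\n' "$2" |
        sed -n 's/^#\{0,1\}\([A-Za-z][A-Za-z0-9]*\)[[:space:]].*/\1/p' |
        while read -r name; do
            lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
            printf '%s\n' "$table" | grep -qxF "$lower" ||
                printf '%s\n' "$name"
        done
}

echo "Not in the OpenSSH 2.9 table:"
unknown_directives "$TABLE_29" "$SAMPLE_46"
```

Against the 2.9 table the check reports three of the four sample directives; against the 3.4p1 table the same sample lines all resolve and nothing is printed.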