Mailing List Archive: [Bug 614] bug in krb4 support for OpenSSH on IRIX 64-bit ABI

[Bug 614] bug in krb4 support for OpenSSH on IRIX 64-bit ABI

Jul 9, 2003, 9:24 PM

Post #1 of 5 (1182 views)

http://bugzilla.mindrot.org/show_bug.cgi?id=614

Summary: bug in krb4 support for OpenSSH on IRIX 64-bit ABI
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: MIPS
URL: http://lib.natur.cuni.cz/komanek/webland/html/unix/opens
sh_patches.html
OS/Version: IRIX
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: komanek@natur.cuni.cz

Problem: 'ssh' binary works except krb4 authorization. Issuing

kinit username; ssh -v -1 host

at the end of the debug output one gets following:

debug1: Trying Kerberos v4 authentication.
debug1: Kerberos v4 authentication accepted.
Disconnecting: Kerberos v4 challenge failed!

So the problem is a post-authentication issue on SGI IRIX 6.5.x if OpenSSH is
compiled with 64-bit ABI (both 'cc -64' and 'gcc -mabi=64'). No such problem
appears if any of 32-bit ABIs is used.

Cause: Incorrectly calculated checksum after the Kerberos 4 server response.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 614] bug in krb4 support for OpenSSH on IRIX 64-bit ABI [ In reply to ]

bugzilla-daemon at mindrot

Jul 9, 2003, 9:27 PM

Post #2 of 5 (1166 views)

Permalink

http://bugzilla.mindrot.org/show_bug.cgi?id=614

komanek@natur.cuni.cz changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WORKSFORME

------- Additional Comments From komanek@natur.cuni.cz 2003-07-10 15:27 -------
Solution: you can either use 32-bit version of 'ssh' binary (note: you will need
32-bit versions of libraries in krb4 and openssl for linking this one binary, so
it is probably better to compile whole OpenSSH distribution in 32-bit version),
or to apply the following patch to 'sshconnect1.c' and recompile/reinstall OpenSSH:

*** ./openssh-3.6p1-orig/sshconnect1.c Wed Jul 9 13:55:37 2003
--- ./openssh-3.6p1/sshconnect1.c Wed Jul 9 15:31:42 2003
***************
*** 484,489 ****
--- 484,492 ----
/* Fetch the (incremented) checksum that we supplied in the request. */
memcpy((char *)&cksum, (char *)msg_data.app_data,sizeof(cksum));
+ #ifdef _MIPS_SIM_ABI64
+ cksum >>= 32;
+ #endif
cksum = ntohl(cksum);

/* If it matches, we're golden. */

Tested on: SGI Irix 6.5.20, OpenSSH 3.6p1, MIPSPro Compiler 7.2.1 (patched) /
SGI Freeware GCC 3.2.2

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 614] bug in krb4 support for OpenSSH on IRIX 64-bit ABI [ In reply to ]

bugzilla-daemon at mindrot

Jul 9, 2003, 10:16 PM

Post #3 of 5 (1165 views)

Permalink

http://bugzilla.mindrot.org/show_bug.cgi?id=614

dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|WORKSFORME |

------- Additional Comments From dtucker@zip.com.au 2003-07-10 16:16 -------
Before closing this bug, should that patch be applied to the tree?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 614] bug in krb4 support for OpenSSH on IRIX 64-bit ABI [ In reply to ]

bugzilla-daemon at mindrot

Jul 10, 2003, 1:10 AM

Post #4 of 5 (1159 views)

Permalink

http://bugzilla.mindrot.org/show_bug.cgi?id=614

------- Additional Comments From djm@mindrot.org 2003-07-10 19:10 -------
maybe cksum should be u_int32_t?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 614] bug in krb4 support for OpenSSH on IRIX 64-bit ABI [ In reply to ]

bugzilla-daemon at mindrot

Jul 13, 2003, 10:54 PM

Post #5 of 5 (1158 views)

Permalink

http://bugzilla.mindrot.org/show_bug.cgi?id=614

------- Additional Comments From dtucker@zip.com.au 2003-07-14 16:54 -------
I don't speak kerberos but if cksum is supposed to be a 32bit entity then yeah,
I guess that would work.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.