Mailing List Archive

[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635

Summary: openssh-SNAP-20030903: configure does not work well with
heimdal(krb5)
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: mmokrejs@natur.cuni.cz


I see configure did not manage to realize that my heimdal installation does not
have libdes. When heimdal detects libcrypto installed during its build, it does
not build libdes.

The second problem is that

$ ./configure --prefix=/usr/local --with-tcp-wrappers
--with-ssl-dir=/usr/local/openssl --with-prngd-socket=/tmp/entropy
--with-default-path=/usr/bin:/bin:/sbin:/usr/local/bin:/usr/local/sbin:/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/bin/X11:/usr/afs/bin:/usr/athena/bin:/usr/local/openssl/bin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
--with-xauth=/usr/bin/X11/xauth --with-zlib --with-osfsia
--with-login=/usr/bin/login --with-privsep --with-kerberos5=/usr/heimdal
--with-afs=/usr/afsws
[cut]
checking whether we are using Heimdal... yes
checking for library containing dn_expand... none required
checking for gss_init_sec_context in -lgssapi... no
checking for gss_init_sec_context in -lgssapi_krb5... no
configure: WARNING: Cannot find any suitable gss-api library - build may fail
checking for gssapi.h... yes
checking for gssapi_krb5.h... no
[cut]
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
/usr/bin:/bin:/sbin:/usr/local/bin:/usr/local/sbin:/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/bin/X11:/usr/afs/bin:/usr/athena/bin:/usr/local/openssl/bin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
Manpage format: man
DNS support: no
PAM support: no
KerberosV support: yes
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: alphaev67-dec-osf5.1
Compiler: cc
Compiler flags: -O2 -arch ev56
Preprocessor flags: -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include
Linker flags: -L/usr/local/openssl/lib -Lyes -L/usr/heimdal/lib
Libraries: -lwrap -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto -lkrb5
-ldes -lcom_err -lasn1 -lroken


You see, the "Linker flags" properly contain -L/usr/heimdal/lib, which is where
libgssapi.a is.

The problem is when heimdal is installed with support for openssl, it does not
build libdes:

configure:14199: checking whether we are using Heimdal
configure:14214: cc -c -O2 -arch ev56 -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include conftest.c >&5
cc: Warning: configure, line 14207: In the initializer for tmp, the referenced
type of the pointer value "heimdal_version" is const, but
the referenced type of the target of this assignment is not. (notconstqual)
char *tmp = heimdal_version;
-------------^
configure:14217: $? = 0
configure:14220: test -s conftest.o
configure:14223: $? = 0
configure:14225: result: yes
configure:14248: checking for library containing dn_expand
configure:14275: cc -o conftest -O2 -arch ev56 -I/usr/local/openssl/include
-Iyes -I/software/@sys/usr/include -I/usr/local/include
-I/usr/local/openssl/include -I/usr/heimdal/include -L/usr/local/openssl/lib
-Lyes -L/usr/heimdal/lib conftest.c -lrt -lz -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm
-laud -lcrypto >&5
configure:14278: $? = 0
configure:14281: test -s conftest
configure:14284: $? = 0
configure:14337: result: none required
configure:14344: checking for gss_init_sec_context in -lgssapi
configure:14371: cc -o conftest -O2 -arch ev56 -I/usr/local/openssl/include
-Iyes -I/software/@sys/usr/include -I/usr/local/include
-I/usr/local/openssl/include -I/usr/heimdal/include -L/usr/local/openssl/lib
-Lyes -L/usr/heimdal/lib conftest.c -lgssapi -lkrb5 -ldes -lcom_err
-lasn1 -lroken -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto >&5
ld:
Can't locate file for: -ldes
configure:14374: $? = 1
configure: failed program was:
#line 14352 "configure"
#include "confdefs.h"

/* Override any gcc2 internal prototype to avoid an error. */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
builtin and then its argument prototype would still apply. */
char gss_init_sec_context ();
int
main ()
{
gss_init_sec_context ();
;
return 0;
}
configure:14391: result: no
configure:14400: checking for gss_init_sec_context in -lgssapi_krb5
configure:14427: cc -o conftest -O2 -arch ev56 -I/usr/local/openssl/include
-Iyes -I/software/@sys/usr/include -I/usr/local/include
-I/usr/local/openssl/include -I/usr/heimdal/include -L/usr/local/openssl/lib
-Lyes -L/usr/heimdal/lib conftest.c -lgssapi_krb5 -lkrb5 -ldes
-lcom_err -lasn1 -lroken -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto >&5
ld:
Can't locate file for: -lgssapi_krb5
configure:14430: $? = 1
configure: failed program was:
#line 14408 "configure"
#include "confdefs.h"

/* Override any gcc2 internal prototype to avoid an error. */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
builtin and then its argument prototype would still apply. */
char gss_init_sec_context ();
int
main ()
{
gss_init_sec_context ();
;
return 0;
}
configure:14447: result: no
configure:14456: WARNING: Cannot find any suitable gss-api library - build may fail
configure:14462: checking for gssapi.h
configure:14472: cc -E -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include conftest.c
configure:14478: $? = 0
configure:14497: result: yes
configure:14561: checking for gssapi_krb5.h
configure:14571: cc -E -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include -I/usr/heimdal/include/gssapi conftest.c
cc: Error: configure, line 14568: Cannot find file <gssapi_krb5.h> specified in
#include directive. (noinclfile)
#include <gssapi_krb5.h>
-^
configure:14577: $? = 1
configure: failed program was:
#line 14567 "configure"
#include "confdefs.h"
#include <gssapi_krb5.h>
configure:14596: result: no


To help you out with what is available and what isn't when the latest CVS
snapshot of heimdal is installed (with support for openssl, i.e. without
libdes.a built):

serow# ls /usr/heimdal/include
asn1_err.h fnmatch.h hdb_asn1.h krb5-private.h parse_bytes.h sl.h
base64.h getarg.h hdb_err.h krb5-protos.h parse_time.h ss
com_err.h glob.h heim_err.h krb5-types.h parse_units.h vis.h
com_right.h gssapi.h ifaddrs.h krb5.h resolve.h xdbm.h
der.h hdb-private.h k524_err.h krb5_asn1.h roken-common.h
editline.h hdb-protos.h kadm5 krb5_err.h roken.h
err.h hdb.h kafs.h otp.h rtbl.h
serow# ls /usr/heimdal/lib
lib45.a libeditline.la libkadm5clnt.la libkrb5.la libsl.a
libasn1.a libgssapi.a libkadm5srv.a libotp.a libsl.la
libasn1.la libgssapi.la libkadm5srv.la libotp.la libss.a
libcom_err.a libhdb.a libkafs.a libroken.a libss.la
libcom_err.la libhdb.la libkafs.la libroken.la
libeditline.a libkadm5clnt.a libkrb5.a libsia_krb5.so
serow#



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

mmokrejs@natur.cuni.cz changed:

What       |Removed |Added
-----------|--------|------
OS/Version |Linux   |OSF/1





------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-05 18:59 -------
To be clear about the OpenSSL version, this is what openssh/configure says (and I
agree) :):

checking OpenSSL header version... 90702f (OpenSSL 0.9.7b 10 Apr 2003)
checking OpenSSL library version... 90702f (OpenSSL 0.9.7b 10 Apr 2003)
checking whether OpenSSL's headers match the library... yes
checking whether OpenSSL's PRNG is internally seeded... yes



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-05 19:49 -------
The snapshot can be compiled when the user removes -ldes from config.status and
reshuffles the libraries on the link command line:

cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o
sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o
auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o
kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o
auth-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib
-Lyes -L/usr/heimdal/lib -lssh -lopenbsd-compat -lwrap -lrt -lz
-L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
-lsecurity -ldb -lm -laud -lcrypto -lkrb5 -lcom_err -lasn1 -lroken
ld:
Unresolved:
DES_cbc_cksum
DES_cbc_encrypt
DES_pcbc_encrypt
RAND_write_file
RAND_file_name
UI_UTIL_read_pw_string
make: *** [sshd] Error 1
serow# cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o
sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o
auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o
kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o
auth-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib
-Lyes -L/usr/heimdal/lib -lssh -lopenbsd-compat -lwrap -lrt -lz
-L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
-lsecurity -ldb -lm -laud -lkrb5 -lcom_err -lasn1 -lroken -lcrypto
serow#

But, the binaries do even try to use my kerberos5 tickets at all (tested with
ssh -v).



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-05 20:11 -------
Arrgh,

- But, the binaries do even try to use my kerberos5 tickets at all (tested with
- ssh -v).
+ But, the binaries do NOT even try to use my kerberos5 tickets at all (tested
+ with ssh -v).



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-09 22:36 -------
The heimdal developers suggest using krb5-config instead of magic. The fallback
to magic in configure might be necessary, as the script is not always installed.
They say krb5-config also exists in the MIT kerberos5 version.

mokrejs@vrapenec$ krb5-config --libs gssapi
-L/usr/lib -lgssapi -lkrb5 -lasn1 -L/usr/athena/lib -ldes -lroken -lcrypt
mokrejs@vrapenec$ ls -la /usr/athena/lib/libdes*
-rw-r--r-- 1 root root 90978 Aug 26 02:58 /usr/athena/lib/libdes.a
-rwxr-xr-x 1 root root 697 Aug 26 02:58 /usr/athena/lib/libdes.la
mokrejs@vrapenec$ krb5-config --cflags
-I/usr/include -I/usr/athena/include
mokrejs@vrapenec$

The --cflags gives you the path used when, for example, kerberos4 support has
been compiled into kerberos5. Therefore, you always have to append the include
path to find where kerberos5 is installed (for example /usr/heimdal/include).

I believe you can ask heimdal developers for more info. ;)

From: Love <lha@stacken.kth.se>
Cc: heimdal-discuss@sics.se
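The two points made in this thread so far, the unconditional -ldes from the
original report and the krb5-config approach suggested here, as an added shell
example. This is not code from OpenSSH's configure nor from Heimdal; it assumes
a Heimdal-style layout under one prefix (include/, lib/, bin/krb5-config). The
function names, the fixture and the fake krb5-config (whose output is modelled
on the listing above, with the paths rewritten) are the example's own.

```shell
#!/bin/sh
# Added example, not OpenSSH's configure.ac nor Heimdal's krb5-config: work out
# the Kerberos preprocessor/linker flags the way the thread suggests.
#  1. Use krb5-config where it exists (the prefix's own copy first, then PATH).
#  2. Otherwise fall back to the "magic" list configure hard-codes for Heimdal.
#  3. Drop any -lNAME for which no libNAME.{a,so,la} exists in the -L dirs.
# Step 3 is the check the reported configure lacked: it linked -ldes even
# though a Heimdal built against OpenSSL ships no libdes.

# krb5_flags PREFIX [KRB5_CONFIG]  -> prints "CPPFLAGS|LIBS" on one line
krb5_flags() {
    prefix=$1
    cfg=$2
    if [ -z "$cfg" ]; then
        for c in "$prefix/bin/krb5-config" "$(command -v krb5-config 2>/dev/null || true)"; do
            if [ -n "$c" ] && [ -x "$c" ]; then cfg=$c; break; fi
        done
    fi
    if [ -n "$cfg" ] && [ -x "$cfg" ]; then
        cflags=$("$cfg" --cflags)
        libs=$("$cfg" --libs gssapi)
    else
        cflags=""
        libs="-lgssapi -lkrb5 -ldes -lcom_err -lasn1 -lroken"
    fi
    # --cflags may list only the tree Kerberos was built against (e.g. a krb4
    # /usr/athena), not the prefix itself, so always add the prefix's dirs.
    case " $cflags " in *" -I$prefix/include "*) ;; *) cflags="$cflags -I$prefix/include" ;; esac
    case " $libs " in *" -L$prefix/lib "*) ;; *) libs="-L$prefix/lib $libs" ;; esac
    printf '%s|%s\n' "${cflags# }" "$libs"
}

# prune_missing_libs LIBS -> LIBS without the -lNAME entries that no -L dir
# in LIBS can satisfy. A file-existence test is a heuristic; a real configure
# would do a link test (AC_CHECK_LIB), which also covers the default dirs.
prune_missing_libs() {
    dirs=""
    for w in $1; do
        case $w in -L*) dirs="$dirs ${w#-L}" ;; esac
    done
    out=""
    for w in $1; do
        case $w in
        -l*)
            name=${w#-l}
            found=0
            for d in $dirs; do
                for f in "$d/lib$name.a" "$d/lib$name.so" "$d/lib$name.la"; do
                    if [ -e "$f" ]; then found=1; fi
                done
            done
            if [ "$found" -eq 1 ]; then out="$out $w"; fi
            ;;
        *) out="$out $w" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Constructed fixture, not a real installation: a prefix whose lib/ holds the
# archives /usr/heimdal/lib had in the report (no libdes) and whose
# bin/krb5-config prints output modelled on the Heimdal one shown above.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/lib" "$fx/include" "$fx/bin"
    for l in gssapi krb5 asn1 roken com_err; do : > "$fx/lib/lib$l.a"; done
    cat > "$fx/bin/krb5-config" <<EOF
#!/bin/sh
case \$1 in
--cflags) printf '%s\n' "-I/usr/include -I$fx/include" ;;
--libs)   printf '%s\n' "-L$fx/lib -lgssapi -lkrb5 -lasn1 -lroken -lcrypt" ;;
esac
EOF
    chmod +x "$fx/bin/krb5-config"
    printf '%s\n' "$fx"
}

fx=$(make_fixture)
# krb5-config present: its own list, with the prefix dirs added.
krb5_flags "$fx"
# krb5-config absent: hard-coded list, then -ldes pruned because no libdes exists.
fallback=$(krb5_flags "$fx" /nonexistent | cut -d'|' -f2)
prune_missing_libs "$fallback"
rm -rf "$fx"
```

Run it with sh; the first output line is what krb5-config would have given
configure, the second is the hard-coded fallback with -ldes removed, which is
the link line the reporter ended up building by hand.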




------- Additional Comments From dtucker@zip.com.au 2003-09-10 14:24 -------
Created an attachment (id=396)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=396&action=view)
Try to use krb5-config where available

How's the attached patch? So far I've only tested configuring with MIT
kerberos but it seems to be OK.



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-10 20:31 -------
So I tested with heimdal and the latest openssh snapshot-10-09-03:

checking whether we are using Heimdal... yes
checking for library containing dn_expand... none required
checking for gss_init_sec_context in -lgssapi... yes
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... no
checking for gssapi_krb5.h... no

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
/usr/bin:/bin:/sbin:/usr/local/bin:/usr/local/sbin:/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/bin/X11:/usr/afs/bin:/usr/athena/bin:/usr/local/openssl/bin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
Manpage format: man
DNS support: no
PAM support: no
KerberosV support: yes
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: alphaev67-dec-osf5.1
Compiler: cc
Compiler flags: -O2 -arch ev56
Preprocessor flags: -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include -I/usr/heimdal/include
Linker flags: -L/usr/local/openssl/lib -Lyes -L/usr/heimdal/lib
Libraries: -lwrap -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto
-L/usr/heimdal/lib -lgssapi -lkrb5 -lasn1 -lcrypto -lroken -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib


I can compile fine but the produced binaries do not use kerberos:

serow# ./ssh -v -l mokrejs serow -p 8888
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to serow [146.107.217.72] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'serow' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
mokrejs@serow's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Tue Sep 9 22:47:01 MEST 2003 from sheep1.gsf.de
Compaq Tru64 UNIX V5.1A (Rev. 1885); Fri Dec 6 18:07:50 MET 2002
Tru64 UNIX German Support V5.1A (rev. 168)
Tru64 UNIX Czech Support V5.1A (rev. 168)
Tru64 UNIX Polish Support V5.1A (rev. 168)
Tru64 UNIX Russian Support V5.1A (rev. 168)
Tru64 UNIX Slovak Support V5.1A (rev. 168)
Tru64 UNIX Spanish Support V5.1A (rev. 168)
Tru64 UNIX Swedish Support V5.1A (rev. 168)


serow$ logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to serow closed.
debug1: Transferred: stdin 0, stdout 0, stderr 29 bytes in 2.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 13.6
debug1: Exit status 0
serow# ./ssh -v -l mokrejs serow -p 8888 -1
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to serow [146.107.217.72] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.7p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'serow' is known and matches the RSA1 host key.
debug1: Found key in /.ssh/known_hosts:13
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
mokrejs@serow's password:
debug1: Requesting pty.
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Wed Sep 10 12:07:44 MEST 2003 from serow.gsf.de
Compaq Tru64 UNIX V5.1A (Rev. 1885); Fri Dec 6 18:07:50 MET 2002
Tru64 UNIX German Support V5.1A (rev. 168)
Tru64 UNIX Czech Support V5.1A (rev. 168)
Tru64 UNIX Polish Support V5.1A (rev. 168)
Tru64 UNIX Russian Support V5.1A (rev. 168)
Tru64 UNIX Slovak Support V5.1A (rev. 168)
Tru64 UNIX Spanish Support V5.1A (rev. 168)
Tru64 UNIX Swedish Support V5.1A (rev. 168)

serow$



I remember openssh used to use kerberos only in protocol one, and there used to
be a patch from Jan Iven that actually allowed kerberos to be used also in
protocol two. It seems those patches have been totally backed out with the
removal of krb4. BTW, I still see krb4 in the configure.

So, with the above patch, ssh and sshd are created as:

cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o
sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib -Lyes
-L/usr/heimdal/lib -lssh -lopenbsd-compat -lrt -lz -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm
-laud -lcrypto -L/usr/heimdal/lib -lgssapi -lkrb5 -lasn1 -lcrypto -lroken
-L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o
sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o
auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o
kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o
auth-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib
-Lyes -L/usr/heimdal/lib -lssh -lopenbsd-compat -lwrap -lrt -lz
-L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
-lsecurity -ldb -lm -laud -lcrypto -L/usr/heimdal/lib -lgssapi -lkrb5 -lasn1
-lcrypto -lroken -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib

I remember there have been problems with the order of libs which prevented
kerberos from being used; also, crypt() from libc used to override the one from
libcrypto. I believe you can find the reports in the email archives of openssh;
look for reporters from "natur.cuni.cz".


This is how it should look:

mmokrejs@prfdec$ kauth mmokrejs
mmokrejs@NATUR.CUNI.CZ's Password:
mmokrejs@prfdec$ ssh -v -1 www
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug1: /usr/local/etc/ssh_config line 70: Deprecated option "UseRsh"
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to www [195.113.56.1] port 22.
debug1: Connection established.
debug1: identity file /usr/home3/mmokrejs/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'www' is known and matches the RSA1 host key.
debug1: Found key in /usr/home3/mmokrejs/.ssh/known_hosts:25
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v4 authentication.
debug1: Kerberos v4 authentication accepted.
debug1: Kerberos v4 challenge successful.
debug1: Requesting compression at level 9.
debug1: Enabling compression at level 9.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting shell.
debug1: Entering interactive session.
Last successful login for mmokrejs: Wed Sep 10 11:10:57 CEST 2003 from
sheep1.gsf.de
Last unsuccessful login for mmokrejs: Thu Aug 28 08:54:23 CEST 2003 from
sheep1.gsf.de

Compaq Tru64 UNIX V5.1A (Rev. 1885); Tue Aug 12 21:09:54 CEST 2003

mmokrejs@prfdec$ logout
Connection to www closed.
debug1: Transferred: stdin 1, stdout 408, stderr 27 bytes in 43.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 9.5, stderr 0.6
debug1: Exit status 0
debug1: compress outgoing: raw data 212, compressed 210, factor 0.99
debug1: compress incoming: raw data 440, compressed 348, factor 0.79
mmokrejs@prfdec$


This installation was created by David Komanek



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-10 20:52 -------
I tried the patch from http://www.sxw.org.uk/computing/patches/openssh.html with
openssh-3.6p1 with the same configure command line:

checking whether we are using Heimdal... yes
checking for dn_expand in -lresolv... yes
checking for gss_init_sec_context in -lgssapi... no
checking for gss_init_sec_context in -lgssapi_krb5... no
configure: WARNING: Cannot find any suitable gss-api library - build may fail
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... no
checking for gssapi_krb5.h... no
configure: WARNING: AFS requires Kerberos IV support, build may fail


OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
/usr/bin:/bin:/sbin:/usr/local/bin:/usr/local/sbin:/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/bin/X11:/usr/afs/bin:/usr/athena/bin:/usr/local/openssl/bin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
Manpage format: man
PAM support: no
KerberosIV support: no
KerberosV support: yes
Smartcard support: no
AFS support: yes
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: alphaev67-dec-osf5.1
Compiler: cc
Compiler flags: -O2 -arch ev56
Preprocessor flags: -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include -I/usr/afsws/include
Linker flags: -L/usr/local/openssl/lib -Lyes -L/usr/heimdal/lib
-L/usr/afsws/lib
Libraries: -lwrap -lkafs -lresolv -lrt -lz -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm
-laud -lcrypto -lkrb5 -ldes -lcom_err -lasn1 -lroken

Well, this expects krb5 to be compiled with the fallback to krb4 and with
libdes built (i.e. -ldes has to override symbols from -lcrypto).



------- Additional Comments From dtucker@zip.com.au 2003-09-10 21:00 -------
I've built the current CVS tree with patch id=396 and Heimdal (0.6) and one
thing I noticed is different:
debug3: preferred gssapi,publickey,keyboard-interactive,password

What happens if you try "ssh -o PreferredAuthentication=gssapi" ?



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-10 21:08 -------
$ head ChangeLog
20030909
- (tim) [regress/Makefile] Fixes for building outside of a read-only
source tree.

20030908
- (tim) [configure.ac openbsd-compat/getrrsetbyname.c] wrap _getshort and
_getlong in #ifndef
- (tim) [configure.ac acconfig.h openbsd-compat/getrrsetbyname.c] test for
HEADER.ad in arpa/nameser.h
- (tim) [ssh-keygen.c] s/PATH_MAX/MAXPATHLEN/ ok mouring@
$ ./ssh -o PreferredAuthentication=gssapi -p 8888
command-line: line 0: Bad configuration option: PreferredAuthentication
$



------- Additional Comments From dtucker@zip.com.au 2003-09-10 21:12 -------
Sorry, typo, make that "ssh -o PreferredAuthentications=gssapi" (note trailing "s")



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-10 21:18 -------
No way ...

$ ./ssh -o PreferredAuthentications=gssapi -p 8888
Usage: ssh [options] host [command]
Options:
-l user Log in using this user name.
-n Redirect input from /dev/null.
-F config Config file (default: ~/.ssh/config).
-A Enable authentication agent forwarding.
-a Disable authentication agent forwarding (default).
-X Enable X11 connection forwarding.
-x Disable X11 connection forwarding (default).
-i file Identity for public key authentication (default: ~/.ssh/identity)
-t Tty; allocate a tty even if command is given.
-T Do not allocate a tty.
-v Verbose; display verbose debugging messages.
Multiple -v increases verbosity.
[cut]




------- Additional Comments From dtucker@zip.com.au 2003-09-12 19:03 -------
Could you please elaborate on "No way.."?



------- Additional Comments From markus@openbsd.org 2003-09-12 19:37 -------
$ ./ssh -o PreferredAuthentications=gssapi -p 8888
Usage: ssh [options] host [command]

^^^^^

the command line is missing the hostname.



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-16 02:19 -------
It seems my response did not make it into bugzilla .... :(
Here's the output from the binary made on Sep 10.

# ./ssh -o PreferredAuthentications=gssapi -p 8888 -v -v -v 127.0.0.1
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7p1
debug1: match: OpenSSH_3.7p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 119/256
debug2: bits set: 1625/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug3: check_host_in_hostfile: match line 15
debug1: Host '127.0.0.1' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:15
debug2: bits set: 1574/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/identity (0)
debug2: key: /.ssh/id_rsa (0)
debug2: key: /.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
debug1: Calling cleanup 0x12006fab0(0x0)
#



------- Additional Comments From dtucker@zip.com.au 2003-09-16 11:41 -------
This bit from the debug output, "debug1: Authentications that can continue:
publickey,password,keyboard-interactive", looks like GSSAPI is not enabled on
the server side. Do you have "GSSAPIAuthentication yes" in the server's config?
It defaults to "no".

From "man sshd_config":
GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
The default is ``no''. Note that this option applies to protocol
version 2 only.



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-16 19:33 -------
I decided to reinstall heimdal and openssh again, both with latest snapshots.
With openssh-SNAP-20030916.tar.gz I see:

$ ./configure --prefix=/usr/local --with-tcp-wrappers
--with-ssl-dir=/software/@sys/usr/openssl --with-prngd-socket=/var/run/egd-pool
--with-default-path=/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/afs/bin:/software/@sys/usr/openssl/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/sbin:/usr/sbin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
--with-xauth=/usr/bin/X11/xauth --with-zlib --with-osfsia
--with-login=/usr/bin/login --with-privsep --with-afs=/usr/afsws
--with-kerberos5=/usr/heimdal
$make
[...]
$ cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o
sshconnect2.o -L. -Lopenbsd-compat/ -L/software/@sys/usr/openssl/lib -Lyes
-L/usr/heimdal/lib -lssh -lopenbsd-compat -lrt -lz -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm
-laud -lcrypto -lkrb5 -ldes -lcom_err -lasn1 -lroken
ld:
Can't locate file for: -ldes
make: *** [ssh] Error 1
$ cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o
sshconnect2.o -L. -Lopenbsd-compat/ -L/software/@sys/usr/openssl/lib -Lyes
-L/usr/heimdal/lib -lssh -lopenbsd-compat -lrt -lz -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm
-laud -lcrypto -lkrb5 -lcom_err -lasn1 -lroken
$

So I see configure still tries to guess which libraries are needed for KerberosV.


sshd has to be linked with -lcrypto as the very last library, not as it is currently set:

cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o
sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o
auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o
kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o
auth-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/
-L/software/@sys/usr/openssl/lib -Lyes -L/usr/heimdal/lib -lssh
-lopenbsd-compat -lwrap -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto -lkrb5
-lcom_err -lasn1 -lroken
ld:
Unresolved:
DES_cbc_cksum
DES_cbc_encrypt
DES_pcbc_encrypt
RAND_write_file
RAND_file_name
UI_UTIL_read_pw_string
make: *** [sshd] Error 1


Running "make test" gives:

ssh-keygen -if /usr/local/scratch/openssh/regress/dsa_ssh2.pub >
/usr/local/scratch/openssh/regress//t6.out2
chmod 600 /usr/local/scratch/openssh/regress//t6.out1
ssh-keygen -yf /usr/local/scratch/openssh/regress//t6.out1 | diff -
/usr/local/scratch/openssh/regress//t6.out2
ssh-keygen -q -t rsa -N '' -f /usr/local/scratch/openssh/regress//t7.out
ssh-keygen -lf /usr/local/scratch/openssh/regress//t7.out > /dev/null
ssh-keygen -Bf /usr/local/scratch/openssh/regress//t7.out > /dev/null
run test connect.sh ...
Connection closed by 127.0.0.1
ssh connect with protocol 1 failed
Connection closed by 127.0.0.1
ssh connect with protocol 2 failed
failed simple connect
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/usr/local/scratch/openssh/regress'
make: *** [tests] Error 2


I've deleted the ssh*config files and edited the newly installed versions again.
Could you please improve the comments in the sshd_config template so that it is clear
that "Kerberos options" refer to Kerberos IV only and that "GSSAPI options"
refer only to Kerberos V? ;)


# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes



And, I tried to start sshd but get:

# ./sshd -p 8888
/usr/local/etc/sshd_config line 66: Unsupported option GSSAPIAuthentication
/usr/local/etc/sshd_config line 67: Unsupported option GSSAPICleanupCreds
#



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-16 19:39 -------
I forgot to include how openssh-SNAP-20030916 got configured:

checking whether we are using Heimdal... yes
checking for library containing dn_expand... none required
checking for gss_init_sec_context in -lgssapi... no
checking for gss_init_sec_context in -lgssapi_krb5... no
configure: WARNING: Cannot find any suitable gss-api library - build may fail
checking for gssapi.h... yes
checking for gssapi_krb5.h... no


config.h contains:


/* Define this is you want GSSAPI support in the version 2 protocol */
/* #undef GSSAPI */

/* Define if you want Kerberos 5 support */
#define KRB5 1

/* Define this if you are using the Heimdal version of Kerberos V5 */
#define HEIMDAL 1

/* Define if you want S/Key support */
/* #undef SKEY */

/* Define if you want TCP Wrappers support */
#define LIBWRAP 1



OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/afs/bin:/software/@sys/usr/openssl/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/sbin:/usr/sbin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
Manpage format: man
DNS support: no
PAM support: no
KerberosV support: yes
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: alphaev67-dec-osf5.1
Compiler: cc
Compiler flags: -O2 -arch ev56
Preprocessor flags: -I/software/@sys/usr/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include
Linker flags: -L/software/@sys/usr/openssl/lib -Lyes -L/usr/heimdal/lib
Libraries: -lwrap -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto -lkrb5
-ldes -lcom_err -lasn1 -lroken



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-16 19:49 -------
So I've defined GSSAPI in config.h. To get things compiled, I had to put
-lgssapi in front of -lkrb5 and again put -lcrypto at the end of the linker command line.

Then, I get:

serow# ./ssh -o PreferredAuthentications=gssapi -p 8888 -v -v -v serow -1
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to serow [146.107.217.72] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7p1
debug1: match: OpenSSH_3.7p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.7p1
debug1: Waiting for server public key.
Connection closed by 146.107.217.72
debug1: Calling cleanup 0x1200708d0(0x0)
serow# ./ssh -o PreferredAuthentications=gssapi -p 8888 -v -v -v serow
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to serow [146.107.217.72] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7p1
debug1: match: OpenSSH_3.7p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug1: SSH2_MSG_KEXINIT sent
Connection closed by 146.107.217.72
debug1: Calling cleanup 0x1200708d0(0x0)
serow#

I guess the server crashes somewhere.



------- Additional Comments From mmokrejs@natur.cuni.cz 2003-09-18 05:13 -------
I had to edit config.h to get it working with password authentication by setting
these manually (the first 3 are platform specific and already in another bug report;
the last is the bug reported here):

/* Define if your platform breaks doing a seteuid before a setuid */
#define SETEUID_BREAKS_SETUID

/* Define if your setreuid() is broken */
#define BROKEN_SETREUID

/* Define if your setregid() is broken */
#define BROKEN_SETREGID

/* Define this is you want GSSAPI support in the version 2 protocol */
#define GSSAPI



Unfortunately, the GSSAPI bug is still present. To summarize: I have set the two
GSS* options in sshd_config, I have compiled with heimdal, and I have defined GSSAPI in
config.h. Then I get:

$ ssh -o PreferredAuthentications=gssapi -v -v -v -l mokrejs -p 443 serow
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060af
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to serow [146.107.217.72] port 443.
debug1: Connection established.
debug1: identity file /home/mokrejs/.ssh/identity type 0
debug1: identity file /home/mokrejs/.ssh/id_rsa type 0
debug3: Not a RSA1 key file /home/mokrejs/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/mokrejs/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p1
debug1: match: OpenSSH_3.7.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 1613/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mokrejs/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 24
debug3: check_host_in_hostfile: filename /home/mokrejs/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 24
debug1: Host 'serow' is known and matches the RSA host key.
debug1: Found key in /home/mokrejs/.ssh/known_hosts:24
debug2: bits set: 1585/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi,password,keyboard-interactive
debug3: start over, passed a different list
publickey,gssapi,password,keyboard-interactive
debug3: preferred gssapi
debug3: authmethod_lookup gssapi
debug3: remaining preferred:
debug2: Unrecognized authentication method name: gssapi
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi,password,keyboard-interactive).
debug1: Calling cleanup 0x8062440(0x0)
$

# ./sshd -p 443 -D -d -d -d -d
debug2: read_server_config: filename /usr/local/etc/sshd_config
debug1: sshd version OpenSSH_3.7.1p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 443 on 0.0.0.0.
Server listening on 0.0.0.0 port 443.
Generating 768 bit RSA key.
RSA key generation complete.

debug1: Server will not fork when running in debugging mode.
Connection from 146.107.217.207 port 34118
debug1: Client protocol version 2.0; client software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.7.1p1
debug2: Network child is on pid 40616
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 15:22
debug1: permanently_set_uid: 15/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 146/256
debug2: bits set: 1585/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1613/3191
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 14005b0e0(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user mokrejs service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for mokrejs
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: Trying to reverse map address 146.107.217.207.
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for mokrejs from 146.107.217.207 port 34118 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for mokrejs from 146.107.217.207 port 34118 ssh2
Connection closed by 146.107.217.207
debug1: Calling cleanup 0x120082de0(0x0)
#



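The two client-side failures in this thread have different causes that the same debug lines reveal: in the 2003-09-16 run the server simply did not offer gssapi (dtucker's point, since GSSAPIAuthentication defaults to no), while in the 2003-09-18 run the server offered it but the OpenSSH_3.6.1p2 client did not know the method ("Unrecognized authentication method name: gssapi"). The following triage helper is an added example, not code from the bug thread or from OpenSSH; it parses `ssh -vvv` output and separates the two cases. The two sample logs are constructed from the kinds of lines quoted above, and the function and result names are my own.

```python
"""Triage helper for `ssh -vvv` userauth debug output.

Added example (not part of the bug thread or of OpenSSH). It reads the
client-side debug lines and explains why a method named in
PreferredAuthentications was never attempted.
"""
import re

# Lines as printed by the OpenSSH 3.x client during userauth negotiation.
OFFERED_RE = re.compile(r"Authentications that can continue:\s*(\S+)")
PREFERRED_RE = re.compile(r"debug3: preferred (\S+)")
UNRECOGNIZED_RE = re.compile(r"Unrecognized authentication method name: (\S+)")


def parse_ssh_debug(lines):
    """Return (offered, preferred, unrecognized) method-name lists.

    offered      - what the server advertised ("Authentications that can continue")
    preferred    - what the client still intends to try ("debug3: preferred ...")
    unrecognized - methods the client build does not implement at all
    """
    offered, preferred, unrecognized = [], [], []
    for line in lines:
        m = OFFERED_RE.search(line)
        if m:
            offered = m.group(1).split(",")
            continue
        m = PREFERRED_RE.search(line)
        if m:
            preferred = m.group(1).split(",")
            continue
        m = UNRECOGNIZED_RE.search(line)
        if m:
            unrecognized.append(m.group(1))
    return offered, preferred, unrecognized


def diagnose(lines):
    """Return (cause_code, detail) for the first preferred method that failed.

    cause codes (names chosen for this example):
      client-unsupported  - the client binary lacks the method (rebuild client)
      server-not-offering - the server never advertised it (check sshd_config)
      ok                  - every preferred method was offered and understood
    """
    offered, preferred, unrecognized = parse_ssh_debug(lines)
    for method in preferred:
        if method in unrecognized:
            return "client-unsupported", f"client build has no '{method}' method"
        if method not in offered:
            return "server-not-offering", (
                f"server did not offer '{method}'; offered: {','.join(offered)}")
    return "ok", "preferred method(s) offered and understood"


# Constructed sample: server built without GSSAPI or GSSAPIAuthentication=no.
SERVER_NOT_OFFERING = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
""".splitlines()

# Constructed sample: server offers gssapi, but the client binary predates it.
CLIENT_UNSUPPORTED = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi,password,keyboard-interactive
debug3: preferred gssapi
debug3: authmethod_lookup gssapi
debug3: remaining preferred:
debug2: Unrecognized authentication method name: gssapi
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi,password,keyboard-interactive).
""".splitlines()


if __name__ == "__main__":
    for name, log in (("2003-09-16 run", SERVER_NOT_OFFERING),
                      ("2003-09-18 run", CLIENT_UNSUPPORTED)):
        code, detail = diagnose(log)
        print(f"{name}: {code}: {detail}")
```

Feed it a real capture with `ssh -vvv ... 2>&1 | python3 triage.py` style piping by reading `sys.stdin`; the `preferred` line is only printed at `-vvv`, so lower verbosity yields no diagnosis.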