Mailing List Archive: OpenSSH: Dev

gssapi not enabled

 

 



tcreedon at easystreet

Apr 3, 2009, 3:55 PM

Post #1 of 9 (1076 views)
gssapi not enabled

I'm trying to get gssapi-with-mic to work but the enabled field in the
method struct is disabled, i.e.

The gssapi-with-mic enable field is not enabled in the *method struct; it
fails at:

if (authmethod_is_enabled(method))

in the authmethod_is_enabled(method) function call

using ddd, OpenSSH 5.2p1, Linux 2.6.22.5-31 (SuSE 10.2)

Question - what enables gssapi-with-mic?

Thanks

tedc
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


sxw at inf

Apr 3, 2009, 4:05 PM

Post #2 of 9 (1032 views)
Re: gssapi not enabled [In reply to]

On 3 Apr 2009, at 23:55, Ted Creedon wrote:
>
> Questiion - what enables gssapi-with-mic?

The GSSAPIAuthentication configuration directive. See the ssh_config
man page.

S.



tcreedon at easystreet

Apr 3, 2009, 4:29 PM

Post #3 of 9 (1031 views)
Re: gssapi not enabled [In reply to]

sshd_config and ssh_config:

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

ssh -vvvv -o PreferredAuthentications=gssapi-with-mic localhost

debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list
publickey,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-with-mic
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred:
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password,keyboard-interactive).


When I troubleshoot using DDD I find that the gssapi-with-mic enable field
is off when the client checks it.

I'm trying to find where it's set.



Jason.C.Burns at wellsfargo

Apr 3, 2009, 4:57 PM

Post #4 of 9 (1033 views)
RE: gssapi not enabled [In reply to]

Perhaps you are missing the '--with-kerberos5=<path to krb5 or gssapi
lib>' compile time option?

Jason Burns
Information Security Technology
Cryptography Services -> Secure Communications and Data Encryption
UnixSecure Lead Engineer



tcreedon at easystreet

Apr 3, 2009, 5:15 PM

Post #5 of 9 (1032 views)
Re: gssapi not enabled [In reply to]

It looks like it's all there.


./configure --with-ldflags="-L/usr/lib64" --with-cflags="-ggdb3" --prefix=/ \
--exec-prefix=/usr --libdir=/usr/lib64 --datadir=/usr --sysconfdir=/etc/ \
--with-ssl-engine --with-pam --with-rand-helper --with-kerberos5 \
--with-md5-passwords --with-libedit=/usr/lib64 --with-tcp-wrappers \
--disable-strip

checking for gss_init_sec_context in -lgssapi_krb5... yes
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... no
checking for gssapi_krb5.h... no
checking for gssapi.h... (cached) yes
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking for gssapi_krb5.h... (cached) no
checking gssapi/gssapi_krb5.h usability... yes
checking gssapi/gssapi_krb5.h presence... yes
checking for gssapi/gssapi_krb5.h... yes
checking gssapi_generic.h usability... no
checking gssapi_generic.h presence... no
checking for gssapi_generic.h... no
checking gssapi/gssapi_generic.h usability... yes
checking gssapi/gssapi_generic.h presence... yes
checking for gssapi/gssapi_generic.h... yes
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/
Askpass program: /usr/libexec/ssh-askpass
Manual pages: //share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: yes
SELinux support: no
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: yes
libedit support: yes
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: ssh-rand-helper
ssh-rand-helper collects from: Command hashing (timeout 200)

Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset
-fstack-protector-all -std=gnu99 -ggdb3
Preprocessor flags: -I/usr/lib64/include -I/usr/local/include
Linker flags: -L/usr/lib64/lib -fstack-protector-all -L/usr/lib64
-L/usr/local/lib
Libraries: -lcrypto -lutil -lz -lnsl -lcrypt -lresolv -lresolv
-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
+for sshd: -lwrap -lpam -ldl






sxw at inf

Apr 3, 2009, 5:26 PM

Post #6 of 9 (1028 views)
Re: gssapi not enabled [In reply to]

On 4 Apr 2009, at 00:29, Ted Creedon wrote:

> sshd_conf aaadn ssh_conf
>
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> ssh -vvvv -o PreferredAuthentications=gssapi-with-mic localhost

Do you have a key in your KDC for host/localhost? (I suspect not, and
you don't want one either.)

Kerberos has to be done against real addresses, which resolve to
hostnames for which entries have been created in your KDC and
populated in your server's keytab.

Cheers,

Simon.

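Two things the replies above ask the reader to check are easy to get wrong by eye: whether the client ever attempted gssapi-with-mic (the transcript in post #3 shows the method being looked up but never tried), and whether the server's keytab carries a key for the real, resolvable hostname rather than host/localhost. The following is an added example, not code from the thread or from OpenSSH: it parses a constructed `ssh -vvv` transcript modelled on post #3 and a constructed `klist -k` listing. The hostname geronimo.example.com and the realm EXAMPLE.COM are assumptions for the sample.

```python
import re

# Constructed sample modelled on the thread's
# `ssh -vvvv -o PreferredAuthentications=gssapi-with-mic localhost` output:
# the server offers gssapi-with-mic, the client looks the method up, but no
# "Next authentication method: gssapi-with-mic" line ever follows.
SAMPLE_SSH_DEBUG = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-with-mic
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred:
debug1: No more authentication methods to try.
"""

# Constructed sample of `klist -k /etc/krb5.keytab` output holding only a
# host/localhost key (realm EXAMPLE.COM is an assumption).
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/localhost@EXAMPLE.COM
   3 host/localhost@EXAMPLE.COM
"""


def analyse_ssh_debug(text):
    """Classify auth methods seen in ssh -v output: offered by the server,
    looked up by the client, and actually attempted (ssh announces an attempt
    with 'Next authentication method: <name>')."""
    offered, looked_up, attempted = set(), [], []
    for line in text.splitlines():
        m = re.search(r"Authentications that can continue: (\S+)", line)
        if m:
            offered.update(m.group(1).split(","))
        m = re.search(r"authmethod_lookup (\S+)", line)
        if m:
            looked_up.append(m.group(1))
        m = re.search(r"Next authentication method: (\S+)", line)
        if m:
            attempted.append(m.group(1))
    # Offered by the server and looked up by the client, yet never attempted:
    # the method is disabled on the client side (build or configuration),
    # not rejected by the server.
    skipped = [meth for meth in looked_up
               if meth in offered and meth not in attempted]
    return {"offered": sorted(offered), "looked_up": looked_up,
            "attempted": attempted, "skipped_by_client": skipped}


def keytab_host_principals(listing):
    """Distinct host/... principals from klist -k output, in order of appearance."""
    found = []
    for princ in re.findall(r"^\s*\d+\s+(host/\S+)", listing, re.M):
        if princ not in found:
            found.append(princ)
    return found


def check_host_principal(listing, fqdn, realm):
    """Problems that stop GSSAPI host authentication for fqdn: the expected
    host/<fqdn>@REALM key is missing, or the keys present are for a name such
    as localhost that no client will ever request a service ticket for."""
    principals = keytab_host_principals(listing)
    expected = f"host/{fqdn}@{realm}"
    problems = []
    if expected not in principals:
        problems.append(f"keytab has no key for {expected}")
    for princ in principals:
        host = princ[len("host/"):].split("@", 1)[0]
        if host in ("localhost", "127.0.0.1") or "." not in host:
            problems.append(
                f"{princ} is not a fully qualified, resolvable service name")
    return problems


if __name__ == "__main__":
    print(analyse_ssh_debug(SAMPLE_SSH_DEBUG))
    print(check_host_principal(SAMPLE_KEYTAB_LISTING,
                               "geronimo.example.com", "EXAMPLE.COM"))
```

On real systems feed `analyse_ssh_debug` the stderr of `ssh -vvv` and `check_host_principal` the output of `klist -k`, with the fqdn taken from what the client's target name actually resolves to, since that is the name the KDC will be asked for.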


tcreedon at easystreet

Apr 3, 2009, 5:40 PM

Post #7 of 9 (1030 views)
Re: gssapi not enabled [In reply to]

It's not getting that far. It's not trying to contact the krb5kdc; it bombs
out on the enabled switch.

I think the problem may be in the compilation. I'm adding some includes but
I can't get it to find krb5-config.

checking for krb5-config... no
checking whether we are using Heimdal... no
checking for library containing dn_expand... (cached) no
checking for gss_init_sec_context in -lgssapi_krb5... yes
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi_krb5.h usability... yes
checking gssapi_krb5.h presence... no
configure: WARNING: gssapi_krb5.h: accepted by the compiler, rejected by the
preprocessor!
configure: WARNING: gssapi_krb5.h: proceeding with the compiler's result
checking for gssapi_krb5.h... yes
checking for gssapi.h... (cached) yes
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking for gssapi_krb5.h... (cached) yes
checking gssapi/gssapi_krb5.h usability... yes
checking gssapi/gssapi_krb5.h presence... yes
checking for gssapi/gssapi_krb5.h... yes
checking gssapi_generic.h usability... yes
checking gssapi_generic.h presence... no
configure: WARNING: gssapi_generic.h: accepted by the compiler, rejected by
the preprocessor!
configure: WARNING: gssapi_generic.h: proceeding with the compiler's result
checking for gssapi_generic.h... yes
checking gssapi/gssapi_generic.h usability... yes
checking gssapi/gssapi_generic.h presence... yes
checking for gssapi/gssapi_generic.h... yes




Jason.C.Burns at wellsfargo

Apr 3, 2009, 5:45 PM

Post #8 of 9 (1032 views)
RE: gssapi not enabled [In reply to]

> I think the problem may be in the compilation - I'm adding some
> includes but
> I can't get it to find krb5-config


Wherever you set --with-kerberos5 to, it looks in <dir>/bin/ for
krb5-config, which it then uses to configure where to find libs, etc.

J




tcreedon at easystreet

Apr 3, 2009, 6:42 PM

Post #9 of 9 (1029 views)
Re: gssapi not enabled [In reply to]

Progress! Now getting auth failures! krb5-config is now found!

I'm using Russ Allbery's PAM modules pam_krb5 and pam_afs_session.

Not quite sure what to do next... Looks like the problem is in the PAM
stack.

/etc/pam.d/sshd is:
auth required /lib64/security/pam_unix.so shadow nodelay
auth required /lib64/security/pam_nologin.so
account required /lib64/security/pam_unix.so
password required /lib64/security/pam_cracklib.so
password required /lib64/security/pam_unix.so shadow nullok use_authtok
session required /lib64/security/pam_unix.so
session required /lib64/security/pam_limits.so
session optional /usr/local/lib/security/pam_krb5.so
session optional /usr/local/lib64/security/pam_afs_session.so

/var/log/messages:
Apr 3 18:25:44 geronimo sshd[13595]: debug3: monitor_read: checking request
3
Apr 3 18:25:44 geronimo sshd[13595]: debug3: mm_answer_authserv:
service=ssh-connection, style=
Apr 3 18:25:44 geronimo sshd[13595]: debug2: monitor_read: 3 used once,
disabling now
Apr 3 18:25:44 geronimo sshd[13595]: debug3: mm_request_receive entering
Apr 3 18:25:44 geronimo sshd[13595]: debug3: monitor_read: checking request
10
Apr 3 18:25:44 geronimo sshd[13595]: debug1: temporarily_use_uid: 0/0
(e=0/0)
Apr 3 18:25:44 geronimo krb5kdc[9241]: AS_REQ (12 etypes {18 17 16 23 1 3 2
11 10 15 12 13}) 71.236.188.74: ISSUE: authtime 1238808344, etypes {rep=16
tkt=1 ses=16}, me_user [at] SERVER for krbtgt/SERVER.COM [at] SERVER
Apr 3 18:25:44 geronimo syslog-ng[2290]: last message repeated 2 times
Apr 3 18:25:44 geronimo sshd[13595]: debug1: restore_uid: 0/0
Apr 3 18:25:44 geronimo sshd[13595]: debug1: Kerberos password
authentication failed: Input/output error
Apr 3 18:25:44 geronimo sshd[13595]: debug1: krb5_cleanup_proc called
Apr 3 18:25:45 geronimo sshd[13595]: debug3: PAM: sshpam_passwd_conv called
with 1 messages
Apr 3 18:25:45 geronimo sshd[13595]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xx.xx.xx4
user=me_user
Apr 3 18:25:45 geronimo sshd[13595]: debug1: PAM: password authentication
failed for me_user: Authentication failure
Apr 3 18:25:45 geronimo sshd[13595]: debug3: mm_answer_authpassword:
sending result 0
Apr 3 18:25:45 geronimo sshd[13595]: debug3: mm_request_send entering: type
11
Apr 3 18:25:45 geronimo sshd[13595]: Failed none for me_user from
71.236.188.74 port 60039 ssh2
Apr 3 18:25:45 geronimo sshd[13595]: debug3: mm_request_receive entering
Apr 3 18:25:45 geronimo sshd[13595]: debug1: do_cleanup
Apr 3 18:25:45 geronimo sshd[13595]: debug1: PAM: cleanup
Apr 3 18:25:45 geronimo sshd[13595]: debug3: PAM: sshpam_thread_cleanup
entering
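The pam.d stack posted above is short enough to read by hand, but the question it raises (which modules actually run in the auth phase, and which are registered only for session) is one a reviewer usually answers with a parser rather than by eye. This is an added example, not code from the thread or from the pam_krb5 project: it parses a constructed /etc/pam.d/sshd in the shape of the one posted, reports the modules per phase, and handles the bracketed control syntax (`[success=1 default=ignore]`) and the leading `-` marker that modern pam.d files use.

```python
# Constructed sample modelled on the /etc/pam.d/sshd posted in the thread:
# pam_krb5 and pam_afs_session appear only in the session phase.
SAMPLE_PAM_SSHD = """\
# constructed sample, not the poster's file
auth     required /lib64/security/pam_unix.so shadow nodelay
auth     required /lib64/security/pam_nologin.so
account  required /lib64/security/pam_unix.so
password required /lib64/security/pam_cracklib.so
password required /lib64/security/pam_unix.so shadow nullok use_authtok
session  required /lib64/security/pam_unix.so
session  required /lib64/security/pam_limits.so
session  optional /usr/local/lib/security/pam_krb5.so
session  optional /usr/local/lib64/security/pam_afs_session.so
"""

PHASES = ("auth", "account", "password", "session")


def parse_pam_stack(text):
    """Parse pam.d lines into {phase: [(control, module, args)]}.

    Handles '#' comments, the bracketed control field form
    '[success=1 default=ignore]' (which contains spaces) and the leading '-'
    that tells PAM not to log a missing module. Module paths are reduced to
    their basename so the same module is comparable across directories."""
    stack = {phase: [] for phase in PHASES}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        phase = tokens[0].lstrip("-")
        if phase not in stack or len(tokens) < 3:
            continue
        if tokens[1].startswith("["):
            end = 1
            while not tokens[end].endswith("]"):
                end += 1
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if not rest:
            continue
        module = rest[0].rsplit("/", 1)[-1]
        stack[phase].append((control, module, rest[1:]))
    return stack


def modules_in(stack, phase):
    """Module basenames registered for one phase, in stack order."""
    return [module for _, module, _ in stack[phase]]


def phases_using(stack, module):
    """Phases in which a given module basename is registered."""
    return [phase for phase in PHASES if module in modules_in(stack, phase)]


def auth_phase_report(stack):
    """Which modules decide the auth phase, and which modules are present in
    the file but never consulted during auth."""
    auth = modules_in(stack, "auth")
    elsewhere = {m for ph in PHASES if ph != "auth" for m in modules_in(stack, ph)}
    return {"auth_modules": auth, "not_in_auth": sorted(elsewhere - set(auth))}


if __name__ == "__main__":
    parsed = parse_pam_stack(SAMPLE_PAM_SSHD)
    print(auth_phase_report(parsed))
    print("pam_krb5.so phases:", phases_using(parsed, "pam_krb5.so"))
```

For the sample stack the report lists pam_unix and pam_nologin as the only auth-phase modules and puts pam_krb5 and pam_afs_session in the not-in-auth set, which is the fact the poster's "problem is in the PAM stack" remark turns on; run it over the real file with `parse_pam_stack(open("/etc/pam.d/sshd").read())`.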
