bugzilla-daemon at mindrot.org
2003-Sep-05 08:47 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
Summary: openssh-SNAP-20030903: configure does not work well with
heimdal(krb5)
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: mmokrejs at natur.cuni.cz
I see configure did not manage to realize my heimdal installation does not have
libdes. When heimdal detects during build libcrypto installed, it does not build
libdes.
Second problem is that
$ ./configure --prefix=/usr/local --with-tcp-wrappers
--with-ssl-dir=/usr/local/openssl --with-prngd-socket=/tmp/entropy
--with-default-path=/usr/bin:/bin:/sbin:/usr/local/bin:/usr/local/sbin:/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/bin/X11:/usr/afs/bin:/usr/athena/bin:/usr/local/openssl/bin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
--with-xauth=/usr/bin/X11/xauth --with-zlib --with-osfsia
--with-login=/usr/bin/login --with-privsep --with-kerberos5=/usr/heimdal
--with-afs=/usr/afsws
[cut]
checking whether we are using Heimdal... yes
checking for library containing dn_expand... none required
checking for gss_init_sec_context in -lgssapi... no
checking for gss_init_sec_context in -lgssapi_krb5... no
configure: WARNING: Cannot find any suitable gss-api library - build may fail
checking for gssapi.h... yes
checking for gssapi_krb5.h... no
[cut]
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
/usr/bin:/bin:/sbin:/usr/local/bin:/usr/local/sbin:/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/bin/X11:/usr/afs/bin:/usr/athena/bin:/usr/local/openssl/bin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
Manpage format: man
DNS support: no
PAM support: no
KerberosV support: yes
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: alphaev67-dec-osf5.1
Compiler: cc
Compiler flags: -O2 -arch ev56
Preprocessor flags: -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include
Linker flags: -L/usr/local/openssl/lib -Lyes -L/usr/heimdal/lib
Libraries: -lwrap -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto -lkrb5
-ldes -lcom_err -lasn1 -lroken
You see, the "Linker flags" contain properly -L/usr/heimdal/lib, that's where
libgssapi.a is.
The problem is when heimdal is installed with support for openssl, it does not
build libdes:
configure:14199: checking whether we are using Heimdal
configure:14214: cc -c -O2 -arch ev56 -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include conftest.c >&5
cc: Warning: configure, line 14207: In the initializer for tmp, the referenced
type of the pointer value "heimdal_version" is const, but
the referenced type of the target of this assignment is not. (notconstqual)
char *tmp = heimdal_version;
-------------^
configure:14217: $? = 0
configure:14220: test -s conftest.o
configure:14223: $? = 0
configure:14225: result: yes
configure:14248: checking for library containing dn_expand
configure:14275: cc -o conftest -O2 -arch ev56 -I/usr/local/openssl/include
-Iyes -I/software/@sys/usr/include -I/usr/local/include
-I/usr/local/openssl/include -I/usr/heimdal/include -L/usr/local/openssl/lib -Lyes
-L/usr/heimdal/lib conftest.c -lrt -lz -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm
-laud -lcrypto >&5
configure:14278: $? = 0
configure:14281: test -s conftest
configure:14284: $? = 0
configure:14337: result: none required
configure:14344: checking for gss_init_sec_context in -lgssapi
configure:14371: cc -o conftest -O2 -arch ev56 -I/usr/local/openssl/include
-Iyes -I/software/@sys/usr/include -I/usr/local/include
-I/usr/local/openssl/include -I/usr/heimdal/include -L/usr/local/openssl/lib -Lyes
-L/usr/heimdal/lib conftest.c -lgssapi -lkrb5 -ldes -lcom_err -lasn1 -lroken
-lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto >&5
ld:
Can't locate file for: -ldes
configure:14374: $? = 1
configure: failed program was:
#line 14352 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
builtin and then its argument prototype would still apply. */
char gss_init_sec_context ();
int
main ()
{
gss_init_sec_context ();
;
return 0;
}
configure:14391: result: no
configure:14400: checking for gss_init_sec_context in -lgssapi_krb5
configure:14427: cc -o conftest -O2 -arch ev56 -I/usr/local/openssl/include
-Iyes -I/software/@sys/usr/include -I/usr/local/include
-I/usr/local/openssl/include -I/usr/heimdal/include -L/usr/local/openssl/lib -Lyes
-L/usr/heimdal/lib conftest.c -lgssapi_krb5 -lkrb5 -ldes
-lcom_err -lasn1 -lroken -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto >&5
ld:
Can't locate file for: -lgssapi_krb5
configure:14430: $? = 1
configure: failed program was:
#line 14408 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
builtin and then its argument prototype would still apply. */
char gss_init_sec_context ();
int
main ()
{
gss_init_sec_context ();
;
return 0;
}
configure:14447: result: no
configure:14456: WARNING: Cannot find any suitable gss-api library - build may
fail
configure:14462: checking for gssapi.h
configure:14472: cc -E -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include conftest.c
configure:14478: $? = 0
configure:14497: result: yes
configure:14561: checking for gssapi_krb5.h
configure:14571: cc -E -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include -I/usr/heimdal/include/gssapi conftest.c
cc: Error: configure, line 14568: Cannot find file <gssapi_krb5.h> specified in #include directive. (noinclfile)
#include <gssapi_krb5.h>
-^
configure:14577: $? = 1
configure: failed program was:
#line 14567 "configure"
#include "confdefs.h"
#include <gssapi_krb5.h>
configure:14596: result: no
To help you out with what is available and what isn't when latest cvs snapshot
of heimdal is installed(with support for openssl, i.e. without libdes.a built):
serow# ls /usr/heimdal/include
asn1_err.h fnmatch.h hdb_asn1.h krb5-private.h parse_bytes.h sl.h
base64.h getarg.h hdb_err.h krb5-protos.h parse_time.h ss
com_err.h glob.h heim_err.h krb5-types.h parse_units.h vis.h
com_right.h gssapi.h ifaddrs.h krb5.h resolve.h xdbm.h
der.h hdb-private.h k524_err.h krb5_asn1.h roken-common.h
editline.h hdb-protos.h kadm5 krb5_err.h roken.h
err.h hdb.h kafs.h otp.h rtbl.h
serow# ls /usr/heimdal/lib
lib45.a libeditline.la libkadm5clnt.la libkrb5.la libsl.a
libasn1.a libgssapi.a libkadm5srv.a libotp.a libsl.la
libasn1.la libgssapi.la libkadm5srv.la libotp.la libss.a
libcom_err.a libhdb.a libkafs.a libroken.a libss.la
libcom_err.la libhdb.la libkafs.la libroken.la
libeditline.a libkadm5clnt.a libkrb5.a libsia_krb5.so
serow#
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-05 08:51 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
mmokrejs at natur.cuni.cz changed:
What |Removed |Added
----------------------------------------------------------------------------
OS/Version|Linux |OSF/1
bugzilla-daemon at mindrot.org
2003-Sep-05 08:59 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-05 18:59
-------
To be clear about OpenSSL version, that's what openssh/configure says(and I agree) :):
checking OpenSSL header version... 90702f (OpenSSL 0.9.7b 10 Apr 2003)
checking OpenSSL library version... 90702f (OpenSSL 0.9.7b 10 Apr 2003)
checking whether OpenSSL's headers match the library... yes
checking whether OpenSSL's PRNG is internally seeded... yes
bugzilla-daemon at mindrot.org
2003-Sep-05 09:49 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-05 19:49
-------
The snapshot can be compiled, when user removed -ldes from config.status and
reshuffles libraries on the link commandline:
cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o
sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o
auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o
kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o
auth-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib
-Lyes -L/usr/heimdal/lib -lssh -lopenbsd-compat -lwrap -lrt -lz
-L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
-lsecurity -ldb -lm -laud -lcrypto -lkrb5 -lcom_err -lasn1 -lroken
ld:
Unresolved:
DES_cbc_cksum
DES_cbc_encrypt
DES_pcbc_encrypt
RAND_write_file
RAND_file_name
UI_UTIL_read_pw_string
make: *** [sshd] Error 1
serow# cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o
sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o
auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o
kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o
auth-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib
-Lyes -L/usr/heimdal/lib -lssh -lopenbsd-compat -lwrap -lrt -lz
-L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
-lsecurity -ldb -lm -laud -lkrb5 -lcom_err -lasn1 -lroken -lcrypto
serow#
But, the binaries do even try to use my kerberos5 tickets at all(tested with ssh
-v).
bugzilla-daemon at mindrot.org
2003-Sep-05 10:11 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-05 20:11
-------
Arrgh,
- But, the binaries do even try to use my kerberos5 tickets at all(tested with ssh
- -v).
+ But, the binaries do NOT even try to use my kerberos5 tickets at all(tested with
+ ssh -v).
bugzilla-daemon at mindrot.org
2003-Sep-09 12:36 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-09 22:36
-------
The heimdal developers suggest using krb5-config instead of magic. The fallback
to magic in configure might be necessary as the script is not always installed.
They say krb5-config exists also in MIT kerberos5 version.
mokrejs at vrapenec$ krb5-config --libs gssapi
-L/usr/lib -lgssapi -lkrb5 -lasn1 -L/usr/athena/lib -ldes -lroken -lcrypt
mokrejs at vrapenec$ ls -la /usr/athena/lib/libdes*
-rw-r--r-- 1 root root 90978 Aug 26 02:58 /usr/athena/lib/libdes.a
-rwxr-xr-x 1 root root 697 Aug 26 02:58 /usr/athena/lib/libdes.la
mokrejs at vrapenec$
mokrejs at vrapenec$ krb5-config --cflags
-I/usr/include -I/usr/athena/include
mokrejs at vrapenec$
The --cflags gives you the path used when for example kerberos4 support has been
compiled into kerberos5. Therefore, you always have to append include path to find
where kerberos5 is installed(for example /usr/heimdal/include).
I believe you can ask heimdal developers for more info. ;)
From: Love <lha at stacken.kth.se>
Cc: heimdal-discuss at sics.se
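The approach suggested in the comment above (ask krb5-config first, fall back to a hand-built list only when the script is missing), sketched as an added example; it is not part of the thread and is not attachment 396. The function names are hypothetical, and the fallback lists are modelled on the link lines quoted earlier in this bug.

```shell
#!/bin/sh
# Added illustration: pick Kerberos 5 / GSSAPI build flags for one install prefix.
# Function names are hypothetical; this is not OpenSSH's configure code.

# has_lib DIR NAME: true if DIR holds libNAME as a static or shared library.
has_lib() {
    for f in "$1/lib$2.a" "$1/lib$2.so" "$1/lib$2".so.*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# krb5_gss_libs PREFIX: print linker flags for GSSAPI + Kerberos 5.
krb5_gss_libs() {
    prefix=$1
    cfg="$prefix/bin/krb5-config"
    # Preferred: the installation reports what it was really built with.
    if [ -x "$cfg" ] && libs=$("$cfg" --libs gssapi 2>/dev/null) && [ -n "$libs" ]; then
        printf '%s\n' "$libs"
        return 0
    fi
    # Fallback when the script is not installed: start from the hard-coded
    # list seen in the failing configure run, but name libdes only if it
    # exists. A Heimdal built against OpenSSL has no libdes; its DES_* symbols
    # come from libcrypto, which then has to follow the Kerberos libraries.
    if has_lib "$prefix/lib" des; then
        printf '%s\n' "-L$prefix/lib -lgssapi -lkrb5 -ldes -lcom_err -lasn1 -lroken"
    else
        printf '%s\n' "-L$prefix/lib -lgssapi -lkrb5 -lcom_err -lasn1 -lroken -lcrypto"
    fi
}

# krb5_gss_cflags PREFIX: print preprocessor flags.
krb5_gss_cflags() {
    prefix=$1
    cfg="$prefix/bin/krb5-config"
    flags=
    if [ -x "$cfg" ]; then
        flags=$("$cfg" --cflags 2>/dev/null) || flags=
    fi
    # Per the report above, --cflags may not name the Kerberos 5 prefix itself,
    # so append it unless it is already present.
    case " $flags " in
        *" -I$prefix/include "*) ;;
        *) flags="${flags:+$flags }-I$prefix/include" ;;
    esac
    printf '%s\n' "$flags"
}

# Constructed demo: a throwaway prefix with no libdes and no krb5-config.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lib" "$d/bin"
    : > "$d/lib/libkrb5.a"
    echo "fallback libs: $(krb5_gss_libs "$d")"
    echo "cflags:        $(krb5_gss_cflags "$d")"
    rm -rf "$d"
}
demo
```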
bugzilla-daemon at mindrot.org
2003-Sep-10 04:24 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From dtucker at zip.com.au 2003-09-10 14:24
-------
Created an attachment (id=396)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=396&action=view)
Try to use krb5-config where available
How's the attached patch? So far I've only tested configuring with MIT kerberos
but it seems to be OK.
bugzilla-daemon at mindrot.org
2003-Sep-10 10:31 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-10 20:31
-------
So I tested with heimdal and latest openssh snapshot-10-09-03:
checking whether we are using Heimdal... yes
checking for library containing dn_expand... none required
checking for gss_init_sec_context in -lgssapi... yes
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... no
checking for gssapi_krb5.h... no
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
/usr/bin:/bin:/sbin:/usr/local/bin:/usr/local/sbin:/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/bin/X11:/usr/afs/bin:/usr/athena/bin:/usr/local/openssl/bin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
Manpage format: man
DNS support: no
PAM support: no
KerberosV support: yes
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: alphaev67-dec-osf5.1
Compiler: cc
Compiler flags: -O2 -arch ev56
Preprocessor flags: -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include -I/usr/heimdal/include
Linker flags: -L/usr/local/openssl/lib -Lyes -L/usr/heimdal/lib
Libraries: -lwrap -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto
-L/usr/heimdal/lib -lgssapi -lkrb5 -lasn1 -lcrypto -lroken -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
I can compile fine but the produced binaries do not use kerberos:
serow# ./ssh -v -l mokrejs serow -p 8888
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to serow [146.107.217.72] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'serow' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
mokrejs at serow's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Tue Sep 9 22:47:01 MEST 2003 from sheep1.gsf.de
Compaq Tru64 UNIX V5.1A (Rev. 1885); Fri Dec 6 18:07:50 MET 2002
Tru64 UNIX German Support V5.1A (rev. 168)
Tru64 UNIX Czech Support V5.1A (rev. 168)
Tru64 UNIX Polish Support V5.1A (rev. 168)
Tru64 UNIX Russian Support V5.1A (rev. 168)
Tru64 UNIX Slovak Support V5.1A (rev. 168)
Tru64 UNIX Spanish Support V5.1A (rev. 168)
Tru64 UNIX Swedish Support V5.1A (rev. 168)
serow$ logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to serow closed.
debug1: Transferred: stdin 0, stdout 0, stderr 29 bytes in 2.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 13.6
debug1: Exit status 0
serow# ./ssh -v -l mokrejs serow -p 8888 -1
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to serow [146.107.217.72] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.7p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'serow' is known and matches the RSA1 host key.
debug1: Found key in /.ssh/known_hosts:13
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
mokrejs at serow's password:
debug1: Requesting pty.
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Wed Sep 10 12:07:44 MEST 2003 from serow.gsf.de
Compaq Tru64 UNIX V5.1A (Rev. 1885); Fri Dec 6 18:07:50 MET 2002
Tru64 UNIX German Support V5.1A (rev. 168)
Tru64 UNIX Czech Support V5.1A (rev. 168)
Tru64 UNIX Polish Support V5.1A (rev. 168)
Tru64 UNIX Russian Support V5.1A (rev. 168)
Tru64 UNIX Slovak Support V5.1A (rev. 168)
Tru64 UNIX Spanish Support V5.1A (rev. 168)
Tru64 UNIX Swedish Support V5.1A (rev. 168)
serow$
I remember openssh used to use kerberos only in protocol one, and there used to
be a patch from Jan Iven that actually allowed kerberos to be used also in
protocol two. It seems those patches have been totally backed out with the
removal of krb4. BTW, I see still krb4 in the configure.
So, with the above patch, ssh and sshd are created as:
cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o
sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib -Lyes
-L/usr/heimdal/lib -lssh -lopenbsd-compat -lrt -lz -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm
-laud -lcrypto -L/usr/heimdal/lib -lgssapi -lkrb5 -lasn1 -lcrypto -lroken
-L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o
sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o
auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o
kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o
auth-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib
-Lyes -L/usr/heimdal/lib -lssh -lopenbsd-compat -lwrap -lrt -lz
-L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib
-lsecurity -ldb -lm -laud -lcrypto -L/usr/heimdal/lib -lgssapi -lkrb5 -lasn1
-lcrypto -lroken -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib
I remember there have been problems with order of libs which prevented kerberos
from being used, also crypt() from libc used to override the one from libcrypto. I
believe you can find the reports in email archives of openssh, look for
reporters from "natur.cuni.cz".
This is how it should look:
mmokrejs at prfdec$ kauth mmokrejs
mmokrejs at NATUR.CUNI.CZ's Password:
mmokrejs at prfdec$ ssh -v -1 www
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug1: /usr/local/etc/ssh_config line 70: Deprecated option "UseRsh"
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to www [195.113.56.1] port 22.
debug1: Connection established.
debug1: identity file /usr/home3/mmokrejs/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'www' is known and matches the RSA1 host key.
debug1: Found key in /usr/home3/mmokrejs/.ssh/known_hosts:25
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v4 authentication.
debug1: Kerberos v4 authentication accepted.
debug1: Kerberos v4 challenge successful.
debug1: Requesting compression at level 9.
debug1: Enabling compression at level 9.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting shell.
debug1: Entering interactive session.
Last successful login for mmokrejs: Wed Sep 10 11:10:57 CEST 2003 from
sheep1.gsf.de
Last unsuccessful login for mmokrejs: Thu Aug 28 08:54:23 CEST 2003 from
sheep1.gsf.de
Compaq Tru64 UNIX V5.1A (Rev. 1885); Tue Aug 12 21:09:54 CEST 2003
mmokrejs at prfdec$ logout
Connection to www closed.
debug1: Transferred: stdin 1, stdout 408, stderr 27 bytes in 43.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 9.5, stderr 0.6
debug1: Exit status 0
debug1: compress outgoing: raw data 212, compressed 210, factor 0.99
debug1: compress incoming: raw data 440, compressed 348, factor 0.79
mmokrejs at prfdec$
This installation was created by David Komanek
bugzilla-daemon at mindrot.org
2003-Sep-10 10:52 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-10 20:52
-------
I tried the patch from http://www.sxw.org.uk/computing/patches/openssh.html with
openssh-3.6p1 with same configure commandline:
checking whether we are using Heimdal... yes
checking for dn_expand in -lresolv... yes
checking for gss_init_sec_context in -lgssapi... no
checking for gss_init_sec_context in -lgssapi_krb5... no
configure: WARNING: Cannot find any suitable gss-api library - build may fail
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... no
checking for gssapi_krb5.h... no
configure: WARNING: AFS requires Kerberos IV support, build may fail
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
/usr/bin:/bin:/sbin:/usr/local/bin:/usr/local/sbin:/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/bin/X11:/usr/afs/bin:/usr/athena/bin:/usr/local/openssl/bin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
Manpage format: man
PAM support: no
KerberosIV support: no
KerberosV support: yes
Smartcard support: no
AFS support: yes
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: alphaev67-dec-osf5.1
Compiler: cc
Compiler flags: -O2 -arch ev56
Preprocessor flags: -I/usr/local/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include -I/usr/afsws/include
Linker flags: -L/usr/local/openssl/lib -Lyes -L/usr/heimdal/lib
-L/usr/afsws/lib
Libraries: -lwrap -lkafs -lresolv -lrt -lz -L/usr/local/lib
-L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm
-laud -lcrypto -lkrb5 -ldes -lcom_err -lasn1 -lroken
Well, this expects kerb5 to be compiled with the fallback to krb4 and with
libdes built(i.e. -ldes has to override symbols from lcrypto).
bugzilla-daemon at mindrot.org
2003-Sep-10 11:00 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From dtucker at zip.com.au 2003-09-10 21:00
-------
I've built the current CVS tree with patch id=396 and Heimdal (0.6) and one
thing I noticed different:
debug3: preferred gssapi,publickey,keyboard-interactive,password
What happens if you try "ssh -o PreferredAuthentication=gssapi" ?
bugzilla-daemon at mindrot.org
2003-Sep-10 11:08 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-10 21:08
-------
$ head ChangeLog
20030909
 - (tim) [regress/Makefile] Fixes for building outside of a read-only source tree.
20030908
 - (tim) [configure.ac openbsd-compat/getrrsetbyname.c] wrap _getshort and _getlong in #ifndef
 - (tim) [configure.ac acconfig.h openbsd-compat/getrrsetbyname.c] test for HEADER.ad in arpa/nameser.h
 - (tim) [ssh-keygen.c] s/PATH_MAX/MAXPATHLEN/ ok mouring@
$ ./ssh -o PreferredAuthentication=gssapi -p 8888
command-line: line 0: Bad configuration option: PreferredAuthentication
$
bugzilla-daemon at mindrot.org
2003-Sep-10 11:12 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From dtucker at zip.com.au 2003-09-10 21:12
-------
Sorry, typo, make that "ssh -o PreferredAuthentications=gssapi" (note trailing
"s")
bugzilla-daemon at mindrot.org
2003-Sep-10 11:18 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-10 21:18
-------
No way ...
$ ./ssh -o PreferredAuthentications=gssapi -p 8888
Usage: ssh [options] host [command]
Options:
-l user Log in using this user name.
-n Redirect input from /dev/null.
-F config Config file (default: ~/.ssh/config).
-A Enable authentication agent forwarding.
-a Disable authentication agent forwarding (default).
-X Enable X11 connection forwarding.
-x Disable X11 connection forwarding (default).
-i file Identity for public key authentication (default: ~/.ssh/identity)
-t Tty; allocate a tty even if command is given.
-T Do not allocate a tty.
-v Verbose; display verbose debugging messages.
Multiple -v increases verbosity.
[cut]
bugzilla-daemon at mindrot.org
2003-Sep-12 09:03 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From dtucker at zip.com.au 2003-09-12 19:03
-------
Could you please elaborate on "No way.."?
bugzilla-daemon at mindrot.org
2003-Sep-12 09:37 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From markus at openbsd.org 2003-09-12 19:37
-------
$ ./ssh -o PreferredAuthentications=gssapi -p 8888
Usage: ssh [options] host [command]
                     ^^^^^
the command line is missing the hostname.
bugzilla-daemon at mindrot.org
2003-Sep-15 16:19 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-16 02:19 -------
It seems my response did not make it into bugzilla .... :( Here's the output from the binary made on Sep 10.
# ./ssh -o PreferredAuthentications=gssapi -p 8888 -v -v -v 127.0.0.1
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7p1
debug1: match: OpenSSH_3.7p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 119/256
debug2: bits set: 1625/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug3: check_host_in_hostfile: match line 15
debug1: Host '127.0.0.1' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:15
debug2: bits set: 1574/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/identity (0)
debug2: key: /.ssh/id_rsa (0)
debug2: key: /.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
debug1: Calling cleanup 0x12006fab0(0x0)
#
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-16 01:41 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From dtucker at zip.com.au 2003-09-16 11:41 -------
This bit from the debug "debug1: Authentications that can continue: publickey,password,keyboard-interactive", looks like GSSAPI is not enabled on the server side. Do you have "GSSAPIAuthentication yes" in the server's config? It defaults to "no".
From "make sshd_config":
GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed. The default is ``no''. Note that this option applies to protocol version 2 only.
bugzilla-daemon at mindrot.org
2003-Sep-16 09:33 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-16 19:33 -------
I decided to reinstall heimdal and openssh again, both with latest snapshots. With openssh-SNAP-20030916.tar.gz I see:
$ ./configure --prefix=/usr/local --with-tcp-wrappers --with-ssl-dir=/software/@sys/usr/openssl --with-prngd-socket=/var/run/egd-pool --with-default-path=/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/afs/bin:/software/@sys/usr/openssl/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/sbin:/usr/sbin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin --with-xauth=/usr/bin/X11/xauth --with-zlib --with-osfsia --with-login=/usr/bin/login --with-privsep --with-afs=/usr/afsws --with-kerberos5=/usr/heimdal
$make
[...]
$ cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/software/@sys/usr/openssl/lib -Lyes -L/usr/heimdal/lib -lssh -lopenbsd-compat -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto -lkrb5 -ldes -lcom_err -lasn1 -lroken
ld: Can't locate file for: -ldes
make: *** [ssh] Error 1
$ cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/software/@sys/usr/openssl/lib -Lyes -L/usr/heimdal/lib -lssh -lopenbsd-compat -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto -lkrb5 -lcom_err -lasn1 -lroken
$
So I see configure still tries to guess which libraries are needed for KerberosV.
sshd has to be linked with -lcrypto as the very last, not like currently set:
cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/ -L/software/@sys/usr/openssl/lib -Lyes -L/usr/heimdal/lib -lssh -lopenbsd-compat -lwrap -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto -lkrb5 -lcom_err -lasn1 -lroken
ld: Unresolved:
DES_cbc_cksum
DES_cbc_encrypt
DES_pcbc_encrypt
RAND_write_file
RAND_file_name
UI_UTIL_read_pw_string
make: *** [sshd] Error 1
Running "make test" gives:
ssh-keygen -if /usr/local/scratch/openssh/regress/dsa_ssh2.pub > /usr/local/scratch/openssh/regress//t6.out2
chmod 600 /usr/local/scratch/openssh/regress//t6.out1
ssh-keygen -yf /usr/local/scratch/openssh/regress//t6.out1 | diff - /usr/local/scratch/openssh/regress//t6.out2
ssh-keygen -q -t rsa -N '' -f /usr/local/scratch/openssh/regress//t7.out
ssh-keygen -lf /usr/local/scratch/openssh/regress//t7.out > /dev/null
ssh-keygen -Bf /usr/local/scratch/openssh/regress//t7.out > /dev/null
run test connect.sh ...
Connection closed by 127.0.0.1
ssh connect with protocol 1 failed
Connection closed by 127.0.0.1
ssh connect with protocol 2 failed
failed simple connect
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/usr/local/scratch/openssh/regress'
make: *** [tests] Error 2
I've deleted ssh*config files and edited those newly installed versions again.
Could you please improve the comments in sshd_config template so that it is clear that "Kerberos options" refer to kerberosIV only and that "GSSAPI options" refers only to kerberosV? ;)
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes
And, I tried to start sshd but get:
# ./sshd -p 8888
/usr/local/etc/sshd_config line 66: Unsupported option GSSAPIAuthentication
/usr/local/etc/sshd_config line 67: Unsupported option GSSAPICleanupCreds
#
bugzilla-daemon at mindrot.org
2003-Sep-16 09:39 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-16 19:39
-------
I forgot to include how openssh-SNAP-20030916 got configured:
checking whether we are using Heimdal... yes
checking for library containing dn_expand... none required
checking for gss_init_sec_context in -lgssapi... no
checking for gss_init_sec_context in -lgssapi_krb5... no
configure: WARNING: Cannot find any suitable gss-api library - build may fail
checking for gssapi.h... yes
checking for gssapi_krb5.h... no
config.h contains:
/* Define this is you want GSSAPI support in the version 2 protocol */
/* #undef GSSAPI */
/* Define if you want Kerberos 5 support */
#define KRB5 1
/* Define this if you are using the Heimdal version of Kerberos V5 */
#define HEIMDAL 1
/* Define if you want S/Key support */
/* #undef SKEY */
/* Define if you want TCP Wrappers support */
#define LIBWRAP 1
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/afs/bin:/software/@sys/usr/openssl/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/sbin:/usr/sbin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin
Manpage format: man
DNS support: no
PAM support: no
KerberosV support: yes
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: alphaev67-dec-osf5.1
Compiler: cc
Compiler flags: -O2 -arch ev56
Preprocessor flags: -I/software/@sys/usr/openssl/include -Iyes
-I/software/@sys/usr/include -I/usr/local/include -I/usr/local/openssl/include
-I/usr/heimdal/include
Linker flags: -L/software/@sys/usr/openssl/lib -Lyes -L/usr/heimdal/lib
Libraries: -lwrap -lrt -lz -L/usr/local/lib -L/software/@sys/usr/lib
-L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto -lkrb5
-ldes -lcom_err -lasn1 -lroken
bugzilla-daemon at mindrot.org
2003-Sep-16 09:49 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-16 19:49 -------
So I've defined GSSAPI in config.h. To get things compiled, I had to put -lgssapi in front of -lkrb5 and again put -lcrypto at the end of the linker command line. Then, I get:
serow# ./ssh -o PreferredAuthentications=gssapi -p 8888 -v -v -v serow -1
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to serow [146.107.217.72] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7p1
debug1: match: OpenSSH_3.7p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.7p1
debug1: Waiting for server public key.
Connection closed by 146.107.217.72
debug1: Calling cleanup 0x1200708d0(0x0)
serow# ./ssh -o PreferredAuthentications=gssapi -p 8888 -v -v -v serow
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to serow [146.107.217.72] port 8888.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7p1
debug1: match: OpenSSH_3.7p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug1: SSH2_MSG_KEXINIT sent
Connection closed by 146.107.217.72
debug1: Calling cleanup 0x1200708d0(0x0)
serow#
I guess the server crashes somewhere.
bugzilla-daemon at mindrot.org
2003-Sep-17 19:13 UTC
[Bug 635] openssh-SNAP-20030903: configure does not work well with heimdal(krb5)
http://bugzilla.mindrot.org/show_bug.cgi?id=635
------- Additional Comments From mmokrejs at natur.cuni.cz 2003-09-18 05:13 -------
I had to edit config.h to get it working with password authentication by setting these manually (the first 3 are platform specific - already in another bugreport, the last is a bug reported here):
/* Define if your platform breaks doing a seteuid before a setuid */
#define SETEUID_BREAKS_SETUID
/* Define if your setreuid() is broken */
#define BROKEN_SETREUID
/* Define if your setregid() is broken */
#define BROKEN_SETREGID
/* Define this is you want GSSAPI support in the version 2 protocol */
#define GSSAPI
Unfortunately, the GSSAPI bug is still present. To summarize, I have set two GSS* options in sshd_config, I have compiled with heimdal, defined GSSAPI in config.h. Then, I get:
$ ssh -o PreferredAuthentications=gssapi -v -v -v -l mokrejs -p 443 serow
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060af
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to serow [146.107.217.72] port 443.
debug1: Connection established.
debug1: identity file /home/mokrejs/.ssh/identity type 0
debug1: identity file /home/mokrejs/.ssh/id_rsa type 0
debug3: Not a RSA1 key file /home/mokrejs/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/mokrejs/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p1
debug1: match: OpenSSH_3.7.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 1613/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mokrejs/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 24
debug3: check_host_in_hostfile: filename /home/mokrejs/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 24
debug1: Host 'serow' is known and matches the RSA host key.
debug1: Found key in /home/mokrejs/.ssh/known_hosts:24
debug2: bits set: 1585/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi,password,keyboard-interactive
debug3: preferred gssapi
debug3: authmethod_lookup gssapi
debug3: remaining preferred:
debug2: Unrecognized authentication method name: gssapi
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi,password,keyboard-interactive).
debug1: Calling cleanup 0x8062440(0x0)
$
# ./sshd -p 443 -D -d -d -d -d
debug2: read_server_config: filename /usr/local/etc/sshd_config
debug1: sshd version OpenSSH_3.7.1p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 443 on 0.0.0.0.
Server listening on 0.0.0.0 port 443.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 146.107.217.207 port 34118
debug1: Client protocol version 2.0; client software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.7.1p1
debug2: Network child is on pid 40616
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 15:22
debug1: permanently_set_uid: 15/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 146/256
debug2: bits set: 1585/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1613/3191
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 14005b0e0(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user mokrejs service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for mokrejs
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, styledebug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: Trying to reverse map address 146.107.217.207.
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for mokrejs from 146.107.217.207 port 34118 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for mokrejs from 146.107.217.207 port 34118 ssh2
Connection closed by 146.107.217.207
debug1: Calling cleanup 0x120082de0(0x0)
#
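The three client traces in this thread stop at different points: the server's list of methods lacks gssapi, the connection is closed during key exchange, and the server lists gssapi but the client reports it as an unrecognized method name. The following Python script is an added example, not part of the bug report or of OpenSSH; it classifies a saved "ssh -v -v -v" trace by those three outcomes. The function name and verdict labels are assumptions made for the example, and the sample traces are trimmed excerpts of the output posted above.

```python
import re

# Client debug lines that decide the outcome, in the format printed in this thread.
OFFERED = re.compile(r"debug1: Authentications that can continue: (\S+)")
UNRECOGNIZED = re.compile(r"debug2: Unrecognized authentication method name: (\S+)")
REMOTE = re.compile(r"debug1: Remote protocol version \S+, remote software version (.+)")
LOCAL = re.compile(r"debug1: Local version string (\S+)")
CLOSED = re.compile(r"Connection closed by (\S+)")


def triage(trace, method="gssapi"):
    """Classify why `method` was not used in a client debug trace (hypothetical helper)."""
    offered, unrecognized = set(), set()
    reached_userauth = False
    info = {"client": None, "server": None, "closed_by": None}
    for raw in trace.splitlines():
        line = raw.strip()
        m = OFFERED.match(line)
        if m:
            # The server repeats this list after each failed attempt; keep the union.
            reached_userauth = True
            offered.update(m.group(1).split(","))
            continue
        m = UNRECOGNIZED.match(line)
        if m:
            unrecognized.add(m.group(1))
            continue
        m = REMOTE.match(line)
        if m:
            info["server"] = m.group(1)
            continue
        m = LOCAL.match(line)
        if m:
            info["client"] = m.group(1)
            continue
        m = CLOSED.match(line)
        if m:
            info["closed_by"] = m.group(1)
    if not reached_userauth:
        # No method list was ever received: the failure is before authentication,
        # so the server-side debug output is the place to look next.
        verdict = "closed-before-userauth" if info["closed_by"] else "incomplete-trace"
    elif method not in offered:
        verdict = "server-does-not-offer"      # server build or sshd_config
    elif method in unrecognized:
        verdict = "client-does-not-implement"  # client build has no such method
    else:
        verdict = "offered-and-recognized"
    info.update(verdict=verdict, offered=sorted(offered))
    return info


# Trimmed excerpts of the traces posted in this thread.
TRACE_NOT_OFFERED = """
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7p1
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: preferred gssapi
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
"""
TRACE_CLOSED_IN_KEX = """
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7p1
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug1: SSH2_MSG_KEXINIT sent
Connection closed by 146.107.217.72
"""
TRACE_UNRECOGNIZED = """
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p1
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: Authentications that can continue: publickey,gssapi,password,keyboard-interactive
debug3: preferred gssapi
debug2: Unrecognized authentication method name: gssapi
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi,password,keyboard-interactive).
"""

if __name__ == "__main__":
    for name in ("TRACE_NOT_OFFERED", "TRACE_CLOSED_IN_KEX", "TRACE_UNRECOGNIZED"):
        print(name, triage(globals()[name]))
```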