OpenSSH with kth-Kerberos

From: David Komanek <xdavid_at_aragorn.natur.cuni.cz>
Date: Wed, 21 Mar 2001 10:43:34 +0100 (MET)

Dear administrators,

did you manage to run OpenSSH with kth-krb ver. IV? Please, if you have
some comments on the problem described below, say them :-)

Thanks in advance.

Sincerely,

  David Komanek
  Charles University
  Prague
  CZ



When I use

 ssh -l username machine

without any Kerberos ticket, I'm normally prompted for the password and can
successfully log in.

If I issue

  kinit

to get the ticket and then use "ssh", the client ends up with a core dump:

OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x00906010
debug1: Seeding random number generator
debug1: ssh_connect: getuid 222 geteuid 0 anon 0
debug1: Connecting to xyz [xxx.yyy.zzz.www] port 22.
debug1: Allocated local port 1022.
debug1: Connection established.
debug1: identity file /usr/users/username/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug1: match: OpenSSH_2.3.0p1 pat ^OpenSSH_2\.3\.0
debug1: Local version string SSH-1.5-OpenSSH_2.5.2p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'bbs' is known and matches the RSA1 host key.
debug1: Found key in /usr/users/username/.ssh/known_hosts:2
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Remote: Kerberos V4 tgt accepted
(krbtgt.XXX.YYY.ZZZ_at_XXX.YYY.ZZZ, username_at_XXX.YYY.ZZZ)
debug1: Trying Kerberos authentication.
debug1: Trying to reverse map address xxx.yyy.zzz.www.
Segmentation fault


It faults somewhere in the krb_mk_req() function. The same code in the
Kerberos telnet works fine. I noticed this problem only with the ssh client
running on Tru64, regardless of whether it connects to daemons on the same or
other platforms. Clients running i.e. on IRIX are working well.

Another problem, probably coupled with it: if I connect with the client from
another platform, i.e. IRIX, to the OpenSSH daemon running on Tru64, it
claims "bad principal name (kerberos)" after I get the ticket and try to
connect with it. But working against "SSH 1.1.27" or using Kerberos Telnet
works fine, so I don't think this is a Kerberos server problem.


Tested on:

Tru64 4.0D, latest patchkit
OpenSSH both 2.2.3p1, 2.5.2p1 (Kerberos and AFS options used)
kth-krb 1.0.6
OpenSSL 0.9.6
DEC C V5.6-084
Received on Wed Mar 21 2001 - 09:44:46 NZST
