From nobody@FreeBSD.ORG  Thu Oct  5 07:09:13 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id BF2F837B503; Thu,  5 Oct 2000 07:09:13 -0700 (PDT)
Message-Id: <20001005140913.BF2F837B503@hub.freebsd.org>
Date: Thu,  5 Oct 2000 07:09:13 -0700 (PDT)
From: B.Candler@pobox.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: sample sshd_config errors for kerberos
X-Send-Pr-Version: www-1.0

>Number:         21767
>Category:       docs
>Synopsis:       sample sshd_config errors for kerberos
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 05 07:10:00 PDT 2000
>Closed-Date:    Mon Jul 29 03:49:51 PDT 2002
>Last-Modified:  Tue Jul 30 15:10:01 PDT 2002
>Originator:     Brian Candler
>Release:        4.1.1
>Organization:
>Environment:
>Description:
The supplied sample /etc/ssh/sshd_config has the line
#KerberosAuthentication no
This should read
#Kerberos5Authentication no

Same applies to "Kerberos[5]TgtPassing".

The other Kerberos options (KerberosOrLocalPasswd, AFSTokenPassing,
KerberosTicketCleanup) appear to be completely spurious.
>How-To-Repeat:
Uncomment 'KerberosAuthentication no', restart sshd, and watch it barf
>Fix:
See above

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->kris 
Responsible-Changed-By: nik 
Responsible-Changed-When: Sat Oct 28 15:48:32 PDT 2000 
Responsible-Changed-Why:  
Kris (in #bsdcode) thinks there's a problem, but that the suggested fix  
isn't right.  He's much more knowledgeable in these affairs than I am, so 
he gets to play with the PR :-) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=21767 
Responsible-Changed-From-To: kris->green 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sun Nov 12 18:27:41 PST 2000 
Responsible-Changed-Why:  
Green is taking over OpenSSH 


From: Jon <cykyc@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: docs/21767: sample sshd_config errors for kerberos
Date: Thu, 4 Apr 2002 20:56:04 -0800 (PST)

 Hello,
 
 FreeBSD novaV2 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Tue Feb 12
 15:18:54 CST 2002     root@novaV2:/usr/obj/usr/src/sys/NOVAV2  i386
 
 I'm noticing problems similar to PR docs/21767, where the
 sshd_config doesn't like having KerberosAuthentication set to no (or
 any of the other Kerberos options uncommented, such as
 AFSTokenPassing no).  The fix mentioned did not work w/ my setup
 (no other changes made in sshd_config).  I don't have any source on
 the system, and sshd hasn't been patched, either.
 
 Jon
 
 
 
State-Changed-From-To: open->closed 
State-Changed-By: chern 
State-Changed-When: Mon Jul 29 03:48:23 PDT 2002 
State-Changed-Why:  
MAKE_KERBEROS4=        yes 
MAKE_KERBEROS5=        yes 

must be defined in your /etc/make.conf and sshd recompiled to use any of 
sshd's kerberos features.  If not, these options are purposely left out; 
this is why they are commented out and not set to 'no' in sshd_config. 



From: Brian Candler <B.Candler@pobox.com>
To: Chern Lee <chern@FreeBSD.org>
Cc: green@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: docs/21767: sample sshd_config errors for kerberos
Date: Tue, 30 Jul 2002 21:49:05 +0100

 On Mon, Jul 29, 2002 at 03:49:50AM -0700, Chern Lee wrote:
 > Synopsis: sample sshd_config errors for kerberos
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: chern
 > State-Changed-When: Mon Jul 29 03:48:23 PDT 2002
 > State-Changed-Why: 
 > MAKE_KERBEROS4=        yes
 > MAKE_KERBEROS5=        yes
 > 
 > must be defined in your /etc/make.conf and sshd recompiled to use any of
 > sshd's kerberos features.  If not, these options are purposely left out;
 > this is why they are commented out and not set to 'no' in sshd_config.
 
 Admittedly this PR is partially stale now, but I think the underlying point
 still stands: it is not that the commands are commented out in sshd_config,
 but that the _wrong_ commands are commented out.
 
 On a FreeBSD-4.6-RELEASE system:
 
 $ grep -i kerberos /etc/ssh/sshd_config 
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup no
 #KerberosTgtPassing yes               <<<
 
 But looking at /usr/src/crypto/openssh/servconf.c the correct options are:
         { "kerberosauthentication", sKerberosAuthentication },
         { "kerberos4orlocalpasswd", sKrb4OrLocalPasswd },
         { "kerberos4ticketcleanup", sKrb4TicketCleanup },
         { "kerberos5tgtpassing", sKrb5TgtPassing },
         { "kerberos4tgtpassing", sKrb4TgtPassing },
 
 which apart from "KerberosAuthentication" are all different to the
 commented-out examples in sshd_config.
 
 Regards,
 
 Brian Candler.

From: Chern Lee <chern@FreeBSD.org>
To: Brian Candler <B.Candler@pobox.com>
Cc: <green@FreeBSD.org>, <freebsd-gnats-submit@FreeBSD.org>
Subject: Re: docs/21767: sample sshd_config errors for kerberos
Date: Tue, 30 Jul 2002 14:08:12 -0700 (PDT)

 FreeBSD 4.6-RELEASE had OpenSSH 2.9.  OpenSSH 3.4p1 was put into STABLE on
 July 4th.  The problem as mentioned does not exist;
 kerberos(5|4) is no longer around.
 
 - chern
 
 From STABLE as of 7/19:
 
 #if defined(KRB4) || defined(KRB5)
         { "kerberosauthentication", sKerberosAuthentication },
         { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
         { "kerberosticketcleanup", sKerberosTicketCleanup },
 #endif
 #if defined(AFS) || defined(KRB5)
         { "kerberostgtpassing", sKerberosTgtPassing },
 
 
 On Tue, 30 Jul 2002, Brian Candler wrote:
 
 > On Mon, Jul 29, 2002 at 03:49:50AM -0700, Chern Lee wrote:
 > > Synopsis: sample sshd_config errors for kerberos
 > >
 > > State-Changed-From-To: open->closed
 > > State-Changed-By: chern
 > > State-Changed-When: Mon Jul 29 03:48:23 PDT 2002
 > > State-Changed-Why:
 > > MAKE_KERBEROS4=        yes
 > > MAKE_KERBEROS5=        yes
 > >
 > > must be defined in your /etc/make.conf and sshd recompiled to use any of
 > > sshd's kerberos features.  If not, these options are purposely left out;
 > > this is why they are commented out and not set to 'no' in sshd_config.
 >
 > Admittedly this PR is partially stale now, but I think the underlying point
 > still stands: it is not that the commands are commented out in sshd_config,
 > but that the _wrong_ commands are commented out.
 >
 > On a FreeBSD-4.6-RELEASE system:
 >
 > $ grep -i kerberos /etc/ssh/sshd_config
 > #KerberosAuthentication no
 > #KerberosOrLocalPasswd yes
 > #KerberosTicketCleanup no
 > #KerberosTgtPassing yes               <<<
 >
 > But looking at /usr/src/crypto/openssh/servconf.c the correct options are:
 >         { "kerberosauthentication", sKerberosAuthentication },
 >         { "kerberos4orlocalpasswd", sKrb4OrLocalPasswd },
 >         { "kerberos4ticketcleanup", sKrb4TicketCleanup },
 >         { "kerberos5tgtpassing", sKrb5TgtPassing },
 >         { "kerberos4tgtpassing", sKrb4TgtPassing },
 >
 > which apart from "KerberosAuthentication" are all different to the
 > commented-out examples in sshd_config.
 >
 > Regards,
 >
 > Brian Candler.
 >
 
 
 
>Unformatted:
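The comparison the thread makes by hand, as an added example (not code from the PR or from OpenSSH): it extracts the keywords that survive the #if guards in the quoted servconf.c excerpts and lists the sample-config directives, commented out or not, that the resulting table would not recognise. The function names and the sets of defined macros passed in are assumptions of this example.

```python
import re

# Keyword tables as quoted from servconf.c in the thread. The final #endif of
# the second excerpt is added here so that the guards balance.
TABLE_4_6_RELEASE = '''
        { "kerberosauthentication", sKerberosAuthentication },
        { "kerberos4orlocalpasswd", sKrb4OrLocalPasswd },
        { "kerberos4ticketcleanup", sKrb4TicketCleanup },
        { "kerberos5tgtpassing", sKrb5TgtPassing },
        { "kerberos4tgtpassing", sKrb4TgtPassing },
'''
TABLE_STABLE = '''
#if defined(KRB4) || defined(KRB5)
        { "kerberosauthentication", sKerberosAuthentication },
        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
        { "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
        { "kerberostgtpassing", sKerberosTgtPassing },
#endif
'''
# Directives from the 4.6-RELEASE grep output quoted in the thread.
SAMPLE_CONFIG = '''
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup no
#KerberosTgtPassing yes
'''

def compiled_keywords(table_src, defined=frozenset()):
    """Keywords that survive the table's #if/#ifdef guards for these macros."""
    keywords, stack = set(), []
    for line in map(str.strip, table_src.splitlines()):
        if line.startswith("#if"):
            # Assumption: guards are OR-ed defined() tests or a plain #ifdef.
            names = re.findall(r"defined\((\w+)\)", line) or line.split()[1:2]
            stack.append(any(n in defined for n in names))
        elif line.startswith("#endif"):
            stack.pop()
        elif all(stack) and (m := re.match(r'\{\s*"([^"]+)"', line)):
            keywords.add(m.group(1))
    return keywords

def unknown_directives(config_text, keywords):
    # '#Keyword value' (no space after '#') counts as a commented-out directive;
    # '# text' is prose. sshd matches keywords case-insensitively.
    found = re.findall(r"^[ \t]*#?([A-Za-z][A-Za-z0-9]*)[ \t]+\S", config_text, re.M)
    return [k for k in found if k.lower() not in keywords]
```

Calling `unknown_directives(SAMPLE_CONFIG, compiled_keywords(TABLE_STABLE, {"KRB5"}))` models a Kerberos 5 build; an empty macro set models a build without `MAKE_KERBEROS4` or `MAKE_KERBEROS5`.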
