From nobody@FreeBSD.ORG  Wed Aug  9 07:18:17 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 266F737BD9E; Wed,  9 Aug 2000 07:18:17 -0700 (PDT)
Message-Id: <20000809141817.266F737BD9E@hub.freebsd.org>
Date: Wed,  9 Aug 2000 07:18:17 -0700 (PDT)
From: Mark.Andrews@nominum.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] ssh (openssh) cannot connect to sshd (ssh.com) using kerberos5
X-Send-Pr-Version: www-1.0

>Number:         20504
>Category:       misc
>Synopsis:       [PATCH] ssh (openssh) cannot connect to sshd (ssh.com) using kerberos5
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    assar
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 09 07:20:01 PDT 2000
>Closed-Date:    Tue Mar 6 09:23:38 PST 2001
>Last-Modified:  Tue Mar  6 09:30:01 PST 2001
>Originator:     Mark Andrews
>Release:        4.1 STABLE
>Organization:
Nominum
>Environment:
FreeBSD drugs.dv.isc.org 4.1-STABLE FreeBSD 4.1-STABLE #0: Tue Aug  8 18:01:02 EST 2000     marka@drugs.dv.isc.org:/usr/obj/usr/src/sys/DRUGS  i386

>Description:
openssh and ssh.com disagree about which protocol values should be
used w/ kerberos5.

The patch below allows ssh from openssh to connect to sshd from
ssh.com.
>How-To-Repeat:
Find a site running a sshd from ssh.com and try to connect to it with
ssh (openssh) compiled w/ kerberos5. 

/etc/make.conf
MAKE_KERBEROS5= yes

apply fixes in misc/20502 and misc/18995

~/.ssh/config
kerberos5authentication yes
kerberos5tgtpassing yes

>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->assar 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Thu Aug 10 03:13:33 PDT 2000 
Responsible-Changed-Why:  
Assar's looking at getting OpenSSH + Heimdal working nicely. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20504 
State-Changed-From-To: open->feedback 
State-Changed-By: assar 
State-Changed-When: Sat Mar 3 18:25:20 PST 2001 
State-Changed-Why:  
code has been committed to do this and mail sent to the originator of 
the PR asking him to test it 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20504 

From: assar@FreeBSD.org
To: Mark.Andrews@nominum.com, freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: misc/20504: [PATCH] ssh (openssh) cannot connect to sshd (ssh.com) using kerberos5
Date: 04 Mar 2001 03:24:45 +0100

 Code for this has been added to -current, done somewhat differently
 from your patch.  Could you verify that it works for you too?  Thanks.
 
 /assar

From: Mark.Andrews@nominum.com
To: assar@FreeBSD.org
Cc: Mark.Andrews@nominum.com, freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/20504: [PATCH] ssh (openssh) cannot connect to sshd (ssh.com) using kerberos5 
Date: Sun, 04 Mar 2001 18:02:11 +1100

 > Code for this has been added to -current, done somewhat differently
 > from your patch.  Could you verify that it works for you too?  Thanks.
 > 
 > /assar
 
 	It looks like the code that was committed addresses the
 	server side of the issue.  It does not address the case
 	where OpenSSH is the client which is what my patch addresses.
 
 	Note 1 I have only got krb5 installed, no krb4 at all.
 
 	Note 2 supported_authentications is only tested for
 	SSH_AUTH_KRB5 in the cvs repository and that bit is NOT
 	set by the Secure Shell sshd which sets only SSH_AUTH_KRB4
 	(or as it sees it SSH_AUTH_KERBEROS).
 
 	Mark
 
 Unpatched:
 
 /usr/obj/usr/src/secure/usr.bin/ssh/ssh -v bb.rc.vix.com
 SSH Version OpenSSH_2.3.0, protocol versions 1.5/2.0.
 Compiled with SSL (0x0090600f).
 debug: Reading configuration data /usr/home/marka/.ssh/config
 debug: Applying options for *.vix.com
 debug: Applying options for *
 debug: Reading configuration data /etc/ssh/ssh_config
 debug: Applying options for *
 debug: ssh_connect: getuid 1001 geteuid 1001 anon 1
 debug: Connecting to bb.rc.vix.com [204.152.187.11] port 22.
 debug: Connection established.
 debug: Remote protocol version 1.99, remote software version 2.4.0 SSH Secure Shell (non-commercial)
 debug: match: 2.4.0 SSH Secure Shell (non-commercial) pat ^2\.[2-9]\.
 
 debug: Local version string SSH-1.5-OpenSSH_2.3.0
 debug: Waiting for server public key.
 debug: Received server public key (768 bits) and host key (1024 bits).
 debug: Host 'bb.rc.vix.com' is known and matches the RSA host key.
 debug: Encryption type: 3des
 debug: Sent encrypted session key.
 debug: Installing crc compensation attack detector.
 debug: Received encrypted confirmation.
 debug: Doing password authentication.
 marka@bb.rc.vix.com's password: 
 drugs:src {3086} % 
 
 Patched 
 
 ssh -v bb.rc.vix.com
 SSH Version OpenSSH_2.3.0, protocol versions 1.5/2.0.
 Compiled with SSL (0x0090600f).
 debug: Reading configuration data /usr/home/marka/.ssh/config
 debug: Applying options for *.vix.com
 debug: Applying options for *
 debug: Reading configuration data /etc/ssh/ssh_config
 debug: Applying options for *
 debug: ssh_connect: getuid 1001 geteuid 1001 anon 1
 debug: Connecting to bb.rc.vix.com [204.152.187.11] port 22.
 debug: Connection established.
 debug: Remote protocol version 1.99, remote software version 2.4.0 SSH Secure Shell (non-commercial)
 debug: match: 2.4.0 SSH Secure Shell (non-commercial) pat ^2\.[2-9]\.
 
 debug: Local version string SSH-1.5-OpenSSH_2.3.0
 debug: Waiting for server public key.
 debug: Received server public key (768 bits) and host key (1024 bits).
 debug: Host 'bb.rc.vix.com' is known and matches the RSA host key.
 debug: Encryption type: 3des
 debug: Sent encrypted session key.
 debug: Installing crc compensation attack detector.
 debug: Received encrypted confirmation.
 debug: Trying Kerberos V5 authentication.
 debug: Kerberos V5 authentication accepted.
 debug: Requesting pty.
 debug: Requesting X11 forwarding with authentication spoofing.
 debug: Requesting shell.
 debug: Entering interactive session.
 Last login: Thu Mar  1 21:58:41 2001 from drugs.dv.isc.org
 BSDI BSD/OS 3.1 Kernel #4: Thu Oct 16 16:16:52 MDT 1997
 
 ** Nominum staff mail has been moved from bb to shell.nominum.com **
 
 1 bb <marka> % 
 
 
 	Mark
 --
 Mark Andrews, Nominum Inc.
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com
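
 The bit-mask disagreement Mark's Note 2 describes, shown as a small
 stand-alone C program. This is an added illustration, not code from the
 PR, from OpenSSH or from the FreeBSD tree. It assumes the SSH protocol 1
 method numbers as OpenSSH's ssh.h defines them (SSH_AUTH_KERBEROS is
 method 6, advertised as bit 6 of supported_authentications in
 SSH_SMSG_PUBLIC_KEY); the separate SSH_AUTH_KRB5_LOCAL number is a
 placeholder standing in for the local KRB5 bit the PR refers to, whose
 real value is not given here. The server mask is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not code from the PR or from OpenSSH): how an SSH
 * protocol 1 client decides whether it may try Kerberos authentication.
 * The server advertises its methods as a bit mask (supported_authentications)
 * in SSH_SMSG_PUBLIC_KEY; bit N set means method number N is offered.
 * The method numbers below are the ones OpenSSH's ssh.h uses.
 */
#define SSH_AUTH_RHOSTS      1
#define SSH_AUTH_RSA         2
#define SSH_AUTH_PASSWORD    3
#define SSH_AUTH_RHOSTS_RSA  4
#define SSH_AUTH_TIS         5
#define SSH_AUTH_KERBEROS    6   /* the bit an ssh.com sshd sets for Kerberos */

/* ASSUMED placeholder: a separate, locally defined "KRB5" method number that
 * no ssh.com server ever sets.  The real value in the FreeBSD tree of the
 * time is not given in the PR; any unused number shows the same effect. */
#define SSH_AUTH_KRB5_LOCAL  9

/* Does the server's mask advertise method number `method`? */
static int auth_advertised(uint32_t mask, int method)
{
	return (mask & (1u << method)) != 0;
}

/* Client decision: attempt Kerberos V5 only if the bit we look for is set.
 * Testing the local KRB5 bit (the pre-fix behaviour Mark describes) never
 * matches an ssh.com server; testing SSH_AUTH_KERBEROS does. */
int client_will_try_krb5(uint32_t mask, int bit_to_test)
{
	return auth_advertised(mask, bit_to_test);
}

static const char *auth_name(int method)
{
	switch (method) {
	case SSH_AUTH_RHOSTS:     return "rhosts";
	case SSH_AUTH_RSA:        return "rsa";
	case SSH_AUTH_PASSWORD:   return "password";
	case SSH_AUTH_RHOSTS_RSA: return "rhosts-rsa";
	case SSH_AUTH_TIS:        return "tis";
	case SSH_AUTH_KERBEROS:   return "kerberos";
	default:                  return NULL;
	}
}

/* Render the mask as a comma-separated method list, the kind of line you
 * would want in a -v trace when two implementations disagree.  Returns the
 * number of advertised methods, or -1 if `out` is too small. */
int decode_auth_mask(uint32_t mask, char *out, size_t outlen)
{
	int count = 0;
	size_t used = 0;
	int method;

	if (outlen == 0)
		return -1;
	out[0] = '\0';
	for (method = 0; method < 32; method++) {
		char unknown[16];
		const char *name;
		int n;

		if (!auth_advertised(mask, method))
			continue;
		name = auth_name(method);
		if (name == NULL) {
			snprintf(unknown, sizeof unknown, "bit%d", method);
			name = unknown;
		}
		n = snprintf(out + used, outlen - used, "%s%s",
		    count ? "," : "", name);
		if (n < 0 || (size_t)n >= outlen - used)
			return -1;
		used += (size_t)n;
		count++;
	}
	return count;
}

int main(void)
{
	/* Constructed mask: what a server offering rhosts, rsa, password,
	 * rhosts-rsa and kerberos (bits 1,2,3,4,6) would send. */
	uint32_t server_mask = (1u << SSH_AUTH_RHOSTS) | (1u << SSH_AUTH_RSA) |
	    (1u << SSH_AUTH_PASSWORD) | (1u << SSH_AUTH_RHOSTS_RSA) |
	    (1u << SSH_AUTH_KERBEROS);
	char buf[128];

	decode_auth_mask(server_mask, buf, sizeof buf);
	printf("server advertises: %s\n", buf);
	printf("client testing local KRB5 bit tries krb5: %d\n",
	    client_will_try_krb5(server_mask, SSH_AUTH_KRB5_LOCAL));
	printf("client testing SSH_AUTH_KERBEROS tries krb5: %d\n",
	    client_will_try_krb5(server_mask, SSH_AUTH_KERBEROS));
	return 0;
}
```

 With the constructed mask the decoder prints
 rhosts,rsa,password,rhosts-rsa,kerberos; the client that tests the local
 KRB5 bit falls through to password authentication (the "Unpatched" trace
 above), while the one that tests SSH_AUTH_KERBEROS goes on to try Kerberos
 V5 (the "Patched" trace). Having the mask decoded in the debug output is
 the quickest way to tell, on either side, which method numbers the two
 implementations actually agree on.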

From: assar@FreeBSD.org
To: Mark.Andrews@nominum.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/20504: [PATCH] ssh (openssh) cannot connect to sshd (ssh.com) using kerberos5
Date: 05 Mar 2001 14:13:02 +0100

 Mark.Andrews@nominum.com writes:
 > 	It looks like the code that was committed addresses the
 > 	server side of the issue.  It does not address the case
 > 	where OpenSSH is the client which is what my patch addresses.
 
 Weird, I did try that and it worked for me.
 
 > 	Note 1 I have only got krb5 installed, no krb4 at all.
 
 My testing has been with both krb4 and krb5.
 
 > 	Note 2 supported_authentications is only tested for
 > 	SSH_AUTH_KRB5 in the cvs repository and that bit is NOT
 > 	set by the Secure Shell sshd which sets only SSH_AUTH_KRB4
 > 	(or as it sees it SSH_AUTH_KERBEROS).
 
 There's only a SSH_AUTH_KERBEROS now.
 
 I'll re-build with only krb5 and test against the Finnish sshd again.
 
 /assar

From: Mark.Andrews@nominum.com
To: assar@FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/20504: [PATCH] ssh (openssh) cannot connect to sshd (ssh.com) using kerberos5 
Date: Tue, 06 Mar 2001 10:00:46 +1100

 	I just ran "cvs update" again.  This time there were the following
 	changes.  Note the auth-krb5.c is for heimdal 0.3e.  This set of
 	changes appears to work.
 
 	Thanks
 	Mark
 
 P auth-krb4.c
 RCS file: /home/ncvs/src/crypto/openssh/auth-krb5.c,v
 retrieving revision 1.2.2.2
 retrieving revision 1.2.2.3
 Merging differences between 1.2.2.2 and 1.2.2.3 into auth-krb5.c
 M auth-krb5.c
 P auth-passwd.c
 P auth1.c
 P auth2.c
 P readconf.c
 P readconf.h
 P servconf.c
 P servconf.h
 P ssh.h
 P sshconnect.c
 P sshconnect1.c
 P sshd.c
 
 > Mark.Andrews@nominum.com writes:
 > > 	It looks like the code that was committed addresses the
 > > 	server side of the issue.  It does not address the case
 > > 	where OpenSSH is the client which is what my patch addresses.
 > 
 > Weird, I did try that and it worked for me.
 > 
 > > 	Note 1 I have only got krb5 installed, no krb4 at all.
 > 
 > My testing has been with both krb4 and krb5.
 > 
 > > 	Note 2 supported_authentications is only tested for
 > > 	SSH_AUTH_KRB5 in the cvs repository and that bit is NOT
 > > 	set by the Secure Shell sshd which sets only SSH_AUTH_KRB4
 > > 	(or as it sees it SSH_AUTH_KERBEROS).
 > 
 > There's only a SSH_AUTH_KERBEROS now.
 > 
 > I'll re-build with only krb5 and test against the Finnish sshd again.
 > 
 > /assar
 --
 Mark Andrews, Nominum Inc.
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com
State-Changed-From-To: feedback->closed 
State-Changed-By: assar 
State-Changed-When: Tue Mar 6 09:23:38 PST 2001 
State-Changed-Why:  
submitter says it works for him now 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20504 

From: assar@FreeBSD.org
To: Mark.Andrews@nominum.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/20504: [PATCH] ssh (openssh) cannot connect to sshd (ssh.com) using kerberos5
Date: 06 Mar 2001 18:23:24 +0100

 Mark.Andrews@nominum.com writes:
 > 	I just ran "cvs update" again.  This time there were the following
 > 	changes.  Note the auth-krb5.c is for heimdal 0.3e.  This set of
 > 	changes appears to work.
 
 Aha, ok.  It might have been that not everything was merged into
 stable at that time.  I did my testing with -current (which I should
 have mentioned).  Thanks for your feedback and do tell me if you have
 any more problem with this.
 
 /assar
>Unformatted:
