Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
Sam Hartman <hartm...@debian.org> writes:

> Hi. At today's release meeting, MIT indicated that they are going to set up an OS X test environment to reproduce this problem. They will also look into whether we can ignore the PAC and remove it from the authdata if it fails to verify rather than failing the authentication. There was agreement that if we do that we need to insert a trace point in the PAC code so we can know that the PAC is not verified.

I have reproduced the bug against Mac OS 10.6 Server. The following patch appears to work (against the trunk; I believe the 1.8 release didn't have tracing support). Sam, does it look reasonable to you?

diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h index 3efe0e4..43d63cc 100644 --- a/src/include/k5-trace.h +++ b/src/include/k5-trace.h @@ -177,6 +177,10 @@ #define TRACE_INIT_CREDS_SERVICE(c, service) \ TRACE(c, (c, Setting initial creds service to {string}, service)) +#define TRACE_MSPAC_DISCARD_NOSVCSIG(c) \ +TRACE(c, (c, Discarding MS PAC due to missing service signature. \ + Apple Open Directory bug?)) + #define TRACE_KT_GET_ENTRY(c, keytab, princ, vno, enctype, err) \ TRACE(c, (c, Retrieving {princ} from {keytab} (vno {int}, \ enctype {etype}) with result: {kerr}, princ, keytab, \ diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 983b4e8..64e0d9f 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -637,8 +637,13 @@ krb5_pac_verify(krb5_context context, return EINVAL; ret = k5_pac_verify_server_checksum(context, pac, server); -if (ret != 0) +if (ret == ENOENT) { +TRACE_MSPAC_DISCARD_NOSVCSIG(context); +pac-verified = FALSE; +return 0; +} else if (ret != 0) { return ret; +} if (privsvr != NULL) { ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
@@ -977,6 +982,11 @@ mspac_get_attribute(krb5_context kcontext, if (*more != -1 || pacctx-pac == NULL) return ENOENT; +/* If it didn't verify, pretend it didn't exist. */ +if (!pacctx-pac-verified) { +return ENOENT; +} + code = mspac_attr2type(attribute, type); if (code != 0) return code;
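Review bot: the trace text in TRACE_MSPAC_DISCARD_NOSVCSIG (k5-trace.h hunk) embeds a guess, "Apple Open Directory bug?", that will be emitted for every ticket whose PAC lacks a server checksum, whatever KDC issued it; suggest a neutral message that states only the observable condition, e.g. `Discarding MS PAC: no server checksum buffer present`, and leave the attribution to the ticket.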
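Review bot: returning 0 from krb5_pac_verify() when the server checksum is absent (pac.c hunk, `if (ret == ENOENT) { ... return 0; }`) changes the contract of a public function: any caller outside the mspac plugin that takes a zero return as proof the PAC was verified now gets success for an unsigned PAC, and only the new `verified = FALSE` flag records the difference. Suggest keeping the error return in krb5_pac_verify() and handling the ENOENT case in mspac_verify(), the plugin-internal caller. The narrow match on ENOENT is the right shape: a checksum that is present but wrong still comes back through `else if (ret != 0) { return ret; }`, so only the missing-signature case is downgraded.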
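Review bot: the gate on pacctx->pac->verified in mspac_get_attribute() only covers attribute lookup; if the plugin has other paths that hand the PAC to callers (export or copy of the authdata context, not shown in this hunk), they need the same check or the unverified PAC still leaks out through them. Style point: the surrounding code in this function writes single-statement ifs without braces (`if (code != 0) return code;`), so `if (!pacctx->pac->verified) return ENOENT;` would match it.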
Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
This patch looks reasonable. I have not confirmed that it successfully makes the PAC disappear, but if you've examined the logic there I'm happy to assume it does.

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
Sam Hartman <hartm...@debian.org> writes:

> This patch looks reasonable. I have not confirmed that it successfully makes the PAC disappear, but if you've examined the logic there I'm happy to assume it does.

On the other hand, we do appear to expose the krb5_pac_verify() interface that is called by the static authdata handler mspac_verify(), so I should bump the check up a level to mspac_verify().
Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
forwarded 604925 http://krbdev.mit.edu/rt/Ticket/Display.html?id=6839&user=guest&pass=guest
tags 604925 + confirmed upstream fixed-upstream
thanks

I committed a slightly different fix that avoids breaking the krb5_pac_verify() API.

http://src.mit.edu/fisheye/changelog/krb5/?cs=24564
Processed: Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
Processing commands for cont...@bugs.debian.org:

> forwarded 604925 http://krbdev.mit.edu/rt/Ticket/Display.html?id=6839&user=guest&pass=guest
Bug #604925 [libgssapi-krb5-2] Squeeze krb5 fails to work with Open Directory KDC tickets
Set Bug forwarded-to-address to 'http://krbdev.mit.edu/rt/Ticket/Display.html?id=6839&user=guest&pass=guest'.
> tags 604925 + confirmed upstream fixed-upstream - moreinfo
Bug #604925 [libgssapi-krb5-2] Squeeze krb5 fails to work with Open Directory KDC tickets
Added tag(s) upstream, confirmed, and fixed-upstream.
Bug #604925 [libgssapi-krb5-2] Squeeze krb5 fails to work with Open Directory KDC tickets
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
604925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
Hi. At today's release meeting, MIT indicated that they are going to set up an OS X test environment to reproduce this problem. They will also look into whether we can ignore the PAC and remove it from the authdata if it fails to verify rather than failing the authentication. There was agreement that if we do that we need to insert a trace point in the PAC code so we can know that the PAC is not verified.
Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
Package: libgssapi-krb5-2
Version: 1.8.3+dfsg-2
Severity: grave
File: /usr/lib/libgssapi_krb5.so.2

My system uses kerberos to authenticate users to ssh. After upgrading a server to squeeze logging in is no longer possible (this could satisfy critical severity). Unfortunately debugging this turned out to be harder than expected, because gssapi is not very precise about what the problem really is. All I can do is post the logs.

Logging in from a (lenny) client that could log in to the same system before the upgrade:

$ ssh -vvv somemachine
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Unspecified GSS failure. Minor code may provide more information
Generic error (see e-text)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
...

Of course I also turned on debugging on the server:

...
Nov 25 13:43:46 someserver sshd[5661]: Set /proc/self/oom_adj to 0
Nov 25 13:43:46 someserver sshd[5661]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Nov 25 13:43:46 someserver sshd[5661]: debug1: inetd sockets after dupping: 3, 3
Nov 25 13:43:46 someserver sshd[5661]: Connection from 10.0.82.2 port 36317
Nov 25 13:43:46 someserver sshd[5661]: debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
Nov 25 13:43:46 someserver sshd[5661]: debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
Nov 25 13:43:46 someserver sshd[5661]: debug1: Enabling compatibility mode for protocol 2.0
Nov 25 13:43:46 someserver sshd[5661]: debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-5+b1
Nov 25 13:43:46 someserver sshd[5661]: debug1: PAM: initializing for root
Nov 25 13:43:46 someserver sshd[5661]: debug1: PAM: setting PAM_RHOST to reverse.dns.of.somemachine
Nov 25 13:43:46 someserver sshd[5661]: debug1: PAM: setting PAM_TTY to ssh
Nov 25 13:43:46 someserver sshd[5661]: Failed none for root from 10.0.82.2 port 36317 ssh2
Nov 25 13:43:46 someserver sshd[5661]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo such file or directory\n
Nov 25 13:43:46 someserver sshd[5661]: debug1: Got no client credentials
...

The origin of the "Unspecified GSS failure." message is src/lib/gssapi/mechglue/g_dsp_status.c, which is a generic error handler. The "Got no client credentials" message originates from sshd itself (gss-serv.c, in ssh_gssapi_accept_ctx) after finding that an error occurred.

Any other information needed? Do you have any ideas for debugging?

Helmut

-- System Information:
Debian Release: squeeze/sid
  APT prefers squeeze-volatile
  APT policy: (500, 'squeeze-volatile'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgssapi-krb5-2 depends on:
ii  libc6            2.11.2-7      Embedded GNU C Library: Shared lib
ii  libcomerr2       1.41.12-2     common error description library
ii  libk5crypto3     1.8.3+dfsg-2  MIT Kerberos runtime libraries - C
ii  libkeyutils1     1.4-1         Linux Key Management Utilities (li
ii  libkrb5-3        1.8.3+dfsg-2  MIT Kerberos runtime libraries
ii  libkrb5support0  1.8.3+dfsg-2  MIT Kerberos runtime libraries - S

libgssapi-krb5-2 recommends no packages.

Versions of packages libgssapi-krb5-2 suggests:
pn  krb5-doc         <none>        (no description available)
ii  krb5-user        1.8.3+dfsg-2  Basic programs to authenticate usi

-- no debconf information
Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
tags 604925 moreinfo
severity 604925 normal
thanks

I'm guessing the "no such file or directory" is probably spurious. What's probably happening is that something in libkrb5 or libgssapi_krb5 is returning -1 in a context where the library believes it is a system call that sets errno. However that's not setting errno for some reason and you're left with whatever happens to be in errno.

I'll admit that this particular failure baffles me. I'm not seeing this myself nor am I seeing other reports so it's probably something specific to your environment. Is your server keyed with a DES key?
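The stale-errno failure mode described in the message above (a function returns -1 without setting errno, so the caller reports whatever an earlier system call left behind, here "No such file or directory") can be reproduced in a few lines. The following is an added example in C and is not code from the bug thread or from MIT krb5; the function names, the use of EINVAL as the "right" error code, and the constructed missing path are all assumptions made for the demonstration.

```c
/* Added example (not from the bug thread or from MIT krb5): shows how a
 * stale errno turns into a misleading "No such file or directory" when a
 * callee signals failure with -1 but never sets errno. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical library-internal check that fails by returning -1 but
 * never touches errno: the failure mode described in the thread. */
static int verify_without_errno(int ok)
{
    return ok ? 0 : -1;
}

/* Corrected variant: every failure sets errno to a meaningful value.
 * (EINVAL is an assumption; the real code would pick its own error.) */
static int verify_with_errno(int ok)
{
    if (ok)
        return 0;
    errno = EINVAL;
    return -1;
}

/* Leave a stale ENOENT in errno, the way an earlier failed open() of a
 * missing file does in a real process. The path is constructed so that
 * the open() fails; nothing is created or read. */
static void poison_errno(void)
{
    int fd = open("/nonexistent/constructed-path", O_RDONLY);
    if (fd >= 0)
        close(fd);   /* not expected: the path is chosen to be missing */
}

/* Caller that treats -1 like a system-call failure and reports errno.
 * Returns the errno value it would have logged. */
static int report_failure(int (*verify)(int))
{
    poison_errno();            /* errno == ENOENT from the failed open() */
    if (verify(0) == -1)
        return errno;          /* buggy callee: stale ENOENT; fixed: EINVAL */
    return 0;
}

/* Defensive caller: clear errno before the call so a stale value cannot be
 * mistaken for the callee's diagnosis. A zero errno after a -1 return is
 * the tell that the callee reported nothing at all. */
static int report_failure_defensively(int (*verify)(int))
{
    poison_errno();
    errno = 0;
    if (verify(0) == -1)
        return errno;
    return 0;
}

int main(void)
{
    printf("buggy callee reports:     %s\n",
           strerror(report_failure(verify_without_errno)));
    printf("fixed callee reports:     %s\n",
           strerror(report_failure(verify_with_errno)));
    printf("defensive caller + buggy: errno=%d (0 means callee set nothing)\n",
           report_failure_defensively(verify_without_errno));
    return 0;
}
```

The first line of output is the misleading "No such file or directory" from the thread; the defensive caller shows the cheap check that distinguishes a real diagnosis from leftover state before it gets wrapped into a GSS minor status and logged.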
Processed: Re: Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
Processing commands for cont...@bugs.debian.org:

> tags 604925 moreinfo
Bug #604925 [libgssapi-krb5-2] /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
Added tag(s) moreinfo.
> severity 604925 normal
Bug #604925 [libgssapi-krb5-2] /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze
Severity set to 'normal' from 'grave'
> thanks
Stopping processing here.

Please contact me if you need assistance.