[OpenAFS] Re: ssh+afs logins fail on IRIX 6.5.15
David R. Steiner
david.r.steiner@Dartmouth.EDU
Wed, 29 May 2002 16:36:12 -0400
On Wed, May 29, 2002 at 09:21:03AM -0400, Dr A V Le Blanc
<LeBlanc@mcc.ac.uk> wrote:
>On Tue, 28 May 2002 15:42:58 -0400,
>"David R. Steiner" <david.r.steiner@Dartmouth.EDU> wrote:
>> I can build OpenSSH and it works fine when the user who is logging in
>> has a local account. When a user with an AFS account tries to log in,
>> however it fails with "Permission denied". AFS users can login ok
>> from the console.
>>
>> Running 'sshd -d' on the server shows that the Kerberos
>> authentication fails with "Principal unknown" (see debug output
>> below).
>
>This is a bug in OpenSSH, which has been reported and ignored
>for a long time. In auth-krb4.c you'll find a note saying
>
> * Now that we have a TGT, try to get a local
> * "rcmd" ticket to ensure that we are not talking
> * to a bogus Kerberos server.
>
>I don't think this works with Transarc kaservers, and the symptoms
>are as you describe. I had to delete this section in my ssh source.
I was sort of aware of this part. There is another administrator on
campus who has successfully built sshd on IRIX, and his fix is to add
a 'return(1)' statement just before the section you refer to, which
should bypass the code section that you commented out.
>Also, since I presume you are using kth kerberos 4, be sure you have
>the right entries in /etc/krb.conf and /etc/krb.realms.
Ok, so here is the part that shows my ignorance of kerberos. :-/ I
did not have these files installed. After installing krb.conf, I was
able to authenticate and log in (hurray!) but things are still not
working quite right. I end up in my proper login directory but don't
seem to have authorization to run my .cshrc file (~/.cshrc is a
symlink to ~/private/.cshrc which is 755). The 'tokens' command does
not list any tokens held by the Cache Manager.
So have I missed yet another simple thing?
Here is what I am seeing on the client side:
[drs-g4:~] user1% ssh -v user1@myhost
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 501 geteuid 501 anon 1
debug1: Connecting to myhost [123.45.67.89] port 22.
debug1: restore_uid
debug1: restore_uid
debug1: Connection established.
debug1: identity file /Users/user1/.ssh/identity type -1
debug1: identity file /Users/user1/.ssh/id_rsa type -1
debug1: identity file /Users/user1/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.2.2p1
debug1: match: OpenSSH_3.2.2p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 126/256
debug1: bits set: 1613/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'myhost' is known and matches the RSA host key.
debug1: Found key in /Users/user1/.ssh/known_hosts:6
debug1: bits set: 1561/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /Users/user1/.ssh/identity
debug1: try privkey: /Users/user1/.ssh/id_rsa
debug1: try privkey: /Users/user1/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue:
publickey,password,keyboard-interactive
debug1: next auth method to try is password
user1@myhost's password:
debug1: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64)
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug3: Trying to reverse map address 129.170.18.181.
Last login: Wed May 29 15:50:58 2002 from some.where.dartmouth.edu
Environment:
USER=user1
LOGNAME=user1
HOME=/afs/northstar/ufac/user1
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/afsws/bin:/usr/ssh/bin:/usr/local/bin
MAIL=/usr/mail//user1
SHELL=/bin/tcsh
TZ=EST5EDT
SSH_CLIENT=123.45.67.89 49299 22
SSH_TTY=/dev/ttyq5
TERM=vt100
KRBTKFILE=/tmp/tkt12814_120227
debug3: channel_close_fds: channel 0: r -1 w -1 e -1
> tokens
Tokens held by the Cache Manager:
--End of list--
> pwd
/afs/northstar.dartmouth.edu/ufac/user1
> ls private
Cannot access directory private: Permission denied
>
--
David R. Steiner david.r.steiner@dartmouth.edu
UNIX System Manager Phone: 603.646.3127
Dartmouth College Fax: 603.646.1041
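The session above shows the pattern this thread is circling: password
authentication succeeds, sshd exports KRBTKFILE (so a Kerberos 4 ticket
file exists), yet 'tokens' reports an empty list and the AFS home directory
is unreadable. The following is an added example, not code from the thread
or from OpenAFS/OpenSSH: a small POSIX shell check that a site could run
from a login script to tell "ticket but no AFS token" apart from "no
credentials at all". It assumes the OpenAFS 'tokens' output format (a
"tokens for afs@cell" line per token between the header and
"--End of list--"); the sample 'tokens' output and the ticket file it is
run against are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): classify the credential state after
# an ssh login into an AFS home directory.
#
# Assumed 'tokens' output format (OpenAFS):
#   Tokens held by the Cache Manager:
#   User's (AFS ID 1234) tokens for afs@cell.example [Expires May 30 02:00]
#      --End of list--

# has_afs_token: read 'tokens' output on stdin; succeed if at least one
# token line is present, fail on an empty list.
has_afs_token() {
    grep -qi 'tokens for afs@'
}

# has_krb_ticket: succeed if $1 (the KRBTKFILE value) names an existing,
# non-empty ticket file.
has_krb_ticket() {
    [ -n "$1" ] && [ -s "$1" ]
}

# classify TICKET_FILE TOKENS_OUTPUT: print a one-word diagnosis.
classify() {
    tkt="$1"
    tokens_out="$2"
    if has_krb_ticket "$tkt"; then krb=yes; else krb=no; fi
    if printf '%s\n' "$tokens_out" | has_afs_token; then afs=yes; else afs=no; fi
    case "$krb/$afs" in
        yes/yes) echo ok ;;                    # ticket and token both present
        yes/no)  echo ticket-but-no-token ;;   # the symptom in this thread
        no/yes)  echo token-only ;;            # token survived, ticket gone/expired
        *)       echo no-credentials ;;
    esac
}

# Constructed sample data: the empty list seen in the session above, and
# what a healthy login would show.
EMPTY_TOKENS='Tokens held by the Cache Manager:
   --End of list--'
FULL_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@cell.example [Expires May 30 02:00]
   --End of list--"

# Demo: a constructed ticket file standing in for the real KRBTKFILE.
demo_tkt="${TMPDIR:-/tmp}/krbtkt_demo.$$"
printf 'constructed ticket bytes\n' > "$demo_tkt"
echo "after login, empty token list: $(classify "$demo_tkt" "$EMPTY_TOKENS")"
echo "healthy login:                 $(classify "$demo_tkt" "$FULL_TOKENS")"
echo "no KRBTKFILE at all:           $(classify "" "$EMPTY_TOKENS")"
rm -f "$demo_tkt"
```

On a live system the call would be `classify "$KRBTKFILE" "$(tokens)"`. A
result of ticket-but-no-token means Kerberos authentication worked but
nothing converted the ticket into an AFS token at login, so the Cache
Manager treats the user as anonymous and the AFS home directory is
unreadable; that conversion step (for example OpenAFS's aklog, or the
token-acquisition code in the ssh build itself) is what has to be checked
next. The check is read-only and acquires no credentials.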