[OpenAFS] Re: ssh+afs logins fail on IRIX 6.5.15

David R. Steiner david.r.steiner@Dartmouth.EDU
Wed, 29 May 2002 16:36:12 -0400


>On Wed, May 29, 2002 at 09:21:03AM -0400, Dr A V Le Blanc 
><LeBlanc@mcc.ac.uk> wrote:
>On Tue, 28 May 2002 15:42:58 -0400,
>"David R. Steiner" <david.r.steiner@Dartmouth.EDU> wrote:
>>  I can build OpenSSH and it works fine when the user who is logging in
>>  has a local account. When a user with an AFS account tries to log in,
>>  however, it fails with "Permission denied". AFS users can log in OK
>>  from the console.
>>
>>  Running 'sshd -d' on the server shows that the Kerberos
>>  authentication fails with "Principal unknown" (see debug output
>>  below).
>
>This is a bug in OpenSSH, which has been reported and ignored
>for a long time.  In auth-krb4.c you'll find a note saying
>
>         * Now that we have a TGT, try to get a local
>         * "rcmd" ticket to ensure that we are not talking
>         * to a bogus Kerberos server.
>
>I don't think this works with Transarc kaservers, and the symptoms
>are as you describe.  I had to delete this section in my ssh source.

I was sort of aware of this part. There is another administrator on 
campus who has successfully built sshd on IRIX, and his fix is to add 
a 'return(1)' statement just before the section you refer to, which 
should bypass the code section that you commented out.

>Also, since I presume you are using kth kerberos 4, be sure you have
>the right entries in /etc/krb.conf and /etc/krb.realms.

Ok, so here is the part that shows my ignorance of kerberos. :-/ I 
did not have these files installed. After installing krb.conf, I was 
able to authenticate and log in (hurray!) but things are still not 
working quite right. I end up in my proper login directory but don't 
seem to have authorization to run my .cshrc file (~/.cshrc is a 
symlink to ~/private/.cshrc which is 755). The 'tokens' command does 
not list any tokens held by the Cache Manager.

So have I missed yet another simple thing?

Here is what I am seeing on the client side:

[drs-g4:~] user1% ssh -v user1@myhost
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 501 geteuid 501 anon 1
debug1: Connecting to myhost [123.45.67.89] port 22.
debug1: restore_uid
debug1: restore_uid
debug1: Connection established.
debug1: identity file /Users/user1/.ssh/identity type -1
debug1: identity file /Users/user1/.ssh/id_rsa type -1
debug1: identity file /Users/user1/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.2.2p1
debug1: match: OpenSSH_3.2.2p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 126/256
debug1: bits set: 1613/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'myhost' is known and matches the RSA host key.
debug1: Found key in /Users/user1/.ssh/known_hosts:6
debug1: bits set: 1561/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /Users/user1/.ssh/identity
debug1: try privkey: /Users/user1/.ssh/id_rsa
debug1: try privkey: /Users/user1/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
user1@myhost's password:
debug1: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64)
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug3: Trying to reverse map address 129.170.18.181.
Last login: Wed May 29 15:50:58 2002 from some.where.dartmouth.edu
Environment:
   USER=user1
   LOGNAME=user1
   HOME=/afs/northstar/ufac/user1
   PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/afsws/bin:/usr/ssh/bin:/usr/local/bin
   MAIL=/usr/mail//user1
   SHELL=/bin/tcsh
   TZ=EST5EDT
   SSH_CLIENT=123.45.67.89 49299 22
   SSH_TTY=/dev/ttyq5
   TERM=vt100
   KRBTKFILE=/tmp/tkt12814_120227
debug3: channel_close_fds: channel 0: r -1 w -1 e -1
>  tokens

Tokens held by the Cache Manager:

    --End of list--
>  pwd
/afs/northstar.dartmouth.edu/ufac/user1
>  ls private
Cannot access directory private: Permission denied
>

-- 
David R. Steiner                               david.r.steiner@dartmouth.edu
UNIX System Manager                            Phone:  603.646.3127
Dartmouth College                              Fax:     603.646.1041
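As an added diagnostic (my own, not from the thread or from the OpenSSH/OpenAFS sources), a small sh script that checks the three things this login turned out to hinge on: the kth-krb4 krb.conf/krb.realms files being present, a krb4 ticket cache at KRBTKFILE, and an AFS token in the `tokens` output. The function names and the sample `tokens` output are constructed; the 'tokens for afs@' match assumes the usual OpenAFS tokens line format.

```shell
#!/bin/sh
# Hypothetical post-login check for the three failure points in the thread:
# missing krb4 client config, no krb4 ticket cache, and no AFS token.
# Not from the thread or OpenSSH/OpenAFS; function names are my own.

# Constructed sample 'tokens' output: what the thread shows (no token) and
# what a working login shows (one token for the cell).
SAMPLE_NO_TOKENS='Tokens held by the Cache Manager:

    --End of list--'
SAMPLE_ONE_TOKEN="Tokens held by the Cache Manager:

User's (AFS ID 12345) tokens for afs@example.cell [Expires May 30 03:21]
   --End of list--"

# kth-krb4 client config: krb.conf and krb.realms must both be present and
# non-empty. Takes the directory to inspect so it can be tested on a temp dir.
krb4_config_ok() {
    dir=${1:-/etc}
    for f in krb.conf krb.realms; do
        [ -s "$dir/$f" ] || { echo "missing or empty $dir/$f" >&2; return 1; }
    done
    return 0
}

# Read 'tokens' output on stdin; succeed only if a token line is present.
# Output that goes straight to "--End of list--" means no token was set.
has_afs_tokens() {
    grep -q 'tokens for afs@'
}

# sshd exported KRBTKFILE, so password auth reached the KA server; a ticket
# cache with no AFS token is exactly the state the thread shows.
krb4_tktfile_ok() {
    [ -n "$KRBTKFILE" ] && [ -s "$KRBTKFILE" ]
}

# Live check, run from a fresh ssh session; only calls 'tokens' if installed.
# Usage: . ./afs_login_check.sh && afs_login_check
afs_login_check() {
    rc=0
    krb4_config_ok /etc || rc=1
    krb4_tktfile_ok || { echo "KRBTKFILE unset or empty: no krb4 ticket" >&2; rc=1; }
    if command -v tokens >/dev/null 2>&1; then
        tokens | has_afs_tokens \
            || { echo "no AFS token: AFS home dir ACLs will deny access" >&2; rc=1; }
    fi
    return $rc
}
```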