
Bug#240953: marked as done (ssh: broken pam_krb5)



Your message dated Tue, 11 Jan 2005 01:14:08 +0000
with message-id <20050111011408.GD26924@riva.ucam.org>
and subject line Bug#240953: ssh: broken pam_krb5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 30 Mar 2004 01:58:27 +0000
From: Ryan Underwood <nemesis@dbz.icequake.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: broken pam_krb5
X-Mailer: reportbug 2.55
Date: Mon, 29 Mar 2004 19:58:24 -0600
Message-Id: <E1B88WG-0001WK-00@dbz>

Package: ssh
Version: 1:3.8p1-2
Severity: normal


Usage of OpenSSH with pam_krb5 has been broken for some versions now.
The fix suggested by OpenAFS mailing list is to build OpenSSH with
pthread support (so auth-pam.c will use real threads instead of
simulating threads with child processes).  However, after doing so, sshd
no longer functions properly:
Mar 29 18:45:18 zephyr sshd[29706]: fatal: buffer_get: trying to get
more bytes 4 than in buffer 0

I'm not sure if this is related to the Debian package, or a bug for
upstream, since others claimed it was working for them.

The patch for building w/pthread is here:
http://msgs.securepoint.com/cgi-bin/get/openssh-unix-dev-0402/61.html


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.25
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages ssh depends on:
ii  adduser                     3.51         Add and remove users and groups
ii  debconf                     1.4.16       Debian configuration management sy
ii  dpkg                        1.10.20      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-11 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-15      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-15      Runtime support for the PAM librar
ii  libpam0g                    0.76-15      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7c-5     SSL shared libraries
ii  libwrap0                    7.6-ipv6.1-3 Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.1-5    compression library - runtime

-- debconf information:
  ssh/insecure_rshd: 
  ssh/privsep_ask: true
  ssh/user_environment_tell: 
* ssh/forward_warning: 
  ssh/insecure_telnetd: 
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/SUID_client: true
* ssh/privsep_tell: 
  ssh/ssh2_keys_merged: 
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen: 
* ssh/run_sshd: true

---------------------------------------
Received: (at 240953-done) by bugs.debian.org; 11 Jan 2005 03:23:10 +0000
Date: Tue, 11 Jan 2005 01:14:08 +0000
From: Colin Watson <cjwatson@debian.org>
To: 240953-done@bugs.debian.org
Subject: Re: Bug#240953: ssh: broken pam_krb5
Message-ID: <20050111011408.GD26924@riva.ucam.org>
References: <E1B88WG-0001WK-00@dbz> <20040330025306.GB32058@riva.ucam.org> <20040330123218.GA15217@dbz.icequake.net>
In-Reply-To: <20040330123218.GA15217@dbz.icequake.net>

On Tue, Mar 30, 2004 at 06:32:18AM -0600, Ryan Underwood wrote:
> On Tue, Mar 30, 2004 at 03:53:06AM +0100, Colin Watson wrote:
> > On Mon, Mar 29, 2004 at 07:58:24PM -0600, Ryan Underwood wrote:
> > > Usage of OpenSSH with pam_krb5 has been broken for some versions now.
> > 
> > Don't you have to use ssh-krb5 for this?
> 
> No.  I had a working setup that was broken at ssh 3.7*.  This is
> different from GSS-API krb5 which has kerberos support compiled directly
> into the ssh server.
> 
> pam_krb5 is used at auth and session stages to verify the user's
> password with the MIT krb5 server and to create a credentials cache.
> The privsep and related work has changed the way pam modules are run,
> which causes pam_krb5 to not be able to pass the credentials to the
> user's eventual shell.  Thus, the user can pass authentication against
> the kerberos server, but when he gets a shell, he has no credentials.
> 
> Building ssh with pthreads is a claimed fix by many people, but building
> the Debian version with that patch gave the aforementioned error when a
> user tries to log in.  A similar fix is in SuSE 9.0 and Gentoo it seems.

On the advice of the Debian PAM maintainer, I enabled POSIX threads in
openssh 1:3.8.1p1-8.sarge.3 / 1:3.8.1p1-13. Let me know if you still
have the aforementioned login problem with these packages.

openssh (1:3.8.1p1-8.sarge.3) unstable; urgency=low

  * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
  * debconf template translations:
    - Update Dutch (thanks, cobaco; closes: #278715).
  * Correct README.Debian's ForwardX11Trusted description (closes: #280190).

 -- Colin Watson <cjwatson@debian.org>  Fri, 12 Nov 2004 10:31:12 +0000

openssh (1:3.8.1p1-13) experimental; urgency=low

  * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
  * debconf template translations:
    - Update Dutch (thanks, cobaco; closes: #278715).
  * Correct README.Debian's ForwardX11Trusted description (closes: #280190).

 -- Colin Watson <cjwatson@debian.org>  Fri, 12 Nov 2004 12:03:13 +0000

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
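
The thread above turns on whether the PAM auth stage runs in a child process or in a real thread. The following is an added illustration, not part of the original messages and not code from OpenSSH or pam_krb5: it shows the general effect that state written by a forked child never reaches the parent, while state written by a thread does. The struct, function names and cache path are hypothetical stand-ins.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for state a PAM auth module leaves on the handle;
 * not libpam's or OpenSSH's real types. */
struct fake_pam_handle {
    char ccache[64];            /* would become KRB5CCNAME for the shell */
};

/* Stand-in for the auth stage: record the (constructed) cache path. */
static void *fake_auth_step(void *arg)
{
    struct fake_pam_handle *h = arg;
    snprintf(h->ccache, sizeof(h->ccache), "FILE:/tmp/krb5cc_constructed");
    return NULL;
}

/* Auth stage in a forked child: the write lands in the child's copy. */
int ccache_visible_after_fork(void)
{
    struct fake_pam_handle h = { "" };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fake_auth_step(&h);
        _exit(0);
    }
    return waitpid(pid, NULL, 0) < 0 ? -1 : h.ccache[0] != '\0';
}

/* Auth stage in a real thread: same address space, the state survives. */
int ccache_visible_after_thread(void)
{
    struct fake_pam_handle h = { "" };
    pthread_t t;
    if (pthread_create(&t, NULL, fake_auth_step, &h) != 0)
        return -1;
    return pthread_join(t, NULL) != 0 ? -1 : h.ccache[0] != '\0';
}

int main(void)
{
    printf("fork:   session stage sees ccache = %d\n", ccache_visible_after_fork());
    printf("thread: session stage sees ccache = %d\n", ccache_visible_after_thread());
    return 0;
}
```

Build with `cc -pthread`; the fork case reports 0 and the thread case reports 1.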


