
Bug #3277

OpenSSH 6.x package doesn't support Kerberos

Added by Predrag Zečević over 6 years ago. Updated about 6 years ago.

Status:
New
Priority:
Normal
Assignee:
Start date:
2012-10-15
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

Hi,

I was positively surprised when I saw OpenSSH packages available on SFE...
Could not wait for explanation, so have installed it (well, wasn't so simple, first had to remove old and then add new packages):

$ pfexec pkg uninstall -v pkg://openindiana.org/service/network/ssh pkg://openindiana.org/network/ssh pkg://openindiana.org/network/ssh/ssh-key

$ pfexec pkg install -v pkg://sfe/network/openssh pkg://sfe/network/openssh/ssh-key pkg://sfe/service/network/openssh

Re-used host key files (irrelevant), and tried to connect to one of our boxes (yes, we use Kerberos/LDAP backend and OLD SunSSH was working):

$ kinit -p predrag_zecevic

$ ssh -v BOX
OpenSSH_6.1p1, OpenSSL 0.9.8x 10 May 2012
debug1: Reading configuration data /export/home/predrag/.ssh/config
debug1: /export/home/predrag/.ssh/config line 6: Applying options for *int
debug1: /export/home/predrag/.ssh/config line 64: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
/etc/ssh/ssh_config line 27: Unsupported option "GSSAPIAuthentication" 
/etc/ssh/ssh_config line 28: Unsupported option "GSSAPIDelegateCredentials" 
...
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic).

and the connection wasn't established.

More interesting, package contents (ssh command) looks just fine:

$ which ssh
/usr/bin/ssh

$ pkg search -l /usr/bin/ssh
INDEX      ACTION VALUE       PACKAGE
path       file   usr/bin/ssh pkg:/network/openssh@6.1.1-0.151.1.7

$ ldd $(which ssh)
        libresolv.so.2 =>        /usr/lib/libresolv.so.2
        libcrypto.so.0.9.8 =>    /usr/lib/libcrypto.so.0.9.8
        libldns.so.1 =>  /usr/lib/libldns.so.1
        libz.so.1 =>     /usr/lib/libz.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libkrb5.so.1 =>  /usr/lib/libkrb5.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libmd.so.1 =>    /lib/libmd.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        mech_krb5.so.1 =>        /usr/lib/gss/mech_krb5.so.1
        libgss.so.1 =>   /usr/lib/libgss.so.1
        libpkcs11.so.1 =>        /usr/lib/libpkcs11.so.1
        libkstat.so.1 =>         /lib/libkstat.so.1
        libcryptoutil.so.1 =>    /lib/libcryptoutil.so.1
        libm.so.2 =>     /lib/libm.so.2

Should I revert, OR is it just something I am missing to set?

Regards.
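The trace above, turned into an added diagnostic that is not part of the report: a shell check that tells a GSSAPI-less OpenSSH client from a working one by the "Unsupported option" lines its config parser emits, rather than by ldd output (the page's own ldd shows libkrb5 and mech_krb5 resolved from /usr/lib even though GSSAPI was not compiled in). The placeholder host name host.invalid and the default /usr/bin/ssh path are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report): decide whether an OpenSSH client
# was built without GSSAPI from what its option parser reports.  The
# "Unsupported option" lines are the reliable signal; ldd is not, because
# libkrb5/mech_krb5 are pulled in through other Solaris libraries even when
# OpenSSH was configured without --with-kerberos5.

# Exit 0 if the client output on stdin rejects any GSSAPI* keyword.
gssapi_unsupported() {
    grep -q 'Unsupported option "GSSAPI'
}

# Print the rejected GSSAPI keywords from the client output on stdin, one per line.
unsupported_gssapi_keywords() {
    sed -n 's/.*Unsupported option "\(GSSAPI[A-Za-z]*\)".*/\1/p'
}

# Probe a real client binary ($1, default /usr/bin/ssh, an assumption).  A
# throwaway config enabling GSSAPI is parsed via -F (so /etc/ssh/ssh_config is
# skipped); the host is a placeholder under the reserved .invalid TLD, so no
# session is opened and only the option parser runs.  Returns 1 when GSSAPI is
# missing, 0 when the keywords are accepted.
probe_ssh_gssapi() {
    ssh_bin=${1:-/usr/bin/ssh}
    conf=$(mktemp) || return 2
    printf 'GSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes\n' > "$conf"
    out=$("$ssh_bin" -F "$conf" -v -o ConnectTimeout=1 host.invalid true 2>&1) || :
    rm -f "$conf"
    if printf '%s\n' "$out" | gssapi_unsupported; then
        echo "$ssh_bin: built without GSSAPI support; rejected keywords:"
        printf '%s\n' "$out" | unsupported_gssapi_keywords
        return 1
    fi
    echo "$ssh_bin: GSSAPI keywords accepted"
    return 0
}

# Constructed samples: the first mirrors the trace in the report, the second is
# what a client with GSSAPI compiled in prints at the same point.
SAMPLE_NO_GSSAPI='debug1: Reading configuration data /etc/ssh/ssh_config
/etc/ssh/ssh_config line 27: Unsupported option "GSSAPIAuthentication"
/etc/ssh/ssh_config line 28: Unsupported option "GSSAPIDelegateCredentials"
Permission denied (publickey,gssapi-with-mic).'
SAMPLE_GSSAPI='debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic'
```

Run `probe_ssh_gssapi /usr/bin/ssh` (or the PREFIX build) to check an installed client; the two samples exercise the parser offline.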

History

#1

Updated by Milan Jurik over 6 years ago

  • Assignee set to Milan Jurik
#2

Updated by Predrag Zečević over 6 years ago

Hi,

I am very interested in progress on this issue.
Any plans?

Regards.

#3

Updated by Milan Jurik over 6 years ago

No plan from my side yet. Help welcomed because I am busy with more important things for me. I recommend reverting for now or investigating yourself if you need a solution asap.

#4

Updated by Predrag Zečević over 6 years ago

Hi again,

if I compile and install Kerberos 5 and then use it for OpenSSH compilation, everything works fine.

It looks like SFE doesn't have a spec file for Kerberos 5, so my question is where the binaries are supposed to go, so I can give it a try?

Thanks and regards.

#5

Updated by Milan Jurik over 6 years ago

Which Kerberos implementation did you use?

#6

Updated by Predrag Zečević over 6 years ago

Hi,

I have used MIT implementation: http://web.mit.edu/kerberos/ (krb5-1.10.3),

$ ./configure --prefix=/opt/sfw/kerberos5 --with-ldap # prefix used just for testing purposes

# From config.log:
...
configure:2847: /opt/solstudio12.2/bin/cc -m32 -V >&5
cc: Sun C 5.11 SunOS_i386 2010/08/13
...

One of my doubts: where to install the MIT Kerberos 5 package(s), so it can be used in parallel with the OI one?
(maybe /usr/sfw/kerberos-5, and a new spec file has to be created)

Regards.

#7

Updated by Predrag Zečević over 6 years ago

Hi,

just FYI, krb5-1.11 compiles equally easily as krb5-1.10.3 (using the same compiler and the same options), and the LDAP libraries are NOT from OpenLDAP (installed) but the OI bundled (from Solaris/OpenSolaris NSS) ones...

Regards.

#8

Updated by Predrag Zečević about 6 years ago

Managed to compile:
  • OpenLDAP 2.4.35
  • OpenSSL 1.0.1e
  • MIT Kerberos 5 1.11.1
  • OpenSSH 6.2p1

together, using solarisstudio12.3 (not sure if that was clever, but anyway).

The PREFIX variable contains the destination directory (I didn't want to mess up existing s/w; even the build was done in a zone), and I have configured /var/ld/ld.config (using the crle command) to have ${PREFIX}/lib in front of the path.

Software was compiled using '-m32' switch (only 32bit binaries).

  • OpenSSL
    ./Configure --openssldir=${PREFIX} \
    solaris-x86-cc shared zlib zlib-dynamic
    PATH=/opt/solarisstudio12.3/bin:${PATH} gmake
    PATH=/opt/solarisstudio12.3/bin:${PATH} pfexec gmake install
  • OpenLDAP
    ./configure --prefix=${PREFIX} \
    --with-tls=openssl \
    --enable-mdb=no \
    --enable-crypt
    gmake depend
    gmake
    pfexec gmake install
  • MIT Kerberos-5
    ./configure --prefix=${PREFIX} \
    --sysconfdir=${PREFIX}/etc/krb5 \
    --with-ldap \
    --with-readline
    gmake
    pfexec gmake install
  • OpenSSH
    ./configure --prefix=${PREFIX} \
    --sysconfdir=${PREFIX}/etc/openssh \
    --with-kerberos5=${PREFIX} \
    --with-ssl-dir=${PREFIX} \
    --with-pam \
    --with-xauth=/usr/bin/xauth \
    --with-md5-passwords \
    --with-mantype=man
    gmake
    pfexec gmake install

For OpenSSH, I have adapted the manifest and method files, so I can post them here if required (it wasn't so heavy).

$ svcs -a | grep ssh
disabled May_06 svc:/network/ssh:default
online May_06 svc:/network/openssh:default

$ ssh -VV
OpenSSH_6.2p1, OpenSSL 1.0.1e 11 Feb 2013

NOTE: put PREFIX in front of the PATH variable, so the new package will be used.

I had to adapt a few more things (super user role needed):

  1. OpenLDAP configuration is sym-linked to /etc/openldap:
    ln -s /etc/openldap ${PREFIX}/etc/openldap
  2. Kerberos setup also:
    ln -s /etc/krb5 ${PREFIX}/etc/krb5
  3. OpenSSH uses ${PREFIX}/etc/openssh as configuration directory (I just copied the host key from the system-wide location; it is convenient).

Now I can use the latest s/w in our kerberized environment... Just FYI.

Regards.
