Re: OpenSSH: Password/Key + Kerberos Authentication
Hi all,
On RH 8.0 a few things have probably changed which influence the behavior
of the functions generating unique temporary files. This has consequences for
the krb ticket manipulating routines. We are running OpenSSH 3.5p1 against
krb4 and have solved this problem by the change attached below. My
colleague sent this patch, which I wrote a few days ago, to the OpenSSH developers, so
I hope some form of it will be included in the next release.
Best regards,
David Komanek
Charles University in Prague
Faculty of Science
CZ
- excerpt from the patch submission
Dear developers,
Recently I tried to compile kerberos4 authentication support in
openssh-3.5p1 on Redhat 8.0; unfortunately authentication against a
kerberos server in a kerberos4 realm doesn't work well, probably due to
a bug in auth-krb4.c. My colleague David Komanek wrote a patch to this
file solving the problem, so credit goes to him. I'm sending this here,
believing that it can help somebody else.
PROBLEM DESCRIPTION:
The SSH daemon isn't able to authenticate a user against the kerberos4 server,
although it accepts an already authenticated ssh client user with a valid
ticket (a client already authenticated via the 'kinit' command, supported only
when using the ssh client with ssh protocol version 1).
The daemon logs: "WARNING: bad ticket file /tmp/tkt500_22696" and
"Couldn't initialize Kerberos ticket file for user!" - and goes on to the
next authentication method (local password).
SOLUTION
The problem lies in the use of the function mkstemp() in auth-krb4.c. We didn't
test this on other Linux distributions, but most probably a change in the
libc library in Redhat 8.0 results in mkstemp() returning an error.
PATCH
- ../openssh-3.5p1/auth-krb4.c 2002-09-27 05:26:00.000000000 +0200
--- auth-krb4.c 2003-02-12 14:52:43.000000000 +0100
- 58,63 ****
tkt_root = "/ticket/";
#endif /* AFS */
! snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
tkt_root, authctxt->pw->pw_uid, (long)getpid());
krb_set_tkt_string(authctxt->krb4_ticket_file);
}
--- 58,66 ----
tkt_root = "/ticket/";
#endif /* AFS */
! char docasny[MAXPATHLEN + 1];
! snprintf(docasny, MAXPATHLEN, "%s%u_%ld_XXXXXX",
tkt_root, authctxt->pw->pw_uid, (long)getpid());
+ snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s", mktemp(docasny));
+ memset(docasny, '\0', MAXPATHLEN);
krb_set_tkt_string(authctxt->krb4_ticket_file);
}
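Review bot: the root cause is visible in the old snprintf template "%s%u_%ld": it has no trailing XXXXXX, which glibc's mkstemp() requires, so the call fails with EINVAL before any file is created. The new lines add the "_XXXXXX" suffix but then call mktemp(docasny), which only generates a name and does not create the file, so name generation and file creation are split apart (the time-of-check/time-of-use window in a shared /tmp that mkstemp() exists to close), and mktemp()'s failure result, an empty string, is copied unchecked into krb4_ticket_file. Suggest keeping mkstemp() and simply fixing the template: `snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld_XXXXXX", tkt_root, authctxt->pw->pw_uid, (long)getpid());` with the existing mkstemp() call in the second hunk left as it was. Minor: `char docasny[MAXPATHLEN + 1];` is declared after statements, which C89 compilers reject, and the memset clears MAXPATHLEN bytes of a MAXPATHLEN + 1 buffer.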
- 68,72 ****
}
/* Try to create our ticket file. */
! if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
close(fd);
return (1);
--- 71,75 ----
}
/* Try to create our ticket file. */
! if ((fd = open(authctxt->krb4_ticket_file, O_RDWR | O_EXCL | O_CREAT)) >= 0) {
close(fd);
return (1);
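Review bot: `open(authctxt->krb4_ticket_file, O_RDWR | O_EXCL | O_CREAT)` is missing the mode argument that O_CREAT requires, so the permission bits of the ticket file come from whatever happens to sit in the variadic slot; the file holds the user's Kerberos credentials and must be created owner-only, e.g. `open(authctxt->krb4_ticket_file, O_RDWR | O_CREAT | O_EXCL, 0600)`. The mkstemp() call being removed already did exactly this (O_CREAT | O_EXCL with mode 0600, atomically with name generation), so once the template in the first hunk carries the "_XXXXXX" suffix there is no reason to replace it. If open() is kept, confirm that auth-krb4.c includes <fcntl.h> for the O_* flags.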
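As an added example, not code from the original patch or from OpenSSH, the following shows why the report's template fails and how the same ticket path can be created safely in one call: `create_ticket_file` appends the XXXXXX suffix and lets mkstemp() create the 0600 file atomically, `mkstemp_without_xxxxxx` reproduces the EINVAL from the original "%s%u_%ld" template, and `ticket_file_demo` checks the result (the uid 500 / pid 22696 values and the /tmp/tkt prefix are taken from the log line in the report; TKT_PATHLEN is an assumed stand-in for MAXPATHLEN).

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TKT_PATHLEN 1024   /* assumed stand-in for OpenSSH's MAXPATHLEN */
/* Build the ticket path the way auth-krb4.c does, but with the trailing XXXXXX
 * that mkstemp() requires, and let mkstemp() create the file atomically
 * (O_CREAT|O_EXCL, mode 0600). Returns the fd and copies the path into out. */
int create_ticket_file(const char *tkt_root, unsigned uid, long pid,
                       char *out, size_t outlen)
{
    char tmpl[TKT_PATHLEN + 1];
    int n = snprintf(tmpl, sizeof tmpl, "%s%u_%ld_XXXXXX", tkt_root, uid, pid);
    if (n < 0 || (size_t)n >= sizeof tmpl || (size_t)n >= outlen) return -1; /* truncated */
    int fd = mkstemp(tmpl);             /* fills in XXXXXX; no name/create race */
    if (fd < 0) return -1;
    memcpy(out, tmpl, (size_t)n + 1);
    return fd;
}

/* The failure from the report: the original "%s%u_%ld" template ends in
 * digits, not XXXXXX, so glibc/musl mkstemp() fails with EINVAL. Returns errno. */
int mkstemp_without_xxxxxx(void)
{
    char path[TKT_PATHLEN + 1];
    snprintf(path, sizeof path, "/tmp/tkt%u_%ld", 500u, 22696L); /* name from the log line */
    int fd = mkstemp(path);
    if (fd >= 0) { close(fd); unlink(path); return 0; }
    return errno;
}

/* Create a ticket file for uid 500 / pid 22696 (values from the report),
 * check the name prefix and owner-only mode, then remove it. Returns 1 if all ok. */
int ticket_file_demo(void)
{
    char path[TKT_PATHLEN + 1];
    struct stat st;
    int fd = create_ticket_file("/tmp/tkt", 500u, 22696L, path, sizeof path);
    if (fd < 0) return 0;
    int ok = strncmp(path, "/tmp/tkt500_22696_", 18) == 0 &&
             fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
    close(fd);
    unlink(path);
    return ok;
}
```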
Received on Wed Feb 26 19:01:07 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:55 EDT