Kerberos, external-keyx authentication, Mac OS X - SSH



Thread: Kerberos, external-keyx authentication, Mac OS X

  1. Kerberos, external-keyx authentication, Mac OS X

    Hello:

    I am trying to build OpenSSH with Kerberos support on my iBook and
    having a lot of trouble.

    The configure script lists a --with-kerberos5 option, and if I compile
    with this, the libraries are found and I get this at the end of
    configure:

    OpenSSH has been configured with the following options:
    User binaries: /usr/bin
    System binaries: /usr/sbin
    Configuration files: /usr/etc
    Askpass program: /usr/libexec/ssh-askpass
    Manual pages: /usr/share/man/manX
    PID file: /var/run
    Privilege separation chroot path: /var/empty
    sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
    Manpage format: doc
    PAM support: no
    OSF SIA support: no
    KerberosV support: yes
    SELinux support: no
    Smartcard support: no
    S/KEY support: no
    TCP Wrappers support: no
    MD5 password support: no
    libedit support: no
    Solaris process contract support: no
    IP address in $DISPLAY hack: no
    Translate v4 in v6 hack: no
    BSD Auth support: no
    Random number source: OpenSSL internal ONLY

    Host: powerpc-apple-darwin7.9.0
    Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
    Preprocessor flags: -I/usr/include -I/usr/local/include -I/usr/local/include/gssapi
    Linker flags: -L/usr/lib -L/usr/local/lib
    Libraries: -lcrypto -lz -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err

    This looks good, and "make; make install" succeeds without a hitch,
    but still, the final product seems to have no concept of the
    "external-keyx" authentication which the Fermi Lab server is trying to
    use. In detail:

    crs@crsibook: ssh -v -Y crs@server.gov -o "PreferredAuthentications external-keyx"
    OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
    debug1: Reading configuration data /Users/crs/.ssh/config
    debug1: Reading configuration data /usr/etc/ssh_config
    debug1: Connecting to server.gov [...] port 22.
    debug1: Connection established.
    debug1: identity file /Users/crs/.ssh/identity type -1
    debug1: identity file /Users/crs/.ssh/id_rsa type 1
    debug1: identity file /Users/crs/.ssh/id_dsa type -1
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1f12
    debug1: match: OpenSSH_3.5p1f12 pat OpenSSH_3.*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.6
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'server.gov' is known and matches the RSA host key.
    debug1: Found key in /Users/crs/.ssh/known_hosts:26
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: external-keyx,gssapi,keyboard-interactive
    debug1: No more authentication methods to try.
    Permission denied (external-keyx,gssapi,keyboard-interactive).

    For comparison, a successful login on a Linux machine using an older
    version of OpenSSH looks like this:

    crs@crs1 hmc: ssh35p1f12 -v -X server.gov -o "PreferredAuthentications external-keyx"
    OpenSSH_3.5p1f12, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
    31505: debug1: Reading configuration data .../.ssh/config
    31505: debug1: Reading configuration data /etc/ssh/ssh_config
    31505: debug1: Applying options for *
    31505: debug1: Rhosts Authentication disabled, originating port will not be trusted.
    31505: debug1: ssh_connect: needpriv 0
    31505: debug1: Connecting to server.gov [...] port 22.
    31505: debug1: Connection established.
    31505: debug1: identity file .../crs/.ssh/identity type -1
    31505: debug1: identity file .../crs/.ssh/id_rsa type -1
    31505: debug1: identity file .../crs/.ssh/id_dsa type -1
    31505: debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1f12
    31505: debug1: match: OpenSSH_3.5p1f12 pat OpenSSH*
    31505: debug1: Enabling compatibility mode for protocol 2.0
    31505: debug1: Local version string SSH-2.0-OpenSSH_3.5p1f12
    31505: debug1: SSH2_MSG_KEXINIT sent
    31505: debug1: SSH2_MSG_KEXINIT received
    31505: debug1: kex: server->client aes128-cbc hmac-md5 none
    31505: debug1: kex: client->server aes128-cbc hmac-md5 none
    31505: debug1: dh_gen_key: priv key bits set: 124/256
    31505: debug1: bits set: 543/1024
    31505: debug1: Calling gss_init_sec_context
    31505: debug1: Delegating credentials
    31505: debug1: Received GSSAPI_COMPLETE
    31505: debug1: Calling gss_init_sec_context
    31505: debug1: Delegating credentials
    31505: debug1: bits set: 516/1024
    31505: debug1: kex_derive_keys
    31505: debug1: newkeys: mode 1
    31505: debug1: SSH2_MSG_NEWKEYS sent
    31505: debug1: waiting for SSH2_MSG_NEWKEYS
    31505: debug1: newkeys: mode 0
    31505: debug1: SSH2_MSG_NEWKEYS received
    31505: debug1: done: ssh_kex2.
    31505: debug1: send SSH2_MSG_SERVICE_REQUEST
    31505: debug1: service_accept: ssh-userauth
    31505: debug1: got SSH2_MSG_SERVICE_ACCEPT
    31505: debug1: authentications that can continue: external-keyx,gssapi,keyboard-interactive
    31505: debug1: next auth method to try is external-keyx
    31505: debug1: ssh-userauth2 successful: method external-keyx
    31505: debug1: channel 0: new [client-session]
    31505: debug1: send channel open 0
    31505: debug1: Entering interactive session.

    I am trying to use the most recent version of OpenSSH, 4.6p1, but I
    have also tried with the 3.5p1, which the server uses, and have the
    same problem. I have looked online for help and not been able to find
    it. ... I would appreciate any help you can give me.


  2. Re: Kerberos, external-keyx authentication, Mac OS X


    > Hello:
    > I am trying to build OpenSSH with Kerberos support on my iBook and
    > having a lot of trouble.
    >
    > The configure script lists --with-kerberos5 option and if I compile
    > with this, the libraries are found and I get this at the end of
    > configure
    > [...]
    >
    > I am trying to use the most recent version of OpenSSH, 4.6p1, but I
    > have also tried with the 3.5p1, which the server uses, and have the
    > same problem. I have looked online for help and not been able to find
    > it. ... I would appreciate any help you can give me.


    Short answer: stock OpenSSH does not support external-keyx authentication.

    Explanation: external-keyx is an older name for what is now called
    gssapi-keyex (the modern method is also improved technically). SSH
    authentication proceeds in two phases. First, during a part of connection
    setup called the "key exchange," the client authenticates the server, to
    prevent spoofing and man-in-the-middle attacks. Later on, the server
    authenticates the client, in order to grant access to resources
    (e.g. allow you to log in to some account). If you use Kerberos in the
    first phase, to authenticate the server, then because of the way Kerberos
    works you authenticate the client as well in the same exchange. The
    gssapi-keyex client authentication method says, "Look -- you already
    authenticated me during the key exchange; just look at that and let me
    in."

    Note that gssapi-keyex is not the only way to get kerberized client
    authentication; it's just an optimization in case you happen to have used
    Kerberos during the key exchange. You can always just use Kerberos
    directly. This is what the gssapi-with-mic method does. Similarly, this
    method has an older version called just "gssapi", which is now deprecated
    and often no longer implemented because of security problems.

    OpenSSH as it comes from openssh.com supports Kerberos only for client
    authentication, not server, and hence does not implement gssapi-keyex.
    However, there are common derivatives of OpenSSH which do implement both.
    There is a patch which adds both to OpenSSH:

    http://www.sxw.org.uk/computing/patches/openssh.html

    In addition, the Debian ssh-krb5 package and the OS X build of OpenSSH
    both support these. So, the ssh that is already on your OS X box would in
    principle be able to use Kerberos to log into your server. But it won't,
    because your server is using the older, obsolete protocols external-keyx
    and gssapi, instead of the modern versions that OS X OpenSSH supports,
    gssapi-keyex and gssapi-with-mic. The OpenSSH you built would not do a
    kerberized key exchange, but would be able to use Kerberos for client
    authentication -- except that it too no longer implements "gssapi" in
    favor of gssapi-with-mic.

    --
    Richard Silverman
    res@qoxp.net
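    The reply above boils down to a compatibility check between the methods the server advertises in the "Authentications that can continue" debug line and the methods the local client implements. The following Python script is an added example, not code from the thread or from OpenSSH: it parses that line out of `ssh -v` output, flags the obsolete method names (external-keyx, gssapi) alongside their modern replacements (gssapi-keyex, gssapi-with-mic), and explains the "No more authentication methods to try" outcome when a PreferredAuthentications restriction leaves nothing the client can attempt. The sample log excerpts are constructed from the transcripts above; the STOCK_CLIENT and PATCHED_CLIENT method sets are assumptions that summarize the reply (stock openssh.com source does Kerberos only for client authentication; the sxw patch, Debian ssh-krb5 and the OS X build add the GSSAPI key exchange).

```python
import re

# Obsolete method name -> modern replacement, as the reply describes.
OBSOLETE = {
    "external-keyx": "gssapi-keyex",
    "gssapi": "gssapi-with-mic",
}

# Assumption: what a client built from openssh.com source with --with-kerberos5
# can attempt, per the reply: Kerberos for client authentication only
# (gssapi-with-mic), no Kerberized key exchange.
STOCK_CLIENT = {"publickey", "password", "keyboard-interactive", "gssapi-with-mic"}

# Assumption: a client with the GSSAPI key-exchange patch (or Debian ssh-krb5,
# or the OS X ssh) additionally implements gssapi-keyex.
PATCHED_CLIENT = STOCK_CLIENT | {"gssapi-keyex"}

# Matches both the 4.6p1 ("Authentications ...") and 3.5p1f12 ("authentications ...")
# spellings of the debug line.
AUTH_LINE = re.compile(r"[Aa]uthentications that can continue: (?P<methods>[\w,-]+)")


def advertised_methods(log):
    """Return the user-auth methods named in the first 'can continue' debug line."""
    for line in log.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            return m.group("methods").split(",")
    return []


def diagnose(log, client_methods=STOCK_CLIENT, preferred=None):
    """Explain whether a login attempt can proceed past SSH2_MSG_SERVICE_ACCEPT.

    preferred: the list given to -o PreferredAuthentications, or None when the
    client was left free to try every method it implements.
    """
    advertised = advertised_methods(log)
    # Methods both sides support, in the server's advertised order.
    usable = [m for m in advertised if m in client_methods]
    if preferred is not None:
        # PreferredAuthentications restricts the client to this list, in this order.
        usable = [m for m in preferred if m in usable]
    obsolete = {m: OBSOLETE[m] for m in advertised if m in OBSOLETE}

    if not advertised:
        verdict = "no user-auth method list found; run ssh with -v"
    elif usable:
        verdict = "client will try: " + ", ".join(usable)
    elif obsolete and preferred:
        verdict = ("no method to try: client lacks " + ", ".join(preferred)
                   + "; server should offer " + ", ".join(obsolete.values()))
    else:
        verdict = "no method to try: client implements none of " + ", ".join(advertised)
    return {"advertised": advertised, "usable": usable,
            "obsolete": obsolete, "verdict": verdict}


# Constructed excerpt of the failed OpenSSH 4.6p1 attempt shown in the thread.
FAILED_LOG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: external-keyx,gssapi,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (external-keyx,gssapi,keyboard-interactive).
"""

# Constructed: what a server with a modern GSSAPI-capable sshd would advertise.
MODERN_LOG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey
"""

if __name__ == "__main__":
    print("failed attempt :", diagnose(FAILED_LOG, preferred=["external-keyx"])["verdict"])
    print("same, no -o    :", diagnose(FAILED_LOG)["verdict"])
    print("modern, stock  :", diagnose(MODERN_LOG)["verdict"])
    print("modern, patched:", diagnose(MODERN_LOG, PATCHED_CLIENT)["verdict"])
```

    Run against the failed transcript with preferred=["external-keyx"], the verdict names the missing method and the two modern replacements the server would need to offer; dropping the -o restriction shows that keyboard-interactive was the one method the stock client could still have used, which is why the reply points at the server's obsolete protocol names rather than at the client build.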

