FS#32966 - openssh GSSAPI authentication
Attached to Project:
Arch Linux
Opened by Andrew Gunnerson (chenxiaolong) - Wednesday, 05 December 2012, 03:20 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 06 December 2012, 21:21 GMT
Details
For some reason, GSSAPI authentication in openssh is not
working in Arch Linux. When connecting from the client (on
any distribution), the connection always fails with
"Connection closed by UNKNOWN" and the server side doesn't
produce any error messages (and doesn't log anything unless
I set the logging level to debug3).
Client (with "-vvv"): http://pastie.org/pastes/5481968/text
Server (with debug3 logging): http://pastie.org/pastes/5481975/text
sshd_config: http://pastie.org/pastes/5481978/text

I'm using the exact same configuration file for my other servers (running other distros) and they all work fine. I'm not sure why it's not working for Arch though. I tried compiling my own openssh binaries and the problem still persists, so it may be a problem with one of the dependencies.

In case it matters, an Arch Linux client connecting to other ssh servers with GSSAPI authentication works fine, but not the other way around.
Closed by Gaetan Bisson (vesath)
Thursday, 06 December 2012, 21:21 GMT
Reason for closing: Not a bug
Could you try building openssh with exactly the same tarball and options on Arch and another platform where it works? Comparing the two config.log might give us an obvious answer as to what is wrong.
One of my servers (running Ubuntu) has version 6.0p1 of the OpenSSH server and the kdc server (running Fedora) has version 6.1p1. I'll try compiling with the same options on Arch and Fedora and I'll post the config.log files here.
Fedora:
Build log: http://ompldr.org/vZ2tsbA/sshbuild.log
config.log: http://ompldr.org/vZ2tsbQ/config.log
Arch:
Build log: http://ompldr.org/vZ2tsbw/sshbuild.log
config.log: http://ompldr.org/vZ2tscQ/config.log
I used this script to build OpenSSH: http://ompldr.org/vZ2tseg/compile_openssh.sh
Arch's OpenSSH in the repositories works perfectly fine when UsePrivilegeSeparation is turned off. Now, I wonder why the nobody user prevents GSSAPI from working.
$ adduser --system sshdaemon
and then compiling OpenSSH with the "--with-privsep-user=sshdaemon" option, but that fails with the same error message.
Let me know if there is any change I could make to the package that would make sense and restore the GSSAPI features.
From http://www.openssh.com/txt/release-5.9: OpenSSH is using the systrace sandbox by default, which (I assume because of the syscall whitelist) is too limiting for GSSAPI. Looking at the packaging for other distros, they all seem to be working around this in one way or another.
Ubuntu (Line 306: http://tinyurl.com/alu6ypw) is not using the sandbox at all. They just set UsePrivilegeSeparation to "yes" to avoid the issue.
Fedora (Line 531: http://tinyurl.com/bxo3kob) and openSUSE (Line 142: http://tinyurl.com/cfbordn) are both using rlimit as the sandboxing mechanism.
I'm not sure which method you would prefer. I would personally compile with "--with-sandbox=rlimit".
Since the default sshd_config turns GSSAPI off, I guess it is reasonable to expect anyone turning it on to also disable sandboxing.
So I am inclined to do nothing unless I have missed a simple way to make this easier on GSSAPI users without impacting the majority of us who just want the best possible options by default.
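The thread settles on a trade-off between the pre-auth sandbox and GSSAPI: keep the sandbox and leave GSSAPI off (the default), or run privilege separation without the sandbox (or build with the rlimit sandbox) when GSSAPI is needed. As an added example that is not part of this ticket or of OpenSSH, the script below parses the global section of an sshd_config and flags the combination reported here; the `default_privsep` parameter and the sample configuration are constructed assumptions, since the compiled-in default varied between releases and distributions.

```python
"""Flag the sshd_config combination from FS#32966: GSSAPIAuthentication
enabled while the pre-auth privilege-separation sandbox is on."""
import re

# sshd_config keywords are case-insensitive and separated from their value
# by whitespace or a single '='. Only lines starting with '#' are comments.
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_global(text):
    """Return {lowercased keyword: value} for the global section only.
    Parsing stops at the first Match block because UsePrivilegeSeparation
    is a global-only keyword; sshd keeps the FIRST value of each keyword."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        opts.setdefault(key, val)
    return opts


def check_gssapi_sandbox(text, default_privsep="yes"):
    """Return a list of findings. default_privsep is an assumption about
    what this sshd build uses when UsePrivilegeSeparation is absent."""
    opts = parse_global(text)
    gss = opts.get("gssapiauthentication", "no").lower()
    privsep = opts.get("useprivilegeseparation", default_privsep).lower()
    findings = []
    if gss == "yes" and privsep == "sandbox":
        findings.append("GSSAPIAuthentication yes + UsePrivilegeSeparation sandbox: "
                        "the pre-auth sandbox breaks GSSAPI unless sshd was built "
                        "--with-sandbox=rlimit; otherwise use UsePrivilegeSeparation yes")
    if privsep == "no":
        findings.append("UsePrivilegeSeparation no disables privilege separation "
                        "entirely; 'yes' keeps privsep without the sandbox")
    return findings


# Constructed sample configuration modelled on the ticket's report.
BROKEN = """# sshd_config
Port 22
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePrivilegeSeparation sandbox
Match User backup
    GSSAPIAuthentication no
"""
FIXED = BROKEN.replace("UsePrivilegeSeparation sandbox", "UsePrivilegeSeparation yes")

if __name__ == "__main__":
    for finding in check_gssapi_sandbox(BROKEN):
        print(finding)
```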