Bug 614 - bug in krb4 support for OpenSSH on IRIX 64-bit ABI
Summary: bug in krb4 support for OpenSSH on IRIX 64-bit ABI
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Kerberos support (show other bugs)
Version: 3.6.1p2
Hardware: MIPS IRIX
: P2 normal
Assignee: OpenSSH Bugzilla mailing list
URL: http://lib.natur.cuni.cz/komanek/webl...
Keywords:
Depends on:
Blocks:
 
Reported: 2003-07-10 15:24 AEST by David Komanek
Modified: 2004-04-14 12:24 AEST (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Komanek 2003-07-10 15:24:47 AEST 
Problem: 'ssh' binary works except krb4 authorization. Issuing

kinit username; ssh -v -1 host

at the end of the debug output one gets following:

debug1: Trying Kerberos v4 authentication.
debug1: Kerberos v4 authentication accepted.
Disconnecting: Kerberos v4 challenge failed!

So the problem is a post-authentication issue on SGI IRIX 6.5.x if OpenSSH is
compiled with 64-bit ABI (both 'cc -64' and 'gcc -mabi=64'). No such problem
appears if any of 32-bit ABIs is used.

Cause: Incorrectly calculated checksum after the Kerberos 4 server response.
Comment 1 David Komanek 2003-07-10 15:27:49 AEST 
Solution: you can either use 32-bit version of 'ssh' binary (note: you will need
32-bit versions of libraries in krb4 and openssl for linking this one binary, so
it is probably better to compile whole OpenSSH distribution in 32-bit version),
or to apply the following patch to 'sshconnect1.c' and recompile/reinstall OpenSSH:

*** ./openssh-3.6p1-orig/sshconnect1.c Wed Jul 9 13:55:37 2003 
--- ./openssh-3.6p1/sshconnect1.c Wed Jul 9 15:31:42 2003 
*************** 
*** 484,489 **** 
--- 484,492 ---- 
/* Fetch the (incremented) checksum that we supplied in the request. */ 
memcpy((char *)&cksum, (char *)msg_data.app_data,sizeof(cksum)); 
+ #ifdef _MIPS_SIM_ABI64 
+ cksum >>= 32; 
+ #endif 
cksum = ntohl(cksum); 

/* If it matches, we're golden. */ 


Tested on: SGI Irix 6.5.20, OpenSSH 3.6p1, MIPSPro Compiler 7.2.1 (patched) /
SGI Freeware GCC 3.2.2
Comment 2 Darren Tucker 2003-07-10 16:16:24 AEST 
Before closing this bug, should that patch be applied to the tree?
Comment 3 Damien Miller 2003-07-10 19:10:32 AEST 
maybe cksum should be u_int32_t?
Comment 4 Darren Tucker 2003-07-14 16:54:01 AEST 
I don't speak kerberos but if cksum is supposed to be a 32bit entity then yeah,
I guess that would work.
Comment 5 Darren Tucker 2003-08-22 12:46:33 AEST 
Krb4 (and AFS) support has been removed from the tree.

20030802
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2003/07/22 13:35:22
     [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
     monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
     ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
     remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
     test+ok henning@
 - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
 - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
Comment 6 Damien Miller 2004-04-14 12:24:19 AEST 
Mass change of RESOLVED bugs to CLOSED