Bug 483640 - >=net-misc/openssh-6.0 fails to authenticate via GSSAPI with UsePrivilegeSeparation sandbox
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2013-09-04 20:36 UTC by masc
Modified: 2014-03-28 06:38 UTC

Attachments
patch to load oids before privsep (cache_oids_before_privsep.patch, 3.26 KB, patch)
2014-02-27 12:00 UTC, Georg Hopp
ebuild that applies the patch (openssh-6.4_p1-r1.ebuild, 9.22 KB, text/plain)
2014-02-27 12:01 UTC, Georg Hopp

Description masc 2013-09-04 20:36:55 UTC
See summary. The connection will close down without apparent reason or information (even with DEBUG3).

"UsePrivilegeSeparation sandbox" has been added to sshd_config since openssh-6.0. Setting UsePrivilegeSeparation to yes (sshd default) resolves the issue.

Sandbox works fine with 5.9, though.

Reproducible: Always

Server side log excerpt:

...
Sep  4 22:29:05 q sshd[21394]: debug1: userauth-request for user <..> service ssh-connection method gssapi-with-mic [preauth]
Sep  4 22:29:05 q sshd[21394]: debug1: attempt 1 failures 0 [preauth]
Sep  4 22:29:05 q sshd[21394]: debug2: input_userauth_request: try method gssapi-with-mic [preauth]
Sep  4 22:29:05 q sshd[21394]: debug1: monitor_read_log: child log fd closed
Sep  4 22:29:05 q sshd[21394]: debug3: mm_request_receive entering
Sep  4 22:29:05 q sshd[21394]: debug1: do_cleanup
Sep  4 22:29:05 q sshd[21394]: debug1: PAM: cleanup
Sep  4 22:29:05 q sshd[21394]: debug3: PAM: sshpam_thread_cleanup entering
Sep  4 22:29:05 q sshd[21394]: debug1: Killing privsep child 21397

Client side output excerpt:

...
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by 192.168.0.203
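A log triage check for the failure signature in the server-side excerpt above (an added example, not part of the report or of OpenSSH): it flags an sshd monitor that kills its privsep child right after a gssapi-with-mic attempt without logging an Accepted/Failed verdict or a client disconnect in between, so the silent sandbox failure stands out from ordinary failed logins and disconnects. The sample input is the report's own excerpt, embedded as a constructed string; the message prefixes matched are standard sshd log strings.

```python
import re
from typing import Dict, List

# Constructed sample input: the server-side debug excerpt quoted in the
# report above, with the user name placeholder left as the reporter wrote it.
SAMPLE_LOG = """\
Sep  4 22:29:05 q sshd[21394]: debug1: userauth-request for user <..> service ssh-connection method gssapi-with-mic [preauth]
Sep  4 22:29:05 q sshd[21394]: debug1: attempt 1 failures 0 [preauth]
Sep  4 22:29:05 q sshd[21394]: debug2: input_userauth_request: try method gssapi-with-mic [preauth]
Sep  4 22:29:05 q sshd[21394]: debug1: monitor_read_log: child log fd closed
Sep  4 22:29:05 q sshd[21394]: debug3: mm_request_receive entering
Sep  4 22:29:05 q sshd[21394]: debug1: do_cleanup
Sep  4 22:29:05 q sshd[21394]: debug1: PAM: cleanup
Sep  4 22:29:05 q sshd[21394]: debug3: PAM: sshpam_thread_cleanup entering
Sep  4 22:29:05 q sshd[21394]: debug1: Killing privsep child 21397
"""

# All lines of one connection carry the monitor's PID; "debugN: " prefixes are dropped.
LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?:debug\d: )?(?P<msg>.*)$")

# Messages that explain why a preauth child went away (standard sshd strings).
EXPLAINED_PREFIXES = ("Accepted ", "Failed ", "Postponed ",
                      "Connection closed by", "Received disconnect")


def find_sandbox_gssapi_failures(log_text: str) -> List[Dict[str, str]]:
    """Flag monitors that kill their privsep child right after a
    gssapi-with-mic attempt with no verdict or disconnect in between,
    the signature of the sandbox failure described in this bug."""
    pending: Dict[str, str] = {}      # monitor pid -> line of the open attempt
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if "try method gssapi-with-mic" in msg:
            pending[pid] = line                 # attempt seen, no verdict yet
        elif msg.startswith(EXPLAINED_PREFIXES):
            pending.pop(pid, None)              # the exit has a stated reason
        elif msg.startswith("Killing privsep child") and pid in pending:
            findings.append({"monitor_pid": pid,
                             "child_pid": msg.rsplit(" ", 1)[1],
                             "attempt": pending.pop(pid)})
    return findings

if __name__ == "__main__":
    for hit in find_sandbox_gssapi_failures(SAMPLE_LOG):
        print("unexplained privsep child exit after GSSAPI attempt:", hit)
```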
Comment 1 Georg Hopp 2014-02-22 17:44:32 UTC
I can confirm this.

I came across this issue when setting up central user management for Windows and Linux workstations with Samba4.

It took me nearly a week and some mails with Sumit Bose on samba-technical. After nothing helped I decided to gdb sshd and turned off privilege separation and suddenly everything worked.

I wrote a bug report to OpenSSH to ask if this can be fixed, or at least to make sshd give some useful information when in debug mode.

regards
   Georg Hopp
Comment 2 Georg Hopp 2014-02-24 09:22:48 UTC
Hi again,

FYI

On the OpenSSH Bugzilla, a patch is provided in this ticket that does the GSSAPI initialization before privsep is in place.

https://bugzilla.mindrot.org/show_bug.cgi?id=2107

I can confirm that this patch fixes the issue for me now without any side effects. I will add this patch to all my machines now for a long-term test.

I applied it against 6.4p1.

Best regards
    Georg Hopp
Comment 3 Georg Hopp 2014-02-27 12:00:20 UTC
Created attachment 371388 [details, diff]
patch to load oids before privsep

This one is a copy of the patch that is now committed to openssh 6.6.
Comment 4 Georg Hopp 2014-02-27 12:01:40 UTC
Created attachment 371390 [details]
ebuild that applies the patch
Comment 5 Georg Hopp 2014-02-27 12:05:52 UTC
Hi,

the patch is now committed for openssh 6.6.

I think it might be beneficial to add it to the current stable ebuild, which is 6.4p1 for me, but I failed to make a recent update, sorry.

Anyway, it applied nicely against 6.4.

I attached the patch and my modified ebuild.

Best regards
   Georg
Comment 6 SpanKY gentoo-dev 2014-03-28 06:38:41 UTC
openssh-6.6 is stable in Gentoo now, so it sounds like we're all set. Thanks!