
openssh 4.0p1 + heimdal 0.6.3 + GSSAPIDelegateCredentials = wrong ticket address?



I'm having a bit of an odd problem with OpenSSH 4.0p1 and Heimdal 0.6.3,
involving GSSAPI authentication and delegation (ticket forwarding).  The
forwarded tickets have the originating system's address, not that of the
receiving system.  See attached typescript ("klist -T -v"s before and
during an ssh session).

I can't see anything in the OpenSSH code that would cause this, as it
simply hands everything off to the GSSAPI library.  And I can't imagine
that this is intended behavior; isn't the point of ticket forwarding
that the forwarded tickets have the correct machine address?  Is there
some configure (openssh or heimdal) option or krb5.conf stanza I should
be using to make this work correctly (hopefully not addressless tickets,
although I suppose if that's really needed...).

openssh and heimdal config information available on request (or look
in /afs/ece.cmu.edu/support/{heimdal/0.6.3-global,openssh/4.0p1}/build/*
if you have AFS; they should be system:anyuser rl; krb5.conf is in
/afs/ece.cmu.edu/service/krb5.conf).

Thanks in advance.

-- 
brandon s. allbery   [linux,solaris,freebsd,perl]      allbery@kf8nh.com
system administrator      [WAY too many hats]        allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon univ.         KF8NH
Script started on Thu Mar 31 13:47:50 2005
/afs/ece/usr/allbery/.bashrc:1144: command not found: bindkey
3@hilfy:533 Z$ kauth
allbery@ECE.CMU.EDU's Password: 
3@hilfy:534 Z$ klist -v -T
Credentials cache: FILE:/tmp/krb5cc_546_3214
        Principal: allbery@ECE.CMU.EDU
    Cache version: 4

Server: krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 8
Auth time:  Mar 31 13:48:13 2005
End time:   Apr  1 14:48:13 2005
Renew till: Apr 30 14:48:13 2005
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:128.2.136.133

Server: afs@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 3
Auth time:  Mar 31 13:48:13 2005
End time:   Apr  1 14:48:13 2005
Ticket flags: forwardable, transited-policy-checked
Addresses: IPv4:128.2.136.133


   V4-ticket file: /tmp/tkt546_3037_3214
        Principal: allbery@ECE.CMU.EDU

  Issued           Expires          Principal (kvno)                
Mar 31 13:48:13  Apr  1 15:14:34  krbtgt.ECE.CMU.EDU@ECE.CMU.EDU (8)

Mar 31 13:48:13  Apr  1 15:14:34  User's (AFS ID 546) tokens for ece.cmu.edu (213)
3@hilfy:535 Z$ ssh tully
Last login: Thu Mar 31 12:16:05 2005 from pyanfar.ece.cmu.edu
Have a lot of fun...
/usr/X11R6/bin/xauth:  timeout in locking authority file /afs/ece/usr/allbery/.Xauthority
tully:536 Z$ klist -T -v
Credentials cache: FILE:/tmp/krb5cc_j18894
        Principal: allbery@ECE.CMU.EDU
    Cache version: 4

Server: krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 8
Auth time:  Mar 31 13:48:13 2005
Start time: Mar 31 13:49:01 2005
End time:   Apr  1 14:48:13 2005
Ticket flags: forwardable, transited-policy-checked
Addresses: IPv4:128.2.136.133

Server: afs@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 3
Auth time:  Mar 31 13:48:13 2005
Start time: Mar 31 13:49:22 2005
End time:   Apr  1 14:48:13 2005
Ticket flags: forwardable, transited-policy-checked
Addresses: IPv4:128.2.136.133


   V4-ticket file: /tmp/tkt546
        Principal: allbery@ECE.CMU.EDU

  Issued           Expires          Principal (kvno)                
Mar 31 12:16:05  Apr  1 13:42:26  krbtgt.ECE.CMU.EDU@ECE.CMU.EDU (8)
Mar 31 12:16:21  Apr  1 12:03:59  zephyr.zephyr@ECE.CMU.EDU (2)     
Mar 31 13:49:22  Apr  1 13:37:00  afs@ECE.CMU.EDU (3)               

Mar 31 13:49:22  Apr  1 13:36:59  User's (AFS ID 546) tokens for ece.cmu.edu (3)
tully:537 Z$ kauth
allbery@ECE.CMU.EDU's Password: 
tully:538 Z$ klist -T -v
Credentials cache: FILE:/tmp/krb5cc_j18894
        Principal: allbery@ECE.CMU.EDU
    Cache version: 4

Server: krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 8
Auth time:  Mar 31 13:50:15 2005
End time:   Apr  1 14:50:15 2005
Renew till: Apr 30 14:50:15 2005
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:128.2.136.132

Server: afs@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 3
Auth time:  Mar 31 13:50:15 2005
End time:   Apr  1 14:50:15 2005
Ticket flags: forwardable, transited-policy-checked
Addresses: IPv4:128.2.136.132


   V4-ticket file: /tmp/tkt546
        Principal: allbery@ECE.CMU.EDU

  Issued           Expires          Principal (kvno)                
Mar 31 13:50:15  Apr  1 15:16:36  krbtgt.ECE.CMU.EDU@ECE.CMU.EDU (8)

Mar 31 13:50:15  Apr  1 15:16:36  User's (AFS ID 546) tokens for ece.cmu.edu (213)
tully:539 Z$ 
Connection to tully closed.
3@hilfy:1036 Z$ 

script done on Thu Mar 31 13:50:26 2005
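As an added example (not code from the post, OpenSSH or Heimdal), here is a Python check that parses Heimdal `klist -v` output in the format shown in the typescript above and classifies each ticket by whether its bound address belongs to the host the cache lives on, which is exactly the mismatch the post describes. The sample output and the `host/example.test` principal are constructed, and the set of local addresses is assumed to be supplied by the caller.

```python
"""Check whether tickets in Heimdal 'klist -v' output are bound to the
address of the host they are cached on.  Constructed example."""
import re

# Constructed sample modelled on the receiving host's klist output in the
# post: the forwarded TGT still carries the originating host's address.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_j18894
        Principal: allbery@ECE.CMU.EDU
    Cache version: 4

Server: krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 8
Ticket flags: forwardable, transited-policy-checked
Addresses: IPv4:128.2.136.133

Server: host/example.test@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 3
Ticket flags: forwardable
Addresses: addressless
"""

def parse_klist(text):
    """Return one {server, flags, addresses} dict per ticket in the cache."""
    tickets, cur = [], None
    for line in text.splitlines():
        if line.startswith("Server: "):
            cur = {"server": line[8:].strip(), "flags": [], "addresses": []}
            tickets.append(cur)
        elif cur is not None and line.startswith("Ticket flags: "):
            cur["flags"] = [f.strip() for f in line[14:].split(",")]
        elif cur is not None and line.startswith("Addresses: "):
            addrs = line[11:].strip()
            if addrs != "addressless":  # Heimdal prints this for no-address tickets
                cur["addresses"] = re.findall(r"IPv[46]:([0-9a-fA-F.:]+)", addrs)
    return tickets

def check_addresses(text, local_addrs):
    """Map server principal -> 'ok' (bound to a local address), 'addressless',
    or 'foreign' (bound only to addresses this host does not own)."""
    result = {}
    for t in parse_klist(text):
        if not t["addresses"]:
            result[t["server"]] = "addressless"
        elif any(a in local_addrs for a in t["addresses"]):
            result[t["server"]] = "ok"
        else:
            result[t["server"]] = "foreign"
    return result

if __name__ == "__main__":
    # tully's address from the typescript; the TGT is reported as 'foreign'
    for server, verdict in check_addresses(SAMPLE_KLIST, {"128.2.136.132"}).items():
        print(f"{verdict:11s} {server}")
```

A 'foreign' verdict on a freshly forwarded TGT is the symptom in the post: a KDC or service that enforces ticket addresses will reject that ticket from the receiving host.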