
ssh linkage madness
I have been hacking heimdal support for ssh and have found two problems:

1. The TGT passing was done before the authentication was attempted (!)
   so the local_subkey was not present, which caused Assar's recent implementation
   of krb5_fwd_tgt_creds to fail early in the call to krb5_get_forwarded_creds.

   SSH clearly assumes that the underlying stream is already encrypted, and
   the MIT code (am I right, Ken?) must then return the credentials
   unencrypted unless there is a session key to use?!?!?

   I just switched them to see if I could get the authentication to work.
   Then I got this:

2. When running under gdb (the lines beginning with "after" are my additions)
   ssh craps out in des_encrypt !

toast.matematik.su.se: Trying Kerberos V5 authentication.
after krb5_cc_get_principal
after krb5_get_credentials
after krb5_auth_con_init
after krb5_auth_con_init, krb5_auth_con_setflags

Program received signal SIGSEGV, Segmentation fault.
des_encrypt (l=1762232685, r=1762130986, output=0x1, ks=0x4007e7f0,
    encrypt=-1073747868) at des.c:445
445       output[0]=l;
(gdb) bt
 #0  des_encrypt (l=1762232685, r=1762130986, output=0x1, ks=0x4007e7f0,
    encrypt=-1073747868) at des.c:445
 #1  0x40075b8a in des_ecb_encrypt (input=0x4007ebe4, output=0xbfffe864,
    ks=0x4007eb64, encrypt=1) at ecb_enc.c:119
 #2  0x40079626 in des_new_random_key (key=0xbfffe864) at rnd_keys.c:418
 #3  0x400796b0 in des_init_random_number_generator (seed=0xbfffe890)
    at rnd_keys.c:450
 #4  0x40079575 in do_initialize () at rnd_keys.c:376
 #5  0x4007960e in des_new_random_key (key=0x8088720) at rnd_keys.c:415
 #6  0x4005bb2d in DES_random_key (key=0x8088714) at encrypt.c:395
 #7  0x4005bc15 in krb5_generate_random_keyblock (context=0x80872d8,
    ktype=KEYTYPE_DES, key=0x8088710) at encrypt.c:451
 #8  0x4005c4e7 in krb5_generate_subkey (context=0x80872d8, key=0x80883d0,
    subkey=0x80886c8) at generate_subkey.c:55
 #9  0x40057f85 in krb5_build_authenticator (context=0x80872d8,
    auth_context=0x8088640, enctype=ETYPE_DES_CBC_MD5, cred=0x80883c8,
    cksum=0x0, auth_result=0x0, result=0xbfffe964) at build_auth.c:79
 #10 0x400624c6 in krb5_mk_req_extended (context=0x80872d8,
    auth_context=0x8077a70, ap_req_options=0, in_data=0x0, in_creds=0x80883c8,
    outbuf=0xbfffe9fc) at mk_req_ext.c:122
 #11 0x804cedf in try_kerberos_authentication () at sshconnect.c:1005
 #12 0x804e03e in ssh_login (state=0x807e720, host_key_valid=0,
    own_host_key=0x807eb80, orighost=0xbffff9b3 "trurl", options=0x807dba0,
    original_real_uid=105) at sshconnect.c:1721
 #13 0x804b7af in main (ac=5, av=0xbffff850) at ssh.c:835
(gdb)

A careful inspection of the code shows that in des_new_random_key the
execution path takes a vacation in ssh-land where the des_* functions
from ssh are called instead of those from Heimdal's libdes, an obviously
doomed situation.

There is a prototype conflict which Assar informs me is due to the fact
that ssh has taken libdes and changed the prototypes without changing the names.

Could the person who claimed to have gotten the authentication stuff working
(sorry, forgot your name) please say how you got around this problem?  I have
put my current ssh-heimdal tarball on ftp://ftp.matematik.su.se/pub/leifj/
for reference.

Otherwise one has to go through the ssh code and change the name of every
des-function. Fun!

	Best Regards
	Leif Johansson

Leif Johansson				Phone: +46 8 164541
Department of Mathematics		Fax  : +46 8 6126717
Stockholm University			email: leifj@matematik.su.se

    <This space is left blank for quotational and disclamatory purposes.>
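The symbol collision described in the message above (two libraries defining the same des_* names, so that the call from libdes's rnd_keys.o lands in ssh's copy of des_ecb_encrypt with a different prototype) can be checked for at build time rather than discovered in gdb. The script below is an added example, not code from the post or from the ssh or Heimdal projects. It parses `nm -A`-style output; the sample embedded here is constructed, and the archive and member names in it are assumptions standing in for the real build. It reports symbols defined in more than one archive, the archive the linker would most likely pick for a given link order, and the undefined references that are exposed to that ambiguity.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `nm -A libssh.a libdes.a libkrb5.a`.
# Archive and member names are assumptions chosen to mirror the post:
# ssh's bundled libdes (here inside libssh.a) and Heimdal's libdes.a.
SAMPLE_NM = """\
libssh.a:des.o:00000000 T des_encrypt
libssh.a:des.o:00000120 T des_ecb_encrypt
libssh.a:des.o:00000240 T des_set_key
libssh.a:sshconnect.o:00000000 T try_kerberos_authentication
libssh.a:sshconnect.o:         U krb5_mk_req_extended
libdes.a:des.o:00000000 T des_encrypt
libdes.a:ecb_enc.o:00000000 T des_ecb_encrypt
libdes.a:rnd_keys.o:00000000 T des_new_random_key
libdes.a:rnd_keys.o:         U des_ecb_encrypt
libkrb5.a:encrypt.o:00000000 T DES_random_key
libkrb5.a:encrypt.o:         U des_new_random_key
"""

# nm -A line: "archive:member:[address] type name"; address is absent for U.
NM_LINE = re.compile(
    r"^(?P<archive>[^:]+):(?P<member>[^:]+):\s*"
    r"(?:[0-9a-fA-F]+\s+)?(?P<type>[A-Za-z?])\s+(?P<name>\S+)$"
)

# Symbol types that count as a definition (text, data, bss, read-only, weak).
DEFINING_TYPES = set("TDBRVW")


def parse_nm(text):
    """Yield (archive, member, symtype, name) for every parseable nm -A line."""
    for line in text.splitlines():
        m = NM_LINE.match(line)
        if m:
            yield m["archive"], m["member"], m["type"], m["name"]


def duplicate_definitions(text, prefix=""):
    """Symbols (optionally restricted to a name prefix such as "des_")
    that are defined in more than one archive, mapped to those archives."""
    defs = defaultdict(set)
    for archive, _member, symtype, name in parse_nm(text):
        if symtype in DEFINING_TYPES and name.startswith(prefix):
            defs[name].add(archive)
    return {name: sorted(archives) for name, archives in defs.items()
            if len(archives) > 1}


def likely_winner(text, link_order):
    """For each duplicated symbol, the archive that comes first in link_order.
    Simplification: the linker takes the first definition it meets; with static
    archives the outcome also depends on which members were already extracted,
    so treat this as a hint about where a reference will be resolved."""
    return {name: next((a for a in link_order if a in archives), None)
            for name, archives in duplicate_definitions(text).items()}


def at_risk_references(text):
    """Undefined references whose target is defined in more than one archive,
    i.e. the call sites that may silently bind to the wrong implementation."""
    rows = list(parse_nm(text))
    defs = defaultdict(set)
    for archive, _member, symtype, name in rows:
        if symtype in DEFINING_TYPES:
            defs[name].add(archive)
    return [(archive, member, name, sorted(defs[name]))
            for archive, member, symtype, name in rows
            if symtype == "U" and len(defs.get(name, ())) > 1]


if __name__ == "__main__":
    for name, archives in duplicate_definitions(SAMPLE_NM).items():
        print(f"{name} defined in: {', '.join(archives)}")
    for archive, member, name, definers in at_risk_references(SAMPLE_NM):
        print(f"{archive}:{member} references {name}, candidates: {definers}")
    print(likely_winner(SAMPLE_NM, ["libssh.a", "libkrb5.a", "libdes.a"]))
```

With the sample data the report flags des_encrypt and des_ecb_encrypt as doubly defined, shows that rnd_keys.o's reference to des_ecb_encrypt has two candidate definitions, and, for a link order that lists libssh.a first, names libssh.a as the copy that reference will most likely bind to, which is the situation the backtrace shows. On a real tree, feed it the output of `nm -A` over the archives and objects that go into the final link.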