Old 10-21-2013, 09:39 PM   #1
ddmayne
small glitch with sshd_config slackware 14.1 RC1 RC2


I have been recompiling openssh to allow Active Directory/kerberos based logins. This depends on having kerberos installed. This is not a standard Slackware setup, so take this for what it is worth.

I have been preparing a baseline setup to test Slackware 14.1. I ran into an issue that was preventing an Active Directory user from logging in, but not a local user with either a key or a password.

The solution appears to involve toggling a sshd_config parameter to use a non-default value:
UsePrivilegeSeparation yes
The default using "sandbox" fails the login for some reason. For comparison the default configuration works on a similar Slackware 14.0 box. This works fine there:
UsePrivilegeSeparation sandbox
The differences in packages are summarized below.

| Slackware Version | openssh | priv sep | krb5 from MIT |
|-------------------|---------|----------|---------------|
| 14.0              | 6.1p1   | sandbox  | 1.9.5         |
| 14.1 RC2          | 6.3p1   | yes      | 1.10.6        |
 
Old 10-22-2013, 12:09 AM   #2
mancha
You have too many variables right now.

I suggest you compile 6.1p1 and 1.9.5 on 14RC2 and test the 3 remaining combos:

(a) 6.3p1 & 1.9.5
(b) 6.1p1 & 1.10.6
(c) 6.1p1 & 1.9.5

If the problem remains in (c) then it's something other than OpenSSH/Kerberos. If only one of (a) or (b) solves then the one you downgraded would appear to be the culprit. If either (a) or (b) solves then it's an interaction between 6.3p1 and 1.10.6 that is the problem.

Also, I'd shut down the server "/etc/rc.d/rc.sshd stop" and restart in a terminal in debug mode with "/usr/sbin/sshd -d".

Watch that terminal for clues while the client tries to connect.

--mancha
 
Old 10-22-2013, 08:14 PM   #3
ddmayne
More Tests

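| test | openssh | krb5   | UsePrivilegeSeparation | Result of Test |
|------|---------|--------|------------------------|----------------|
| 1    | 6.1p1   | 1.10.6 | sandbox                | fail           |
| 2    | 6.1p1   | 1.10.6 | yes                    | success        |
| 3    | 6.1p1   | 1.9.5  | sandbox                | fail           |
| 4    | 6.1p1   | 1.9.5  | yes                    | success        |
| 5    | 6.3p1   | 1.9.5  | sandbox                | fail           |
| 6    | 6.3p1   | 1.9.5  | yes                    | success        |
| 7    | 6.3p1   | 1.10.6 | sandbox                | fail           |
| 8    | 6.3p1   | 1.10.6 | yes                    | success        |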

result of tests running sshd from command line

Last edited by ddmayne; 10-22-2013 at 08:39 PM. Reason: update link to compressed tar
 
Old 10-23-2013, 10:39 AM   #4
mancha
Your test #3 is what I referred to as (c) in my post and shows your issue is not related to the OpenSSH upgrades from 14.0 to RC1/2.

Some GSSAPI component is invoking a seccomp-disallowed syscall. Until Kerberos and OpenSSH figure this out it appears you won't be able to use seccomp to sandbox the pre-authentication unprivileged process when using Kerberos. So, either relax pre-authentication sandboxing with "UsePrivilegeSeparation yes" as you've done or try building OpenSSH with the rlimit pseudo-sandbox instead (though this results in a larger attack surface).

Why does 6.1p1+1.9.5 work with pre-authentication sandboxing on your 14.0 machine? Is OpenSSH not using seccomp in that case? I'd be curious to see a similar server log for the successful connection on 14.0.

--mancha

Last edited by mancha; 10-23-2013 at 12:07 PM.
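
One way to find out which syscall the seccomp sandbox refused, as an added example that is not part of the original thread or any poster's code. It assumes a kernel built with audit support, which records a seccomp kill as an audit record of type 1326 (SECCOMP) with sig=31 (SIGSYS) in the kernel log or audit.log; the helper names, the sample lines and their syscall numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example: summarize syscalls that seccomp refused for one command,
# read from kernel audit records (type 1326 / SECCOMP) in log text.

# Constructed sample input, not taken from the thread. The syscall numbers
# are arbitrary placeholders and do not identify the call GSSAPI made.
sample_log() {
cat <<'EOF'
type=1326 audit(1382497801.101:51): auid=4294967295 uid=33 gid=33 ses=4294967295 pid=2211 comm="sshd" sig=31 syscall=999 compat=0 ip=0x7f00deadbeef code=0x0
type=1326 audit(1382497950.440:52): auid=4294967295 uid=33 gid=33 ses=4294967295 pid=2302 comm="sshd" sig=31 syscall=999 compat=0 ip=0x7f00deadbeef code=0x0
type=1326 audit(1382498000.007:53): auid=1000 uid=1000 gid=100 ses=2 pid=2400 comm="chrome" sig=31 syscall=998 compat=0 ip=0x7f00cafef00d code=0x0
type=1400 audit(1382498010.000:54): unrelated record comm="sshd" syscall=997
type=SECCOMP msg=audit(1382498100.250:55): auid=4294967295 uid=33 gid=33 ses=4294967295 pid=2450 comm="sshd" sig=31 syscall=996 compat=0 ip=0x7f00deadbeef code=0x0
EOF
}

# seccomp_kills COMM: read log text on stdin and print "count syscall=N"
# for each syscall number refused for processes named COMM, most frequent
# first. Fields are parsed as key=value so a dmesg prefix does not matter.
seccomp_kills() {
    awk -v want="$1" '
        {
            type = ""; comm = ""; nr = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "type")    { type = kv[2] }
                if (kv[1] == "comm")    { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "syscall") { nr = kv[2] }
            }
            # Numeric type appears in the kernel log, symbolic in auditd logs.
            if (type != "1326" && type != "SECCOMP") next
            if (comm == want && nr != "") hits[nr]++
        }
        END { for (n in hits) printf "%d syscall=%s\n", hits[n], n }
    ' | sort -k1,1nr -k2,2
}
```

Feed it real log text in place of the sample (for example `dmesg | seccomp_kills sshd`) while reproducing the failed login, then look up the reported number in the syscall table for the machine's architecture.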
 
  

