GSS support for LSH


Overview

This page contains information about a modified version of lsh that adds support for GSS user authentication according to draft-ietf-secsh-gsskeyex-06.txt, using GSSLib or the GSS libraries from Heimdal or MIT Kerberos.

Status

Known problems

Future goals

The Patch

Download it from http://josefsson.org/gss/gss-lsh.patch.

Download

Complete snapshots are distributed from ftp://alpha.gnu.org/gnu/gss/.

The patched LSH source code is maintained in a CVS repository, available from http://savannah.gnu.org/cgi-bin/viewcvs/gss/lsh-gss/.

Instructions

Install either Shishi 0.0.1 and GSSLib 0.0.4, or Heimdal, or MIT Kerberos 5. Then install lsh from the snapshots above, or the pre-patched CVS above, or upstream CVS and apply the patch manually. Configure will pick up GSS automatically if you have it installed. If you want to use Heimdal or MIT, you must specify --enable-gss=k5.

You can then try it like the following. As the client I was able to use, besides LSH itself, OpenSSH 3.6.1p2 with patches, linked against MIT Kerberos 5.

For some reason, I'm unable to get the known_host stuff to work in LSH, so I need sloppy host key and type yes every time. This is unrelated to the GSS patches, it happens with unmodified LSH from CVS too. Someone else is encouraged to look into that problem.

Debian users! The GSS patched OpenSSH in the "ssh-krb5" package does not work. It probably implements an older version of the draft.

Remember that the hostkey file, i.e. typically $prefix/etc/shishi.keys (GSS/Shishi) or $prefix/etc/krb5.keytab (MIT Kerberos 5 and Heimdal), must be readable by the user invoking lshd. Also remember that the user invoking lsh must have tickets, as acquired by running "shishi" or "kauth".

jas@latte:~/src/lsh/src$ make lshd&&./lshd --port 4711 --verbose
make: `lshd' is up to date.
lshd: Accepting connection from 192.168.1.10, port 34979
lshd: Initiating handshake with 192.168.1.10
lshd: garbage collecting...
lshd: Objects alive: 90, garbage collected: 13
lshd: Client version: SSH-2.0-OpenSSH_3.6.1p2
Server version: SSH-2.0-lshd_1.5.2 lsh - a free ssh
lshd: Received KEXINIT message. Key exchange initated.
lshd: Selected keyexchange algorithm: diffie-hellman-group1-sha1
  with hostkey algorithm:       ssh-dss
lshd: Selected bulk algorithms: (client to server, server to client)
  Encryption:             (3des-cbc, 3des-cbc)
  Message authentication: (hmac-md5, hmac-md5)
  Compression:            (none, none)
lshd: Received NEWKEYS. Key exchange finished.
lshd: Setting session key lifetime to 5400 seconds
lshd: Client requests 1 GSS mechanism(s).
lshd: Acquiring GSS credentials for GSS mechanism 2a864886f712010202 (0).
lshd: Ready to continue with mechanism 06092a864886f712010202 (0).
lshd: Received GSS token.
lshd: Preparing to finish GSS authentication.
lshd: Sending GSS token.
lshd: Finishing GSS.
lshd: GSS user jas@JOSEFSSON.ORG authorized to log on as jas.
lshd: Allocated local channel number 0
lshd: Registering local channel 0.
lshd: Taking channel 0 in use, (local 0).
lshd: Client requesting a tty...
lshd:  granted.
lshd: Updating utmp for login failed (errno = 9): Bad file descriptor
...
lshd: Child 30550 died with exit code 0.
lshd: Updating utmpx for logout failed (errno = 9): Bad file descriptor
lshd: server_session.c: Sending exit-status message on channel 0
lshd: Sending EOF on channel 0
lshd: Sending CLOSE on channel 0
lshd: Receiving CLOSE on channel 0 (local 0)
lshd: write_buffer: Attempt to write data to closed buffer.
lshd: Deallocating local channel 0
lshd: Connection died.

jas@latte:~/src/lsh/src$ ./lsh -p 4711 -v latte.josefsson.org --sloppy-host-authentication --verbose
lsh: Enabling default escape character `~'
lsh: You have an old known-hosts file `/home/jas/.lsh/host-acls'.
To work with lsh-2.0, run the lsh-upgrade script,
which will convert that to a new host-acls file.
lsh: Failed to open `/home/jas/.lsh/host-acls' for reading (errno = 2): No such file or directory
lsh: Failed to open `/home/jas/.lsh/identity' for reading (errno = 2): No such file or directory
lsh: Client version: SSH-2.0-lsh_1.5.2 lsh - a free ssh
Server version: SSH-2.0-lshd_1.5.2 lsh - a free ssh
lsh: Received KEXINIT message. Key exchange initated.
lsh: Selected keyexchange algorithm: diffie-hellman-group1-sha1
  with hostkey algorithm:       ssh-dss
lsh: Selected bulk algorithms: (client to server, server to client)
  Encryption:             (aes256-cbc, aes256-cbc)
  Message authentication: (hmac-sha1, hmac-sha1)
  Compression:            (none, none)
lsh: garbage collecting...
lsh: Objects alive: 96, garbage collected: 22
lsh: SPKI authorization failed.
Received unauthenticated key for host latte.josefsson.org
Key details:
Bubble Babble: xegib-lalez-racet-bufez-nedik-gehen-mokiv-beluf-laziv-fedyp-koxox
Fingerprint:   8f:f0:38:7e:63:2c:cc:1e:41:1e:32:e9:6d:fa:5b:a8
Do you trust this key? (y/n) y
lsh: Received NEWKEYS. Key exchange finished.
lsh: Setting session key lifetime to 2400 seconds
lsh: Requesting authentication using the `none' method.
lsh: Sending list of GSS mechanisms we support.
lsh: Sending initial GSS token.
lsh: Sending GSS token.
lsh: GSS authentication done.
lsh: User authentication successful.
lsh: Allocated local channel number 0
lsh: Registering local channel 0.
lsh: Taking channel 0 in use, (local 0).
lsh: Requesting a remote pty.
lsh: pty request succeeded
jas@latte:~$
lsh: Connection died.
jas@latte:~/src/lsh/src$


$Id: gss-lsh.html,v 1.28 2008/08/20 13:29:34 jas Exp $