From owner-freebsd-current@FreeBSD.ORG Sun Jul 1 19:16:59 2007 Return-Path: X-Original-To: current@freebsd.org Delivered-To: freebsd-current@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AD4A016A469 for ; Sun, 1 Jul 2007 19:16:59 +0000 (UTC) (envelope-from david@catwhisker.org) Received: from bunrab.catwhisker.org (adsl-63-193-123-122.dsl.snfc21.pacbell.net [63.193.123.122]) by mx1.freebsd.org (Postfix) with ESMTP id 5CE3A13C43E for ; Sun, 1 Jul 2007 19:16:59 +0000 (UTC) (envelope-from david@catwhisker.org) Received: from bunrab.catwhisker.org (localhost [127.0.0.1]) by bunrab.catwhisker.org (8.13.3/8.13.3) with ESMTP id l61IciA2088434 for ; Sun, 1 Jul 2007 11:38:44 -0700 (PDT) (envelope-from david@bunrab.catwhisker.org) Received: (from david@localhost) by bunrab.catwhisker.org (8.13.3/8.13.1/Submit) id l61IciVl088433 for current@freebsd.org; Sun, 1 Jul 2007 11:38:44 -0700 (PDT) (envelope-from david) Date: Sun, 1 Jul 2007 11:38:44 -0700 From: David Wolfskill To: current@freebsd.org Message-ID: <20070701183844.GA87424@bunrab.catwhisker.org> Mail-Followup-To: David Wolfskill , current@freebsd.org Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="bp/iNruPH9dso1Pn" Content-Disposition: inline User-Agent: Mutt/1.4.2.1i Cc: Subject: ssh coredump if gssapi-with-mic preferred, but no kinit done (yet)? X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 01 Jul 2007 19:16:59 -0000 --bp/iNruPH9dso1Pn Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Although I track CURRENT daily on my laptop, I hadn't run into this issue, as I don't use KErberos on the laptop. I try to track CURRENT on a weekly basis for my work desktop, where I do use Kerberos. (I ran out of time last Sunday, because I also update ports, and OpenOffice took quite a while.) Thus, I believe that what caused this would have been committed on or after 24 June, which is when I built CURRENT previously on the machine. Although I tend to use public key authentication (for ssh), we have a requirement at work that certain machines need to be accessible via ssh once the requstor has authenticated via Kerberos. Thus, while the machines in question will accept (and in some cases, are configured to prefer) gssapi-with-mic authentication, I'm in the habit of ignoring that and using the public-key authentication that I'm already set up to use. So after building & booting today's CURRENT on the machine: catmint(7.0-C)[1] uname -a FreeBSD catmint.mail-abuse.org 7.0-CURRENT FreeBSD 7.0-CURRENT #88: Sun Jul= 1 10:30:56 PDT 2007 root@catmint.mail-abuse.org:/common/S4/obj/usr/sr= c/sys/CATMINT i386 catmint(7.0-C)[2]=20 I wanted to do a reality check on a different machine: catmint(7.0-C)[4] ssh -x repo df / Segmentation fault (core dumped) catmint(7.0-C)[5]=20 Huh? OK; a little more detail: catmint(7.0-C)[8] ssh -vvv -x repo OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8e 23 Feb 2007 debug1: Reading configuration data /home/dhw/.ssh/config debug1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to repo.mail-abuse.org [168.61.10.54] port 22. debug1: Connection established. debug1: identity file /home/dhw/.ssh/identity type 0 debug3: Not a RSA1 key file /home/dhw/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug2: key_type_from_name: unknown key type 'Proc-Type:' debug3: key_read: missing keytype debug2: key_type_from_name: unknown key type 'DEK-Info:' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /home/dhw/.ssh/id_rsa type 1 debug3: Not a RSA1 key file /home/dhw/.ssh/id_dsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug2: key_type_from_name: unknown key type 'Proc-Type:' debug3: key_read: missing keytype debug2: key_type_from_name: unknown key type 'DEK-Info:' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /home/dhw/.ssh/id_dsa type 2 debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5p1 = FreeBSD-20061110 debug1: match: OpenSSH_4.5p1 FreeBSD-20061110 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hell= man-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-s= ha1 debug2: kex_parse_kexinit: ssh-dss,ssh-rsa debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arc= four128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.s= e,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arc= four128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.s= e,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160= @openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160= @openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit:=20 debug2: kex_parse_kexinit:=20 debug2: kex_parse_kexinit: first_kex_follows 0=20 debug2: kex_parse_kexinit: reserved 0=20 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hell= man-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-s= ha1 debug2: kex_parse_kexinit: ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arc= four128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.s= e,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arc= four128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.s= e,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160= @openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160= @openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit:=20 debug2: kex_parse_kexinit:=20 debug2: kex_parse_kexinit: first_kex_follows 0=20 debug2: kex_parse_kexinit: reserved 0=20 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 127/256 debug2: bits set: 506/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/dhw/.ssh/known_hosts debug3: check_host_in_hostfile: match line 82 debug1: Host 'repo.mail-abuse.org' is known and matches the DSA host key. debug1: Found key in /home/dhw/.ssh/known_hosts:82 debug2: bits set: 528/1024 debug1: ssh_dss_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/david/.ssh/id_rsa (0x28434e20) debug2: key: /home/david/.ssh/id_dsa (0x28434e30) debug2: key: /home/dhw/.ssh/id_rsa (0x28434d20) debug2: key: /home/dhw/.ssh/id_dsa (0x28434d30) debug1: Authentications that can continue: publickey,gssapi-with-mic debug3: start over, passed a different list publickey,gssapi-with-mic debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic Segmentation fault (core dumped) catmint(7.0-C)[9]=20 Hmmm.... kinky.... OK; how about this: catmint(7.0-C)[10] kinit dhw@MAIL-ABUSE.ORG's Password:=20 kinit: NOTICE: ticket renewable lifetime is 0 catmint(7.0-C)[11] ssh -x repo uname -a FreeBSD repo.mail-abuse.org 6.2-STABLE FreeBSD 6.2-STABLE #61: Sun Jul 1 0= 6:28:55 PDT 2007 dhw@repo.mail-abuse.org:/usr/obj/usr/src/sys/SMP_PAE = i386 catmint(7.0-C)[12]=20 As a further reality check, I booted back to STABLE & tried the ssh again: catmint(6.2-S)[1] uname -a FreeBSD catmint.mail-abuse.org 6.2-STABLE FreeBSD 6.2-STABLE #30: Sun Jul = 1 07:05:51 PDT 2007 root@catmint.mail-abuse.org:/common/S1/obj/usr/src/= sys/CATMINT i386 catmint(6.2-S)[2] ssh -x repo uname -a FreeBSD repo.mail-abuse.org 6.2-STABLE FreeBSD 6.2-STABLE #61: Sun Jul 1 0= 6:28:55 PDT 2007 dhw@repo.mail-abuse.org:/usr/obj/usr/src/sys/SMP_PAE = i386 catmint(6.2-S)[3] uptime 11:33AM up 2 mins, 2 users, load averages: 0.35, 0.23, 0.09 catmint(6.2-S)[4]=20 I'm willing to try some things on the machine to help diagnose the problem(s) under CURRENT, but there are some things I'd like to do with it (that will take a few hours,such as a "make release") that I'd much rather do while it's running STABLE. And Sundays are about the only days I can really count on being able to do anything with CURRENT on the machine. (I'm in US/PAcific time zone.) So: clues? Would building a debugging version of ssh be a reasonable step? Peace, david --=20 David H. Wolfskill david@catwhisker.org Anything and everything is a (potential) cat toy. See http://www.catwhisker.org/~david/publickey.gpg for my public key. --bp/iNruPH9dso1Pn Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iEYEARECAAYFAkaH9LMACgkQmprOCmdXAD1tLACZAcQTTBhE921+W6+EEXUm/CTT FV4An1BtuNUMf1FevTgf8JVQ1AW9Hcj6 =lwOy -----END PGP SIGNATURE----- --bp/iNruPH9dso1Pn--