This page contains information about a modified version of lsh that add support for GSS user authentication according to draft-ietf-secsh-gsskeyex-06.txt using GSSLib, or the GSS libraries from Heimdal or MIT Kerberos.
Download it from http://josefsson.org/gss/gss-lsh.patch.
Complete snapshots are distributed from ftp://alpha.gnu.org/gnu/gss/.
The patched LSH source code is maintained in a CVS repository, available from http://savannah.gnu.org/cgi-bin/viewcvs/gss/lsh-gss/.
Install either Shishi 0.0.1 and GSSLib 0.0.4, or Heimdal, or
MIT Kerberos 5. Then install lsh from the snapshots above, or the
pre-patched CVS above, or upstream CVS and apply the patch
manually. Configure will pick up GSS automatically if you have it
installed. If you want to use Heimdal or MIT, you must
You can then try it like the following. As the client I was able to use, besides LSH itself, OpenSSH 3.6.1p2 with patches, linked against MIT Kerberos 5.
For some reason, I'm unable to get the known_host stuff to work in LSH, so I need sloppy host key and type yes every time. This is unrelated to the GSS patches, it happens with unmodified LSH from CVS too. Someone else is encouraged to look into that problem.
Debian users! The GSS patched OpenSSH in the "ssh-krb5" package does not work. It probably implement an older version of the draft.
Remember that the hostkey file, i.e. typically $prefix/etc/shishi.keys (GSS/Shishi) or $prefix/etc/krb5.keytab (MIT Kerberos 5 and Heimdal), must be readable by the user invoking lshd. Also remember that the user invoking lsh must have tickets, as acquired by running "shishi" or "kauth".
jas@latte:~/src/lsh/src$ make lshd&&./lshd --port 4711 --verbose make: `lshd' is up to date. lshd: Accepting connection from 192.168.1.10, port 34979 lshd: Initiating handshake with 192.168.1.10 lshd: garbage collecting... lshd: Objects alive: 90, garbage collected: 13 lshd: Client version: SSH-2.0-OpenSSH_3.6.1p2 Server version: SSH-2.0-lshd_1.5.2 lsh - a free ssh lshd: Received KEXINIT message. Key exchange initated. lshd: Selected keyexchange algorithm: diffie-hellman-group1-sha1 with hostkey algorithm: ssh-dss lshd: Selected bulk algorithms: (client to server, server to client) Encryption: (3des-cbc, 3des-cbc) Message authentication: (hmac-md5, hmac-md5) Compression: (none, none) lshd: Received NEWKEYS. Key exchange finished. lshd: Setting session key lifetime to 5400 seconds lshd: Client requests 1 GSS mechanism(s). lshd: Acquiring GSS credentials for GSS mechanism 2a864886f712010202 (0). lshd: Ready to continue with mechanism 06092a864886f712010202 (0). lshd: Received GSS token. lshd: Preparing to finish GSS authentication. lshd: Sending GSS token. lshd: Finishing GSS. lshd: GSS user jas@JOSEFSSON.ORG authorized to log on as jas. lshd: Allocated local channel number 0 lshd: Registering local channel 0. lshd: Taking channel 0 in use, (local 0). lshd: Client requesting a tty... lshd: granted. lshd: Updating utmp for login failed (errno = 9): Bad file descriptor ... lshd: Child 30550 died with exit code 0. lshd: Updating utmpx for logout failed (errno = 9): Bad file descriptor lshd: server_session.c: Sending exit-status message on channel 0 lshd: Sending EOF on channel 0 lshd: Sending CLOSE on channel 0 lshd: Receiving CLOSE on channel 0 (local 0) lshd: write_buffer: Attempt to write data to closed buffer. lshd: Deallocating local channel 0 lshd: Connection died.
jas@latte:~/src/lsh/src$ ./lsh -p 4711 -v latte.josefsson.org --sloppy-host-authentication --verbose lsh: Enabling default escape character `~' lsh: You have an old known-hosts file `/home/jas/.lsh/host-acls'. To work with lsh-2.0, run the lsh-upgrade script, which will convert that to a new host-acls file. lsh: Failed to open `/home/jas/.lsh/host-acls' for reading (errno = 2): No such file or directory lsh: Failed to open `/home/jas/.lsh/identity' for reading (errno = 2): No such file or directory lsh: Client version: SSH-2.0-lsh_1.5.2 lsh - a free ssh Server version: SSH-2.0-lshd_1.5.2 lsh - a free ssh lsh: Received KEXINIT message. Key exchange initated. lsh: Selected keyexchange algorithm: diffie-hellman-group1-sha1 with hostkey algorithm: ssh-dss lsh: Selected bulk algorithms: (client to server, server to client) Encryption: (aes256-cbc, aes256-cbc) Message authentication: (hmac-sha1, hmac-sha1) Compression: (none, none) lsh: garbage collecting... lsh: Objects alive: 96, garbage collected: 22 lsh: SPKI authorization failed. Received unauthenticated key for host latte.josefsson.org Key details: Bubble Babble: xegib-lalez-racet-bufez-nedik-gehen-mokiv-beluf-laziv-fedyp-koxoxFingerprint: 8f:f0:38:7e:63:2c:cc:1e:41:1e:32:e9:6d:fa:5b:a8 Do you trust this key? (y/n) y lsh: Received NEWKEYS. Key exchange finished. lsh: Setting session key lifetime to 2400 seconds lsh: Requesting authentication using the `none' method. lsh: Sending list of GSS mechanisms we support. lsh: Sending initial GSS token. lsh: Sending GSS token. lsh: GSS authentication done. lsh: User authentication successful. lsh: Allocated local channel number 0 lsh: Registering local channel 0. lsh: Taking channel 0 in use, (local 0). lsh: Requesting a remote pty. lsh: pty request succeeded jas@latte:~$ lsh: Connection died. jas@latte:~/src/lsh/src$
$Id: gss-lsh.html,v 1.28 2008/08/20 13:29:34 jas Exp $