woensdag 20 mei 2009

OpenSSH : Kerberos user principal name incorrect on AIX

Introduction:
Currently, it is observed that password based Kerberos authentication in OpenSSH does not function properly on AIX. Even though AIX can authenticate a user via Kerberos (using the KRB5/KRB5A load module), OpenSSH cannot.

Impacted:
- OpenSSH <= 5.2p1

Details:
This issue is caused by the fact that an AIX user has two attributes which OpenSSH doesn't take into account when forming the principal name of the user (attributes auth_name and auth_domain). If AIX user, myuser, has the attributes auth_name=someone and auth_domain=SOMEWHERE, then the Kerberos principal name would be someone@SOMEWHERE instead of myuser@DEFAULTREALM. By employing the auth_domain attribute, requests are sent to to the SOMEWHERE realm instead of the default realm DEFAULTREALM, which is listed in the libdefaults section of the krb5.conf configuration file.

The following can be seen in the OpenSSH code (auth-krb5.c on line 88):

problem = krb5_parse_name(authctxt->krb5_ctx,authctxt->pw->pw_name,&authctxt->krb5_user);

Since authctxt->pw->pw_name contains only the user name (without a realm), the default realm will be automatically appended according to the documentation of the krb5_parse_name call. Since this isn't the correct realm name (the overwritten auth_domain is the correct one), Kerberos authentication will fail. If the auth_domain attribute is not set, the default realm name will be used.

Resolution:
- Bugzilla item # 1583 was created to address this issue. The item contains a patch to the source which solves the issue.

woensdag 6 mei 2009

Samba : DFS does not work on AIX

Introduction:
Currently, there is a minor bug in Samba which makes DFS unusable on AIX.

Impacted:
- Samba <= 3.3.4

Details:
The issue is caused by the behaviour of the readlink system call on AIX. If the size of the buffer cannot contain the entire symbolic link, the ERANGE error is returned. Other UNIX and Linux distributions will never return an error if the size of the buffer is too small. Instead, only a part of the symbolic link will be written in the buffer.

In msdfs.c, the character array 'link_target_buf' is defined with size 7 (size of "msdfs:" + 1). Since the DFS link is larger than that, the readlink system call on AIX returns ERANGE. In order to resolve this issue, the array should be of size PATH_MAX (defined in /usr/include/sys/limits.h).

A proposed patch looks like:

--- msdfs.c 2009-05-06 08:36:00.000000000 +0200
+++ msdfs.new.c 2009-05-06 08:36:44.000000000 +0200
@@ -400,11 +400,15 @@
      char **pp_link_target,
      SMB_STRUCT_STAT *sbufp)
 {
   SMB_STRUCT_STAT st;
   int referral_len = 0;
+#ifdef AIX
+  char link_target_buf[PATH_MAX];
+#else
   char link_target_buf[7];
+#endif
   size_t bufsize = 0;
   char *link_target = NULL;

   if (pp_link_target) {
      bufsize = 1024;


Resolution:
- Bugzilla item # 6330 was created to address this issue.

zondag 3 mei 2009

OpenSSH : Server option PrintLastLog does not work on AIX

Introduction:
Currently, the OpenSSH server option "PrintLastLog" does not work on AIX. The last login time is always displayed, disregarding the option.

Impacted:
- OpenSSH <= 5.2p1

Details:
When browsing the source, several functions in loginrec.c were found which solely handle the processing of the last login info (login_get_lastlog, getlast_entry).
Since AIX does not provide such a function natively, the configure script sets the DISABLE_LASTLOG define. A small code snippet from getlast_entry in loginrec.c shows this:

#if defined(DISABLE_LASTLOG)
   /* On some systems we shouldn't even try to obtain last login
    * time, e.g. AIX */
   return (0);


On the other hand, when issuing the AIX loginsuccess() call (which writes a new login record), the last login record can be retrieved by that very same call.
Looking at port-aix.c, the following can be seen:

if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
   success = 1;
   if (msg != NULL && loginmsg != NULL && !msg_done) {
      debug("AIX/loginsuccess: msg %s", msg);
      buffer_append(loginmsg, msg, strlen(msg));
      xfree(msg);
      msg_done = 1;
   }
}


Pointer "msg" points to the new last login info for the user and it always appended to the loginmsg buffer. The buffer_append call should only be called if options.print_lastlog is set.

Resolution:
- Bugzilla item # 1595 was created to address this issue. The item contains patches to the source which solve the issue.