Wandering Thoughts archives

2006-06-27

More on the Solaris ssh stuff (part 2)

As an update on the Solaris ssh stuff:

Sun has just today released version 08 of patch 114356, which fixes the 'xmalloc: zero size' problem (charmingly described in the patch README as 'New ssh in Sol. 9 exits if the key fingerprint cannot be found in the known_host files'), but not the problems with mech_krb5.so and the GSS stuff.

This is a good step forward, and it fixes the most important issue, since the xmalloc problem actually makes ssh unusable while the GSS stuff just spews noxious messages. But I remain not very happy with how long it's taken Sun to fix this ssh bug; 114356-07 was released on March 21st, which means it took just over three months. (I can't imagine a Linux distribution letting a trivially reproducible fatal ssh bug sit for three weeks, much less three months.)

Maybe Sun considers ssh an unimportant utility. If so, someone please disabuse them of this notion.

MoreSolarisSshII written at 14:37:48; Add Comment

2006-06-21

More on the Solaris ssh stuff

I discovered today that the unpatched Solaris ssh program doesn't understand the 'GSSAPIKeyExchange' and 'GSSAPIAuthentication' configuration options that are necessary to fix the problem on the patched ssh. (I had them in a $HOME/.ssh/config file that was shared between a patched system and an unpatched system.)

So what appears to have happened is that Sun developed a new version of ssh that implements the GSS stuff, and as a result requires it and the Kerberos stuff to be installed and configured and so on. This is the 'new' ssh included in patch 114356-07 (but not in the -06 version of the same patch) that requires 112908-24 ('SunOS 5.9: krb5, gss Patch').

Later, Sun saw some problems and yanked all mention of current versions of patch 112908 from the patchdiag.xref file, thereby making 114356-07 uninstallable without special magic. However, they did not actually withdraw either 114356-07 or 112908-24 (and in fact 114356-07 remains marked as a recommended patch).

(Some investigation also shows that installing patch 117177 (mentioned in the README for 114356-07) does not help the problem any.)

MoreSolarisSsh written at 00:10:54; Add Comment

2006-06-19

Impending changes to access to Solaris patches

Through the pca news page I found out some impending changes to access to Solaris patches. There are two changes:

  • InfoDoc #83061 says that from mid-July, we'll need to register for a free Sun Online Account in order to get patches.
  • InfoDoc #82023 says that Sun will be turning off anonymous ftp access to patches in late August.

I'm honestly not sure how these two interact, since it's hard to enforce having accounts with anonymous ftp.

However, pca currently retrieves patches (and the patchdiag.xref index file) via http, not anonymous ftp, so it will be affected sooner. (I'm not sure if it'll require a pca update, or if you'll just be able to plug in a Sun Online Account ID and password as if it was a SunSolve one.)

Moral: I should get registered soon and start experimentation, no matter how annoying it's sure to be.

It's somewhat ironic that I just finished writing up what I've worked out about the patchdiag.xref format so I can start using it for nefarious purposes.

PatchAccessChanges written at 16:34:45; Add Comment

2006-06-10

Fixing the bad Solaris ssh patch

It turns out that there are actually three ssh problems introduced by the bad Solaris ssh patch. Since it's been well over a month with no sign or prospect of a fix from Sun, I gave in and applied workarounds. Fortunately, it turns out that all of problems can be made to go away with changes to /etc/ssh/ssh_config.

Ssh problem one is:

$ ssh host
dlopen(/usr/lib/gss/gl/mech_krb5.so): ld.so.1: ssh: fatal: /usr/lib/gss/gl/mech_krb5.so: open failed: No such file or directory

The minimal workaround for this in ssh_config is:

Host *
  GSSAPIKeyExchange no

Ssh problem two is closely related; it is:

$ ssh host
unable to initialize mechanism library [/usr/lib/gss/gl/mech_krb5.so]

This only appears if you have the SUNWkrbu package installed; problem one appears only if you don't. The ssh_config workaround this time is:

Host *
  GSSAPIKeyExchange no
  GSSAPIAuthentication no

Using both options is harmless for the first problem, so you might as well standardize on using both. As far as I know, these don't have any observable side effects if you're not using Kerberos (and if you are, you probably don't have either of these problems).

Ssh problem three is:

$ ssh host
xmalloc: zero size

This turns out to be caused by a bug in handling the 'ask' choice for the StrictHostKeyChecking option (which is the default setting). This means there are two solutions; you can either arrange to have known host keys for all the machines you'll want to talk to, or you can put the minimal workaround in ssh_config:

Host *
  StrictHostKeyChecking no

However, this workaround has a potential drawback: with this option set, new hosts have their host keys automatically added to your $HOME/known_hosts host key list, instead of you being prompted about it. (I'm not convinced that this is a big issue; in practice I always say 'yes' to this question anyways, and I'm already using this setting in some personal configurations.)

So the omnibus set of workarounds in /etc/ssh/ssh_config is:

Host *
  GSSAPIKeyExchange no
  GSSAPIAuthentication no
  StrictHostKeyChecking no

This also works in $HOME/.ssh/config, if you're on a system with this problem where you can't change the system ssh_config for some reason. Remember to add a cheery comment about why these options are set, so that in later months (or years) you can remember why they're there.

FixingSolarisSsh written at 01:39:31; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.