AIX

  • 1.  sshd "reverse mapping checking getaddrinfo for ... failed" & krb5 problem

    Posted Thu April 10, 2008 05:19 PM

    Originally posted by: SystemAdmin


    Why is sshd failing to reverse lookup a host that I can lookup in both /etc/hosts and via DNS with short hostname, fully qualified hostname, and IP address?

    I am running on the sshd server as follows.

    In one window...

    host1 # /usr/sbin/sshd -ddd -p7777

    debug3: Trying to reverse map address <address here>...
    reverse mapping checking getaddrinfo for host1 <address here> failed - POSSIBLE BREAK-IN ATTEMPT!

    In another window...

    host1 % ssh -vvv -p7777 host1

    I am able to login successfully with my password; however, I cannot get KRB5 ticket forwarding to work. I suspect that this could be due to the host lookup problem. After I login via ssh, I can klist successfully; however, I cannot login w/o my password once I have KRB5 creds. Perhaps the processing of the krb5.keytab file is stepping on the same host lookup problem. I have verified that the krb5.keytab works from host1 when root attempts to kinit through it.

    I am using KRB5LDAP (kerberos for authentication and ldap for authorization).

    I have the following filesets installed.

    krb5.client.rte 1.4.0.5 COMMITTED Network Authentication Service
    krb5.client.samples 1.4.0.5 COMMITTED Network Authentication Service
    krb5.doc.en_US.html 1.4.0.5 COMMITTED Network Auth Service HTML
    krb5.doc.en_US.pdf 1.4.0.5 COMMITTED Network Auth Service PDF
    krb5.lic 1.4.0.5 COMMITTED Network Authentication Service
    krb5.msg.en_US.client.rte 1.4.0.5 COMMITTED Network Auth Service Client
    openssh.base.client 4.5.0.5302 COMMITTED Open Secure Shell Commands
    openssh.base.server 4.5.0.5302 COMMITTED Open Secure Shell Server
    openssh.license 4.5.0.5302 COMMITTED Open Secure Shell License
    openssh.man.en_US 4.5.0.5302 COMMITTED Open Secure Shell
    openssh.msg.en_US 4.5.0.5302 COMMITTED Open Secure Shell Messages -
    krb5.client.rte 1.4.0.5 COMMITTED Network Authentication Service
    openssh.base.client 4.5.0.5302 COMMITTED Open Secure Shell Commands
    openssh.base.server 4.5.0.5302 COMMITTED Open Secure Shell Server

    Any idea why the host reverse lookup is failing?

    Any idea why KRB5 ticket forwarding is not working?

    Thanks
    #AIX-Forum
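
The check behind the log line in the post above, as an added example that is not part of the original post and not OpenSSH's source: a small C diagnostic that does the reverse lookup and then the forward lookup through getnameinfo/getaddrinfo, the system resolver path the sshd message names and which nslookup does not exercise. The function and result names are this example's own.

```c
/* Added diagnostic, not OpenSSH source. Result names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>

enum { MAP_OK, MAP_BAD_ADDR, MAP_NO_PTR, MAP_GAI_FAILED, MAP_MISMATCH };

/* Forward step: does `name` resolve, in the same family, to numeric `ip`? */
int forward_confirms(const char *name, const char *ip, int family)
{
    struct addrinfo hints = { .ai_family = family, .ai_socktype = SOCK_STREAM };
    struct addrinfo *res, *ai;
    char num[NI_MAXHOST];
    int rc = MAP_MISMATCH;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return MAP_GAI_FAILED;        /* the failure the sshd log line names */
    for (ai = res; ai != NULL; ai = ai->ai_next)
        if (getnameinfo(ai->ai_addr, ai->ai_addrlen, num, sizeof num,
                        NULL, 0, NI_NUMERICHOST) == 0 && strcmp(num, ip) == 0)
            rc = MAP_OK;
    freeaddrinfo(res);
    return rc;
}

/* Reverse step (a name is required), then forward confirmation of that name. */
int check_mapping(const char *ip, char *name, size_t len)
{
    struct addrinfo hints = { .ai_flags = AI_NUMERICHOST }, *peer;
    char ntop[NI_MAXHOST];
    int rc = MAP_NO_PTR;
    if (getaddrinfo(ip, NULL, &hints, &peer) != 0)   /* parse only, no lookup */
        return MAP_BAD_ADDR;
    getnameinfo(peer->ai_addr, peer->ai_addrlen, ntop, sizeof ntop,
                NULL, 0, NI_NUMERICHOST);            /* canonical text form */
    if (getnameinfo(peer->ai_addr, peer->ai_addrlen, name, len,
                    NULL, 0, NI_NAMEREQD) == 0)
        rc = forward_confirms(name, ntop, peer->ai_family);
    freeaddrinfo(peer);
    return rc;
}

int main(int argc, char **argv)
{
    char name[NI_MAXHOST] = "";
    int rc = argc > 1 ? check_mapping(argv[1], name, sizeof name) : MAP_BAD_ADDR;
    printf("result=%d name=%s\n", rc, name);
    return rc;
}
```

Run it on the sshd host with the client address as the only argument; a result of 3 (MAP_GAI_FAILED) while nslookup succeeds points at the system resolver path rather than at DNS data.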


  • 2.  Re: sshd "reverse mapping checking getaddrinfo for ... failed" & krb5 probl

    Posted Tue April 15, 2008 01:51 PM

    Originally posted by: SystemAdmin


    Has anybody seen this behavior before? Where reverse host lookups fail for openssh; yet, nslookup and /etc/hosts both resolve the hostname and IP address?


  • 3.  Re: sshd "reverse mapping checking getaddrinfo for ... failed" & krb5 probl

    Posted Tue April 15, 2008 03:08 PM

    Originally posted by: j.gann


    I have seen exactly this with a recent release of openssh 4.5 or 4.6 from the sourceforge site. Check for a fresh copy there but note that new (fixed) releases from there often come with the very same name and version number.

    Message was edited by: j.gann


  • 4.  Re: sshd "reverse mapping checking getaddrinfo for ... failed" & krb5 probl

    Posted Wed April 16, 2008 01:38 PM

    Originally posted by: SystemAdmin


    This is in fact the latest SourceForge.net build of OpenSSH for AIX, which is what IBM instructs you to get. I figured it was a bug and decided to download and build the latest OpenSSH from OpenSSH.org; unfortunately, the latest openssl from IBM doesn't include the header files, making it more difficult to build OpenSSH.

    I may have to download openssl, krb5, etc, and build them all - ugh.

    I tried AIX's telnet command for single-sign-on and got krb5 forwardable creds, yet single-sign-on still doesn't work!


  • 5.  Re: sshd "reverse mapping checking getaddrinfo for ... failed" & krb5 probl

    Posted Wed April 16, 2008 02:09 PM

    Originally posted by: SystemAdmin


    I guess I said that wrong. IBM's openssl comes with header files, but the /usr/include/openssl/opensslv.h that comes with openssl.base 0.9.8.4 says it's version "OpenSSL 0.9.7g 11 Apr 2005". The OpenSSH build barfs on this because the header file and library version numbers do not match.


  • 6.  Re: sshd "reverse mapping checking getaddrinfo for ... failed" & krb5 probl

    Posted Fri April 18, 2008 12:53 PM

    Originally posted by: SystemAdmin


    Does anyone from IBM know that the openssl from IBM's web download site has a version mismatch and is therefore BROKEN in terms of being able to build off of it?

    % lslpp -f openssl.base
    Fileset File
    ----------------------------------------------------------------------------
    Path: /usr/lib/objrepos
    openssl.base 0.9.8.4 /usr/include/openssl/hmac.h
    ...
    /usr/include/openssl/opensslv.h
    ...

    % grep OPENSSL_VERSION_TEXT /usr/include/openssl/opensslv.h
    #define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g-fips 11 Apr 2005"
    #define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g 11 Apr 2005"

    And the ssl library that comes with it says "OpenSSL 0.9.8d 28 Sep 2006".

    Can someone at IBM verify/acknowledge this and fix it???


  • 7.  Re: sshd "reverse mapping checking getaddrinfo for ... failed" & krb5 probl

    Posted Thu May 22, 2008 02:27 PM

    Originally posted by: SystemAdmin


    The new AIX version of openssh just released this week on sourceforge.net fixes the problems with reverse host lookups and krb5 ticket forwarding.

    Yea!


  • 8.  Re: sshd "reverse mapping checking getaddrinfo for ... failed" & krb5 probl

    Posted Fri May 23, 2008 02:12 AM

    Originally posted by: SystemAdmin


    When I tried to install this (openssh.base.server 4.7), it is looking for another version of openssl - openssl.base 0.9.8.600

    (See this thread: http://www-128.ibm.com/developerworks/forums/thread.jspa?threadID=206405&tstart=0)


  • 9.  Re: sshd "reverse mapping checking getaddrinfo for ... failed" & krb5 probl

    Posted Fri May 23, 2008 10:16 AM

    Originally posted by: SystemAdmin


    The new openssl for AIX is available at IBM's AIX Web Download Pack Programs page.

    https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=aixbp&S_PKG=openssl&lang=en_US&dlmethod=http


  • 10.  Re: sshd "reverse mapping checking getaddrinfo for ... failed" & krb5 probl

    Posted Fri May 23, 2008 10:28 AM

    Originally posted by: SystemAdmin


    Sorry for the bad link...

    The new openssl for AIX is available at IBM's AIX Web Download Pack Programs page.

    http://www-03.ibm.com/systems/p/os/aix/expansionpack/index.html

    Click on Downloads, then OpenSSL 0.9.8.4, which will take you to a page that has openssl.9.8.600.tar.Z (6476619).