SSH problems under Mac OS X and Linux

On August 1st (2006), a security update to Mac OS X 10.4.7 broke SSH connectivity to many Fermilab systems.  This was a result of Apple updating SSH to a new version that is unfortunately incompatible with the release of OpenSSH in use on many Fermilab servers. This recurred with the recent (March 13th 2007) release of Mac OS X 10.4.9, which upgraded SSH again. The same incompatibility also affects users of Scientific Linux (not SLF) 4.x, as SL 4 includes a newer version of OpenSSH.  The problem is an incompatibility between the Kerberos/GSSAPI authentication methods of the older and newer versions of OpenSSH. Prior to OpenSSH 3.5, Kerberized SSH used the GSSAPI authentication method.  As of OpenSSH 3.5, this was replaced with the GSSAPI-with-MIC authentication method, which is incompatible with the older releases.  This incompatibility extends into the 4.x releases of OpenSSH now common on Mac OS X.
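As an added example (not part of this page or of the Fermilab tools it describes), the following shell functions apply the OpenSSH 3.5 cutoff just described to an "ssh -V" version string and check which Kerberos method a server offers by reading the "Authentications that can continue:" line that "ssh -v" prints. The version strings and the two server transcripts are constructed for the demo, not captured from real hosts.

```shell
# Added example, not from the Fermilab page: classify an OpenSSH client by the
# Kerberos method it speaks (gssapi before 3.5, gssapi-with-mic from 3.5 on)
# and check a server's "ssh -v" debug output for that method.

# gss_method VERSION_STRING
# Prints "gssapi" for OpenSSH before 3.5, "gssapi-with-mic" for 3.5 and later.
# Accepts the raw output of "ssh -V", e.g. "OpenSSH_4.5p1, OpenSSL 0.9.7l ...".
gss_method() {
    # Reduce the version string to "MAJOR MINOR"; fail if it is not OpenSSH.
    set -- $(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ $# -eq 2 ] || return 1
    if [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 5 ]; }; then
        echo gssapi-with-mic
    else
        echo gssapi
    fi
}

# server_offers TRANSCRIPT METHOD
# Succeeds if the "Authentications that can continue:" line lists METHOD exactly.
server_offers() {
    printf '%s\n' "$1" |
        sed -n 's/^debug1: Authentications that can continue: //p' |
        tr ',' '\n' | grep -qx "$2"
}

# kerberos_compatible VERSION_STRING TRANSCRIPT
# Succeeds when the client's method is in the server's list, i.e. no mismatch.
kerberos_compatible() {
    method=$(gss_method "$1") || return 2
    server_offers "$2" "$method"
}

# Constructed sample transcripts (not captured from real Fermilab hosts): an old
# Kerberized server offering only "gssapi", and a patched one offering both.
OLD_SERVER='debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1
debug1: Authentications that can continue: gssapi,publickey,password'
PATCHED_SERVER='debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: Authentications that can continue: gssapi-with-mic,gssapi,publickey,password'

# Demo with a constructed 4.x client string standing in for "ssh -V" output.
for server in "$OLD_SERVER" "$PATCHED_SERVER"; do
    if kerberos_compatible 'OpenSSH_4.5p1, OpenSSL 0.9.7l 28 Sep 2006' "$server"; then
        echo "compatible: $(printf '%s\n' "$server" | head -n 1)"
    else
        echo "MISMATCH:   $(printf '%s\n' "$server" | head -n 1)"
    fi
done
```

To check a real pair, replace the constructed client string with the output of "ssh -V 2>&1" and the transcript with the output of "ssh -v host 2>&1".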

We expect this to be solved shortly by a new release of Fermi Kerberos coupled with a new release of OpenSSH for Scientific Linux Fermi. In the meantime, the workaround for this Mac OS X problem is to re-install the old SSH client (moving the new SSH aside rather than deleting it; the steps below keep it as ssh.new). Tarballs with these old SSH versions can be found on the Security Tools page. Once you have downloaded and unpacked the tarball, move the new version out of the way, copy the old version in place, change the ownership of the old version to match that of the new version and create a symbolic link to the old version:

sudo mv /usr/bin/ssh /usr/sbin/ssh.new
sudo mv <path>/ssh.old /usr/bin/
sudo chown root:wheel /usr/bin/ssh.old
sudo ln -s /usr/bin/ssh.old /usr/bin/ssh

A new release of Fermi Kerberos, needed to support the newer releases of OpenSSH, is being tested.  In addition, work is ongoing to build a release of OpenSSH for Scientific Linux which supports both the old and new GSSAPI authentication methods. This version of OpenSSH (both client and server) is expected to replace the OpenSSH currently supported on SLF 3.x and 4.x.

As of August 31st, new OpenSSH packages are available for Scientific Linux Fermi in the fermi-testing area.
  • fermi-kerberos is the regular Kerberos (same as in Scientific Linux) but with Cryptocard changes.
  • krb5.conf is an updated Kerberos configuration file needed for the new Kerberos version, with default settings for the new PAM module.
  • pam_krb5 is the PAM module for Kerberos and Cryptocard authentication. It includes statically linked libraries so it is compatible with different distributions.
  • openssh starts from the regular OpenSSH version from Scientific Linux, patched to work with the current OpenSSH versions in use in SLF 3.0.x and 4.x, so it can talk to both the older Kerberized OpenSSH (gssapi method) and the newer Kerberized OpenSSH (gssapi-with-mic method, the cause of the above Mac OS X and SL 4 problems).
  • zz_sshd_aklog, zz_sshd_nonkerberized and zz_sshd_pam are supporting RPMs.

To install these test versions with YUM:
  • SLF 3.0.x
     yum -c /etc/yum.conf.contrib update openssh\*
     yum -c /etc/yum.conf.contrib update krb5-fermi-config
     yum -c /etc/yum.conf.contrib update zz\*
  • SLF 4.x
     yum --enablerepo=fermi-testing update openssh\*
     yum --enablerepo=fermi-testing update krb5-fermi-config
     yum --enablerepo=fermi-testing update zz\*

FTP method:

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by FJN on April 3, 2007.
(Address comments about page to the Computer Security Team.)