Date:      Sun, 17 Dec 2006 13:25:47 -0600
From:      Quincey Koziol <koziol@hdfgroup.org>
To:        freebsd-security@freebsd.org
Cc:        Boris Samorodov <bsam@ipt.ru>
Subject:   Re: Problems using gssapi authentication from FreeBSD to Linux machines
Message-ID:  <FC7EB8AB-9DB4-4DEC-BD13-DF85AFC05C49@hdfgroup.org>
In-Reply-To: <48779656@srv.sem.ipt.ru>
References:  <5C883CE5-2A0A-4D7D-BE47-5B4EEFED18B1@hdfgroup.org> <48779656@srv.sem.ipt.ru>

On Dec 15, 2006, at 1:52 AM, Boris Samorodov wrote:

> On Thu, 14 Dec 2006 23:34:17 -0600 Quincey Koziol wrote:
>
>> Hi all,
>> 	I'm really struggling with getting Kerberos authentication to work
>> between a FreeBSD host and a Linux host.  I'm using the latest 6-STABLE
>> code on the FreeBSD box, I've got forwardable Kerberos tokens (verified
>> with "klist -f") and Kerberos and ssh are working fine in all other ways,
>> but I can't get the Linux box to accept the Kerberos ticket as
>> authentication from the FreeBSD machine.  The Linux box accepts Kerberos
>> credentials from other Linux machines and I can use ssh on the FreeBSD
>> machine to connect to itself with Kerberos credentials (i.e. not required
>> to type my password).  This leads me to believe that either the protocol
>> for forwarding the Kerberos credentials is different between the two
>> machines or there's another minor tweak I need to make to the ssh_config
>> file on the FreeBSD machine.  One other difference is that the Linux box
>> is running OpenSSH 3.9p1 and the FreeBSD box is running OpenSSH 4.5p1.
>
> This difference should not be a problem.
>
>> 	Here's my ssh_config from the FreeBSD machine:
>
>> #	$OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
>> #	$FreeBSD: src/crypto/openssh/ssh_config,v 1.27.2.4 2006/11/11 00:51:28 des Exp $
>
>> # This is the ssh client system-wide configuration file.  See
>> # ssh_config(5) for more information.  This file provides defaults for
>> # users, and the values can be changed in per-user configuration files
>> # or on the command line.
>
>> # Configuration data is parsed as follows:
>> #  1. command line options
>> #  2. user-specific file
>> #  3. system-wide file
>> # Any configuration value is only changed the first time it is set.
>> # Thus, host-specific definitions should be at the beginning of the
>> # configuration file, and defaults at the end.
>
>> # Site-wide defaults for some commonly used options.  For a comprehensive
>> # list of available options, their meanings and defaults, please see the
>> # ssh_config(5) man page.
>
>> # Host *
>> #   ForwardAgent no
>> #   ForwardX11 no
>> #   RhostsRSAAuthentication no
>> #   RSAAuthentication yes
>> #   PasswordAuthentication yes
>> #   HostbasedAuthentication no
>> #   GSSAPIAuthentication no
>> #   GSSAPIDelegateCredentials no
>> #   BatchMode no
>> #   CheckHostIP no
>> #   AddressFamily any
>> #   ConnectTimeout 0
>> #   StrictHostKeyChecking ask
>> #   IdentityFile ~/.ssh/identity
>> #   IdentityFile ~/.ssh/id_rsa
>> #   IdentityFile ~/.ssh/id_dsa
>> #   Port 22
>> #   Protocol 2,1
>> #   Cipher 3des
>> #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
>> #   EscapeChar ~
>> #   Tunnel no
>> #   TunnelDevice any:any
>> #   PermitLocalCommand no
>> #   VersionAddendum FreeBSD-20061110
>
>> # Add kerberos ticket forwarding
>> # QAK - 12/13/06
>> Host *
>
> May be it's paranoid but I prefer to use more strict values here,
> i.e. *.my.domain. This may prevent sending my credentials to hosts if
> I incidentally misspell a command.
>
>>     GSSAPIAuthentication yes
>>     GSSAPIDelegateCredentials yes
>> # If this option is set to yes then the remote X11 clients will have full access
>> # to the local X11 display. As virtually no X11 client supports the untrusted
>> # mode correctly we set this to yes.
>>     ForwardX11Trusted yes
>
> [logs skipped]
>
>> 	The main difference I can see is that the FreeBSD log has this:
>
>> debug2: we sent a gssapi-with-mic packet, wait for reply
>> debug1: Delegating credentials
>> debug1: Delegating credentials
>> debug1: Authentications that can continue: gssapi-with-mic,password
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup password
>
>> 	And the Linux log has this:
>
>> debug1: Next authentication method: gssapi-with-mic
>> debug2: we sent a gssapi-with-mic packet, wait for reply
>> debug1: Delegating credentials
>> debug1: Delegating credentials
>> debug1: Authentication succeeded (gssapi-with-mic).
>
>> 	Any ideas what could be causing the ssh on FreeBSD to "not send a
>> packet"?
>
> Seems that the Linux host doesn't accept credentials. Do you have an
> access to this box? If yes, run sshd with verbose debug ("ddd") at
> different port (say, "-p 1000") and then try to connect to this host
> via ssh from FreeBSD host. Look at debugging log for the connection
> details. HTH

	I've looked at the logs with -ddd and there's not enough information
to really tell what's going on and they both look the same when
logging it.  (And the Linux box still succeeds and FreeBSD doesn't.)
Anyone have any other ideas?

	Thanks,
		Quincey
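The thread turns on two points from the quoted ssh_config: the "first value wins" parsing rule in its header comment, and Boris's suggestion to scope the GSSAPI delegation stanza to `*.my.domain` rather than `Host *` so a mistyped hostname never receives a forwarded TGT. The script below is an added illustration, not code from the thread or from OpenSSH; it models that first-match rule over three constructed configs (`SCOPED_CONFIG`, `BROAD_CONFIG`, `MISORDERED_CONFIG`, all hypothetical) and reports whether credentials would be delegated to a given host. It is a simplified model: it handles `Host` stanzas with `*`/`?` glob patterns only, not negated patterns, `Match` blocks or `Include`.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed configs (hypothetical, not the file from the original mail).

# Boris's suggestion: the narrow stanza first, the broad default last.
SCOPED_CONFIG = """\
Host *.my.domain
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""

# The shape of the quoted config: delegation enabled for every host.
BROAD_CONFIG = """\
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""

# Same stanzas as SCOPED_CONFIG but in the wrong order: because ssh keeps
# the first value it sees, the *.my.domain stanza never takes effect.
MISORDERED_CONFIG = """\
Host *
    GSSAPIDelegateCredentials no

Host *.my.domain
    GSSAPIDelegateCredentials yes
"""


def parse_ssh_config(text: str) -> List[Tuple[List[str], Dict[str, str]]]:
    """Split an ssh_config into (host_patterns, options) stanzas in file order.
    Options that appear before any Host line apply to every host ('*')."""
    stanzas: List[Tuple[List[str], Dict[str, str]]] = []
    patterns: List[str] = ["*"]
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if options:
                stanzas.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[key] = value
    if options:
        stanzas.append((patterns, options))
    return stanzas


def effective_options(text: str, hostname: str) -> Dict[str, str]:
    """Resolve options for hostname the way ssh_config(5) describes:
    walk stanzas in order and keep the FIRST value set for each keyword
    by any stanza whose Host pattern matches."""
    effective: Dict[str, str] = {}
    for patterns, options in parse_ssh_config(text):
        if not any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            continue
        for key, value in options.items():
            effective.setdefault(key, value)  # earlier value wins
    return effective


def delegates_credentials(text: str, hostname: str) -> bool:
    """True if this config would forward Kerberos credentials to hostname.
    OpenSSH's default for GSSAPIDelegateCredentials is 'no'."""
    value = effective_options(text, hostname).get("gssapidelegatecredentials", "no")
    return value.lower() == "yes"


if __name__ == "__main__":
    for name, cfg in (("scoped", SCOPED_CONFIG), ("broad", BROAD_CONFIG),
                      ("misordered", MISORDERED_CONFIG)):
        for host in ("server.my.domain", "server.my.domian"):  # second one is a typo
            print(f"{name:10} {host:20} delegate={delegates_credentials(cfg, host)}")
```

Running it shows the trade-off in the thread: the scoped config delegates to `server.my.domain` but not to the typo `server.my.domian`, the broad `Host *` config delegates to both, and the misordered config delegates to neither because the `Host *` stanza set the value first. The real client reports the same resolution with `ssh -G hostname`, which prints the effective option values for a host.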