Date:      Fri, 2 Oct 2009 14:39:14 +1000
From:      John Marshall <john.marshall@riverwillow.com.au>
To:        freebsd-current@freebsd.org
Subject:   Re: [SOLVED] sshd GSSAPIAuthentication broken after 8.0-BETA1 upgrade
Message-ID:  <20091002043914.GI37304@rwpc12.mby.riverwillow.net.au>
In-Reply-To: <20090714053357.GH982@rwpc12.mby.riverwillow.net.au>
References:  <20090708085202.GS1025@rwpc12.mby.riverwillow.net.au> <20090714053357.GH982@rwpc12.mby.riverwillow.net.au>

On Tue, 14 Jul 2009, 15:33 +1000, John Marshall wrote:
> On Wed, 08 Jul 2009, 18:52 +1000, John Marshall wrote:
> > I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to
> > 8.0-BETA1 this morning.  I use GSSAPI as the primary authentication
> > method for sshd on that server.  After the upgrade GSSAPI authentication
> > stopped working and I can't get enough information to figure out why.
> > Perhaps the newer version of Heimdal behaves differently?  Perhaps the
> > newer version of sshd behaves differently?
[snip]
> > Does anybody know of changes between existing STABLE releases and 8.0
> > which would cause this behaviour - and how to accommodate it?  Do any
> > strange Kerberos things need to be done as part of the upgrade?
> >
> > The client still happily authenticates via GSSAPI to sshd on our other
> > 7.2-RELEASE servers.  Subsequent authentication methods succeed on the
> > 8.0-BETA1 sshd server, it's just GSSAPI that isn't working.
>
> After fallback authentication (e.g. via keyboard-interactive), I can see
> in my credentials cache on the server that a tgt was forwarded from the
> client.  If I look in my credentials cache on the client, I can see that
> the service ticket for the server was acquired.

See solution posted to my OP in -stable@
<http://lists.freebsd.org/pipermail/freebsd-stable/2009-October/052217.html>;

Basically, the problem is a gssapi-with-mic compatibility issue between
Kerberos versions shipped in FreeBSD 7.2 and FreeBSD 8.0.  The 7.2
machines need a [gssapi] section in /etc/krb5.conf in order to be
compatible with the FreeBSD 8.0 servers.

  [gssapi]
          correct_des3_mic = host/*

-- 
John Marshall
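A small audit script, added here as an illustration and not part of John Marshall's message: it checks whether a krb5.conf on a 7.2-era host already carries the [gssapi] correct_des3_mic setting the thread settles on, so a fleet of clients can be checked before the 8.0 upgrade rather than after a failed login. It assumes only the INI-style krb5.conf layout; the sample files it writes are constructed for the demonstration. The function names (has_gssapi_mic_fix, make_sample_krb5_conf) are this script's own.

```shell
#!/bin/sh
# Added example, not from the original message. Checks a krb5.conf for the
# [gssapi] section with a correct_des3_mic line, as described in the thread.

# has_gssapi_mic_fix FILE
#   Returns 0 if FILE has a [gssapi] section containing a correct_des3_mic
#   key, 1 otherwise. The key is only counted inside [gssapi]; the same
#   name under another section does not satisfy the check.
has_gssapi_mic_fix() {
    awk '
        # A line such as "[gssapi]" starts a new section; remember its name.
        /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {
            s = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", s)
            section = tolower(s)
            next
        }
        # Inside [gssapi], look for "correct_des3_mic = ...".
        section == "gssapi" && $0 ~ /^[[:space:]]*correct_des3_mic[[:space:]]*=/ {
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# make_sample_krb5_conf FILE fixed|unfixed
#   Writes a constructed krb5.conf (realm and KDC names are placeholders),
#   with or without the [gssapi] setting from the thread.
make_sample_krb5_conf() {
    {
        printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\n'
        printf '[realms]\n\tEXAMPLE.COM = {\n\t\tkdc = kdc.example.com\n\t}\n\n'
        if [ "$2" = fixed ]; then
            printf '[gssapi]\n\tcorrect_des3_mic = host/*\n'
        fi
    } > "$1"
}

# Stand-alone demonstration against the two constructed files.
demo_dir=$(mktemp -d)
make_sample_krb5_conf "$demo_dir/fixed.conf" fixed
make_sample_krb5_conf "$demo_dir/unfixed.conf" unfixed
for f in "$demo_dir/fixed.conf" "$demo_dir/unfixed.conf"; do
    if has_gssapi_mic_fix "$f"; then
        echo "$f: [gssapi] correct_des3_mic present"
    else
        echo "$f: [gssapi] correct_des3_mic MISSING"
    fi
done
rm -rf "$demo_dir"
```

To audit a real host, call has_gssapi_mic_fix /etc/krb5.conf and act on the exit status; the awk body is POSIX, so the same script runs under FreeBSD's /bin/sh without GNU extensions.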
