From: John Marshall
To: freebsd-current@freebsd.org
Date: Fri, 2 Oct 2009 14:39:14 +1000
Subject: Re: [SOLVED] sshd GSSAPIAuthentication broken after 8.0-BETA1 upgrade
Message-ID: <20091002043914.GI37304@rwpc12.mby.riverwillow.net.au>
In-Reply-To: <20090714053357.GH982@rwpc12.mby.riverwillow.net.au>

On Tue, 14 Jul 2009, 15:33 +1000, John Marshall wrote:
> On Wed, 08 Jul 2009, 18:52 +1000, John Marshall wrote:
> > I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to
> > 8.0-BETA1 this morning. I use GSSAPI as the primary authentication
> > method for sshd on that server. After the upgrade GSSAPI authentication
> > stopped working and I can't get enough information to figure out why.
> > Perhaps the newer version of Heimdal behaves differently? Perhaps the
> > newer version of sshd behaves differently?
[snip]
> > Does anybody know of changes between existing STABLE releases and 8.0
> > which would cause this behaviour - and how to accommodate it? Do any
> > strange Kerberos things need to be done as part of the upgrade?
> >
> > The client still happily authenticates via GSSAPI to sshd on our other
> > 7.2-RELEASE servers. Subsequent authentication methods succeed on the
> > 8.0-BETA1 sshd server, it's just GSSAPI that isn't working.
>
> After fallback authentication (e.g. via keyboard-interactive), I can see
> in my credentials cache on the server that a tgt was forwarded from the
> client. If I look in my credentials cache on the client, I can see that
> the service ticket for the server was acquired.

See solution posted to my OP in -stable@

Basically, the problem is a gssapi-with-mic compatibility issue between
Kerberos versions shipped in FreeBSD 7.2 and FreeBSD 8.0. The 7.2
machines need a [gssapi] section in /etc/krb5.conf in order to be
compatible with the FreeBSD 8.0 servers.

[gssapi]
	correct_des3_mic = host/*

-- 
John Marshall
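A check for the krb5.conf fix described in the post above, as an added example that is not part of John Marshall's message: a small POSIX sh/awk script that looks up a key inside a given [section] of a krb5.conf-style file and reports whether the [gssapi] correct_des3_mic setting is present. The two sample configuration files are constructed inline for the demonstration; the function names krb5_get_key and krb5_has_correct_des3_mic are chosen here, and the parser assumes the INI-style "[section]" layout that Heimdal uses for krb5.conf (nested "{ }" blocks are not interpreted, which is fine for the flat [gssapi] section).

```shell
#!/bin/sh
# Added example (not from the original post): verify that a krb5.conf carries
# the [gssapi] correct_des3_mic setting that 7.2 clients need for
# gssapi-with-mic against FreeBSD 8.0 sshd servers.
# Assumed: the file uses the INI-style "[section]" layout Heimdal parses.

# Print the value of KEY inside [SECTION] of a krb5.conf-style file.
# Usage: krb5_get_key FILE SECTION KEY   (prints nothing if absent)
krb5_get_key() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[[^]]*\][ \t]*$/ {        # "[section]" header line
            s = $0; gsub(/[][ \t]/, "", s)
            insec = (s == want); next
        }
        insec && /^[ \t]*#/ { next }       # skip comment lines
        insec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 if FILE has [gssapi] correct_des3_mic set, 1 otherwise.
krb5_has_correct_des3_mic() {
    v=$(krb5_get_key "$1" gssapi correct_des3_mic)
    [ -n "$v" ]
}

# Constructed sample configs (EXAMPLE.ORG is a placeholder realm):
# one without the fix, one with the [gssapi] section from the post.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/krb5-before.conf" <<'EOF'
[libdefaults]
	default_realm = EXAMPLE.ORG
[realms]
	EXAMPLE.ORG = {
		kdc = kdc.example.org
	}
EOF
cat > "$tmpdir/krb5-after.conf" <<'EOF'
[libdefaults]
	default_realm = EXAMPLE.ORG
[realms]
	EXAMPLE.ORG = {
		kdc = kdc.example.org
	}
[gssapi]
	# Needed on 7.2 clients for gssapi-with-mic against 8.0 sshd
	correct_des3_mic = host/*
EOF

# Report both sample files.
for f in "$tmpdir/krb5-before.conf" "$tmpdir/krb5-after.conf"; do
    if krb5_has_correct_des3_mic "$f"; then
        echo "$f: [gssapi] correct_des3_mic = $(krb5_get_key "$f" gssapi correct_des3_mic)"
    else
        echo "$f: no [gssapi] correct_des3_mic (7.2 client would fail gssapi-with-mic to an 8.0 server)"
    fi
done
```

To check a real host, call krb5_has_correct_des3_mic /etc/krb5.conf on each 7.2 client before its 8.0 servers go into service; the lookup is section-scoped, so a correct_des3_mic line in some other section does not count.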