Date:      Tue, 14 Jul 2009 10:34:54 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        John Marshall <john.marshall@riverwillow.com.au>
Cc:        freebsd-current@freebsd.org
Subject:   Re: sshd GSSAPIAuthentication broken after 8.0-BETA1 upgrade
Message-ID:  <Pine.GSO.4.63.0907141027190.2520@muncher.cs.uoguelph.ca>
In-Reply-To: <20090714053357.GH982@rwpc12.mby.riverwillow.net.au>
References:  <20090708085202.GS1025@rwpc12.mby.riverwillow.net.au> <20090714053357.GH982@rwpc12.mby.riverwillow.net.au>



On Tue, 14 Jul 2009, John Marshall wrote:

> Zero interest on -stable after 1 week. Trying -current.
>
> On Wed, 08 Jul 2009, 18:52 +1000, John Marshall wrote:
>> I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to
>> 8.0-BETA1 this morning.  I use GSSAPI as the primary authentication
>> method for sshd on that server.  After the upgrade GSSAPI authentication
>> stopped working and I can't get enough information to figure out why.
>> Perhaps the newer version of Heimdal behaves differently?  Perhaps the
>> newer version of sshd behaves differently?
>>
I'm a Kerberos weenie, so don't expect this to help, but I know what
it's like when it doesn't work. Here are some things I've had luck with
when trying to get the gssapi to work in the past:
- try commenting out all the other mechanisms in /etc/gss/mech. (It
   seems to sometimes get confused and tries to use a different mech
   than Kerberos, or whatever you are using.)
- try to make sure that your KDC, client and server machine are all
   using the same encryption type by default (and that the entry for
   the host principal in the server is encrypted with that same type).
   default_etypes in /etc/krb5.conf + whatever your KDC uses
- make sure your machines have fully qualified DNS names and that
   the name for the server matches the one used for the host based
   principal in its keytab file.

Doubt any of the above will help, but good luck with it, rick
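
The encryption-type and host-name checks from the list above, sketched as an added example that is not part of the original message or of FreeBSD's tooling. The krb5.conf fragment and the keytab listing are constructed samples, and the "Vno Type Principal" column layout is an assumption about what your keytab listing tool prints; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data (not from a real system). The keytab listing is
# assumed to have "Vno Type Principal" columns; adjust $2/$3 if yours differs.
sample_conf() {
cat <<'EOF'
[libdefaults]
    default_etypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1
EOF
}
sample_keytab() {
cat <<'EOF'
Vno  Type                     Principal
  3  des3-cbc-sha1            host/srv1.example.org@EXAMPLE.ORG
  3  arcfour-hmac-md5         host/srv1.example.org@EXAMPLE.ORG
  2  aes256-cts-hmac-sha1-96  host/srv1@EXAMPLE.ORG
EOF
}

# Print the first enctype named by default_etypes (krb5.conf text on stdin).
first_default_etype() {
    awk -F= '$1 ~ /^[ \t]*default_etypes[ \t]*$/ { split($2, e, " "); print e[1]; exit }'
}

# check_host_key FQDN ETYPE   (keytab listing on stdin)
# returns 0 = host/FQDN has a key of ETYPE, 1 = name is not fully qualified,
#         2 = no host/FQDN principal at all, 3 = principal exists, wrong enctype
check_host_key() {
    case "$1" in
        *.*) ;;
        *) echo "$1 is not a fully qualified name" >&2; return 1 ;;
    esac
    awk -v want="host/$1@" -v etype="$2" '
        index($3, want) == 1 { seen = 1; if ($2 == etype) ok = 1 }
        END { if (ok) exit 0; if (seen) exit 3; exit 2 }'
}

# Demo on the constructed samples: the preferred enctype has no matching key.
etype=$(sample_conf | first_default_etype)
if sample_keytab | check_host_key srv1.example.org "$etype"; then
    echo "host/srv1.example.org has a $etype key"
else
    echo "mismatch (code $?) for host/srv1.example.org with $etype"
fi
```

On a real server, feed the functions the contents of /etc/krb5.conf and your actual keytab listing instead of the samples.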



