From owner-freebsd-security@FreeBSD.ORG Mon Feb 13 08:54:02 2006
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 326ED16A420 for ; Mon, 13 Feb 2006 08:54:02 +0000 (GMT) (envelope-from alex@foxybanana.com)
Received: from atlantis.foxybanana.com (foxybanana.com [66.240.239.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id A29BB43D45 for ; Mon, 13 Feb 2006 08:54:01 +0000 (GMT) (envelope-from alex@foxybanana.com)
Received: from localhost (localhost [127.0.0.1]) by atlantis.foxybanana.com (Postfix) with ESMTP id 95E9F146154 for ; Mon, 13 Feb 2006 00:53:59 -0800 (PST)
Received: from atlantis.foxybanana.com ([127.0.0.1]) by localhost (atlantis.foxybanana.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31509-02 for ; Mon, 13 Feb 2006 00:53:44 -0800 (PST)
Received: by atlantis.foxybanana.com (Postfix, from userid 503) id 3A85614618B; Mon, 13 Feb 2006 00:53:41 -0800 (PST)
Date: Mon, 13 Feb 2006 00:53:41 -0800
From: Alexander Botero-Lowry
To: freebsd-security@freebsd.org
Message-ID: <20060213085341.GA6545@atlantis.foxybanana.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: amavisd-new at foxybanana.com
X-Spam-Status: No, hits=0 tagged_above=-9999 required=3 tests=[none]
X-Spam-Level:
X-Mailman-Approved-At: Mon, 13 Feb 2006 12:46:08 +0000
Subject: heimdal and mit incompatibility when using GSSAPI
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 13 Feb 2006 08:54:02 -0000

My college is kerberized, and so in many situations authentication is both
faster and more secure using kerberos tickets. Sadly I have run into a
problem.

The Heimdal included in FreeBSD seems to be incompatible with my school's
servers running MIT kerberos when authenticating over gssapi. For example
ssh in verbose mode returns:

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: A token was invalid
Unknown error: 0

when I try to connect to oberon. This same connection works fine on
another machine with MIT krb5.

Interestingly the tickets are issued even though the authentication fails:

[0:49] alex@Laptop: ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: boterola@REED.EDU

  Issued           Expires          Principal
Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU
Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU

I am also able to use GSSAPI in thunderbird (linux version with MIT krb5
libraries).

Does anyone have any insight into how to get GSSAPI authentication to work
betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Alex

From owner-freebsd-security@FreeBSD.ORG Mon Feb 13 18:14:26 2006
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1013A16A420; Mon, 13 Feb 2006 18:14:26 +0000 (GMT) (envelope-from Cy.Schubert@komquats.com)
Received: from spqr.komquats.com (S0106002078125c0c.gv.shawcable.net [24.108.150.239]) by mx1.FreeBSD.org (Postfix) with ESMTP id 64D2243D5D; Mon, 13 Feb 2006 18:14:25 +0000 (GMT) (envelope-from Cy.Schubert@komquats.com)
Received: from cwsys.cwsent.com (cwsys [10.1.1.1]) by spqr.komquats.com (Postfix) with ESMTP id 593FA4C5C5; Mon, 13 Feb 2006 10:14:23 -0800 (PST)
Received: from cwsys (localhost [127.0.0.1]) by cwsys.cwsent.com (8.13.4/8.13.4) with ESMTP id k1DIELkn058489; Mon, 13 Feb 2006 10:14:21 -0800 (PST) (envelope-from Cy.Schubert@komquats.com)
Message-Id: <200602131814.k1DIELkn058489@cwsys.cwsent.com>
X-Mailer: exmh version 2.7.2 01/07/2005 with nmh-1.0.4
From: Cy Schubert
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.komquats.com/
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 13 Feb 2006 10:14:21 -0800
Sender: Cy.Schubert@komquats.com
Cc:
Subject: Upcoming Tripwire Port Upgrade
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Cy Schubert
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 13 Feb 2006 18:14:26 -0000

I have an updated tripwire port which I'd like to release for testing
prior to replacing the existing and currently broken tripwire port. I've
tested it under the upcoming 6.1, where it seems to work well in my test
environment, and will commence testing under 4.11-STABLE, the upcoming
5.5, and 7.0-CURRENT.

The things that are on my todo list are:

- Fully test under 4.11-STABLE.
- Fully test under 5.5-*.
- Implement it into production in my 6.1-* environments (just prior to
  committing it).
- Fully test under 7.0-CURRENT.
- The pkg-plist appears to be correct though I do want to test that piece
  a little more rigorously.
- The database build is currently part of the port post-install however I
  want to move that part of the install into the package install so that
  this port can be distributed via binary package as well.
- Finally when all is done, commit it before the February 20 ports change
  freeze.

Any and all testing would be greatly appreciated. A copy of the port can
be found at http://komquats.com/~cy/tripwire-port-060213.tar.bz2.

Cheers,
Cy Schubert
Web:  http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX:  Web:  http://www.FreeBSD.org
BC Government:

"Lift long enough and I believe arrogance is replaced by humility and fear
by courage and selfishness by generosity and rudeness by compassion and
caring."
        -- Dave Draper

From owner-freebsd-security@FreeBSD.ORG Thu Feb 16 18:24:36 2006
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A995E16A420 for ; Thu, 16 Feb 2006 18:24:36 +0000 (GMT) (envelope-from bsam@ipt.ru)
Received: from mail.ipt.ru (mail.ipt.ru [80.253.10.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C72343D45 for ; Thu, 16 Feb 2006 18:24:35 +0000 (GMT) (envelope-from bsam@ipt.ru)
Received: from doc.sem.ipt.ru ([192.168.12.1] helo=srv.sem.ipt.ru) by mail.ipt.ru with esmtp (Exim 4.54 (FreeBSD)) id 1F9nnq-000NBc-HH; Thu, 16 Feb 2006 21:24:30 +0300
Received: from bsam by srv.sem.ipt.ru with local (Exim 4.60 (FreeBSD)) (envelope-from ) id 1F9nmE-0002Qo-R1; Thu, 16 Feb 2006 21:22:50 +0300
To: Alexander Botero-Lowry
References: <20060213085341.GA6545@atlantis.foxybanana.com>
From: Boris Samorodov
Date: Thu, 16 Feb 2006 21:22:50 +0300
In-Reply-To: <20060213085341.GA6545@atlantis.foxybanana.com> (Alexander Botero-Lowry's message of "Mon, 13 Feb 2006 00:53:41 -0800")
Message-ID: <61710261@srv.sem.ipt.ru>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: freebsd-security@freebsd.org
Subject: Re: heimdal and mit incompatibility when using GSSAPI
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 16 Feb 2006 18:24:36 -0000

On Mon, 13 Feb 2006 00:53:41 -0800 Alexander Botero-Lowry wrote:

> My college is kerberized, and so in many situations authentication is
> both faster and more secure using kerberos tickets. Sadly I have run
> into a problem.

> The Heimdal included in FreeBSD seems to be incompatible with my
> school's servers running MIT kerberos when authenticating over gssapi.

Which version of FreeBSD and Heimdal are you using?

> For example ssh in verbose mode returns:
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: A token was invalid
> Unknown error: 0

man krb5.conf may give some clue to heimdal kerberos to be more
MIT-compatible.

> when I try to connect to oberon. This same connection works fine on
> another machine with MIT krb5.

> Interestingly the tickets are issued even though the authentication
> fails:

> [0:49] alex@Laptop: ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
>         Principal: boterola@REED.EDU
>
>   Issued           Expires          Principal
> Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU
> Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU

How and when did you get krbtgt? Did you use kinit? (man kinit may help
a little)

> I am also able to use GSSAPI in thunderbird (linux version with MIT
> krb5 libraries).

Under Linux OS? I didn't find any linux-thunderbird at the ports tree.

> Does anyone have any insight into how to get GSSAPI authentication to
> work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Well, imo before using GSSAPI you may ensure that kerberos itself is
working (i.e. what I've written above).

WBR
--
Boris B. Samorodov, Research Engineer
InPharmTech Co, http://www.ipt.ru
Telephone & Internet Service Provider
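An added example, not code from either poster or from FreeBSD. Boris's advice is to confirm that Kerberos itself works before looking at GSSAPI, and the two outputs Alexander quoted (klist and ssh -v) are enough to make that split: a TGT plus a host/ service ticket in the cache means the KDC and the client library agree, so a failure after "we sent a gssapi-with-mic packet" is in the GSSAPI exchange, not in ticket acquisition. The POSIX sh functions below apply that check. The sample inputs are constructed copies of the outputs in the thread, the realm REED.EDU and host oberon.reed.edu come from the thread, the function names and verdict strings are my own, and the krb5.conf hint in the verdict repeats Boris's suggestion rather than diagnosing the actual cause.

```shell
#!/bin/sh
# Added example for this thread (not from either poster or from FreeBSD).
# Separates "are Kerberos tickets being issued?" from "is the GSSAPI
# exchange failing?" using only the text of klist and ssh -v, so it runs
# offline on the constructed samples below and equally on live output:
#   klist | krb5_ticket_state REED.EDU oberon.reed.edu
#   ssh -v -o GSSAPIAuthentication=yes oberon.reed.edu 2>&1 | gssapi_state

# Constructed sample: Heimdal klist output as quoted in the thread.
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: boterola@REED.EDU

  Issued           Expires          Principal
Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU
Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU'

# Constructed sample: the ssh -v lines as quoted in the thread.
SAMPLE_SSH_DEBUG='debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: A token was invalid
Unknown error: 0'

# krb5_ticket_state REALM HOST   (klist output on stdin)
# Prints one of: both | tgt | service | none.
# "both" = a TGT and a host/HOST service ticket are present, i.e. the
# Kerberos side (kinit + service ticket request) is working.
krb5_ticket_state() {
    realm=$1; host=$2
    cache=$(cat)
    tgt=0; svc=0
    printf '%s\n' "$cache" | grep -qF "krbtgt/$realm@$realm" && tgt=1
    printf '%s\n' "$cache" | grep -qF "host/$host@$realm" && svc=1
    case "$tgt$svc" in
        11) echo both ;;
        10) echo tgt ;;
        01) echo service ;;
        *)  echo none ;;
    esac
}

# gssapi_state   (ssh -v output on stdin)
# Prints one of: ok | token-rejected | not-attempted | failed.
# The strings matched are OpenSSH's own debug messages.
gssapi_state() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -qF 'gssapi-with-mic'; then
        echo not-attempted
    elif printf '%s\n' "$log" | grep -qF 'Authentication succeeded (gssapi-with-mic)'; then
        echo ok
    elif printf '%s\n' "$log" | grep -qF 'A token was invalid'; then
        echo token-rejected
    else
        echo failed
    fi
}

# triage REALM HOST KLIST_TEXT SSH_TEXT -> one-line verdict
triage() {
    t=$(printf '%s\n' "$3" | krb5_ticket_state "$1" "$2")
    g=$(printf '%s\n' "$4" | gssapi_state)
    case "$t/$g" in
        both/ok)             echo "kerberos ok, gssapi ok" ;;
        both/token-rejected) echo "kerberos ok, gssapi token rejected: check krb5.conf on the Heimdal client" ;;
        both/*)              echo "kerberos ok, gssapi $g" ;;
        *)                   echo "fix kerberos first (tickets: $t): kinit, then re-check klist for host/$2" ;;
    esac
}

# Stand-alone run on the constructed samples: prints the token-rejected verdict.
triage REED.EDU oberon.reed.edu "$SAMPLE_KLIST" "$SAMPLE_SSH_DEBUG"
```

On Alexander's output the verdict is "kerberos ok, gssapi token rejected", which is the case Boris's reply does not resolve: ticket acquisition from the MIT KDC succeeded, so the remaining difference is in how the Heimdal GSSAPI library builds the token the MIT sshd rejects. If instead klist showed no host/ ticket, the script sends you back to kinit and klist before touching ssh.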