Date: Mon, 13 Feb 2006 00:53:41 -0800 From: Alexander Botero-Lowry <alex@foxybanana.com> To: freebsd-security@freebsd.org Subject: heimdal and mit incompatability when using GSSAPI Message-ID: <20060213085341.GA6545@atlantis.foxybanana.com>
next in thread | raw e-mail | index | archive | help
My college is kerberized, and so in many situations authentication is both faster and more secure using kerberos tickets. Sadly I have run into a problem. The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi. For example ssh in verbose mode returns: debug2: we sent a gssapi-with-mic packet, wait for reply debug1: A token was invalid Unknown error: 0 when I try to connect to oberon. This same connection works fine on another machine with MIT krb5. Interestingly the tickets are issued even though the authentication fails: [0:49] alex@Laptop: ~> klist Credentials cache: FILE:/tmp/krb5cc_1001 Principal: boterola@REED.EDU Issued Expires Principal Feb 13 00:22:56 Feb 13 07:02:46 krbtgt/REED.EDU@REED.EDU Feb 13 00:38:54 Feb 13 07:02:46 host/oberon.reed.edu@REED.EDU I am also able to use GSSAPI in thunderbird (linux version with MIT krb5 libraries). Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers? Alex
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060213085341.GA6545>