John Marshall
2009-Jul-08 09:07 UTC
sshd GSSAPIAuthentication broken after 8.0-BETA1 upgrade
I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to 8.0-BETA1 this morning. I use GSSAPI as the primary authentication method for sshd on that server. After the upgrade GSSAPI authentication stopped working and I can't get enough information to figure out why. Perhaps the newer version of Heimdal behaves differently? Perhaps the newer version of sshd behaves differently?

If I run sshd with debug "-ddd" I see the following:

debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 37
debug3: mm_request_receive_expect entering: type 38
debug3: mm_request_receive entering
debug3: monitor_read: checking request 37
debug3: mm_request_send entering: type 38
debug3: mm_request_receive entering
Postponed gssapi-with-mic for john from 192.0.2.123 port 57225 ssh2
debug3: mm_request_send entering: type 39
debug3: mm_request_receive_expect entering: type 40
debug3: mm_request_receive entering
debug3: monitor_read: checking request 39
debug1: Received some client credentials
debug3: mm_request_send entering: type 40
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 43
debug3: mm_request_receive_expect entering: type 44
debug3: mm_request_receive entering
debug3: monitor_read: checking request 43
debug3: mm_request_send entering: type 44
debug3: mm_request_receive entering
GSSAPI MIC check failed

On the client side (with ssh -vvv) I see:

debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method

Does anybody know of changes between existing STABLE releases and 8.0 which would cause this behaviour - and how to accommodate it? Do any strange Kerberos things need to be done as part of the upgrade?

The client still happily authenticates via GSSAPI to sshd on our other 7.2-RELEASE servers. Subsequent authentication methods succeed on the 8.0-BETA1 sshd server, it's just GSSAPI that isn't working.

Thanks.

--
John Marshall
John Marshall
2009-Oct-02 04:16 UTC
[SOLVED] sshd GSSAPIAuthentication broken after 8.0-BETA1 upgrade
Apologies for including all of OP - but it was 3 months ago and provides necessary context. See solution below OP.

On Wed, 08 Jul 2009, 18:52 +1000, John Marshall wrote:

> I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to
> 8.0-BETA1 this morning. I use GSSAPI as the primary authentication
> method for sshd on that server. After the upgrade GSSAPI authentication
> stopped working and I can't get enough information to figure out why.
> Perhaps the newer version of Heimdal behaves differently? Perhaps the
> newer version of sshd behaves differently?
>
> If I run sshd with debug "-ddd" I see the following:
>
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method gssapi-with-mic
> debug3: mm_request_send entering: type 37
> debug3: mm_request_receive_expect entering: type 38
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 37
> debug3: mm_request_send entering: type 38
> debug3: mm_request_receive entering
> Postponed gssapi-with-mic for john from 192.0.2.123 port 57225 ssh2
> debug3: mm_request_send entering: type 39
> debug3: mm_request_receive_expect entering: type 40
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 39
> debug1: Received some client credentials
> debug3: mm_request_send entering: type 40
> debug3: mm_request_receive entering
> debug3: mm_request_send entering: type 43
> debug3: mm_request_receive_expect entering: type 44
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 43
> debug3: mm_request_send entering: type 44
> debug3: mm_request_receive entering
> GSSAPI MIC check failed
>
> On the client side (with ssh -vvv) I see:
>
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
> debug2: we did not send a packet, disable method
>
> Does anybody know of changes between existing STABLE releases and 8.0
> which would cause this behaviour - and how to accommodate it? Do any
> strange Kerberos things need to be done as part of the upgrade?
>
> The client still happily authenticates via GSSAPI to sshd on our other
> 7.2-RELEASE servers. Subsequent authentication methods succeed on the
> 8.0-BETA1 sshd server, it's just GSSAPI that isn't working.

With help from Jim Basney on the OpenSSH-dev mailing list, I was able to determine that the gssapi error underlying the sshd debug message "GSSAPI MIC check failed" was GSS_S_BAD_SIG (GSS_S_BAD_MIC). That proved that it was a Kerberos problem but didn't give me any clue as to why a FreeBSD 8.0 server would regard as BAD signatures that were happily validated on FreeBSD 7.2 servers.

I am indebted to David P. Discher for discovering this solution.

The problem is related to the difference in Heimdal Kerberos versions shipped with FreeBSD 7.2 and 8.0.

  FreeBSD 7.2 --> Heimdal 0.6.3
  FreeBSD 8.0 --> Heimdal 1.1.0

- FreeBSD 7.2 Kerberos includes a broken-by-default gssapi-with-mic.
- FreeBSD 8.0 Kerberos includes a correct gssapi-with-mic.

FreeBSD 8.0 Kerberos doesn't understand the message produced by the FreeBSD 7.2 Kerberos broken gssapi-with-mic. Fortunately Heimdal 0.6 understands messages produced by both the broken and correct gssapi-with-mic AND provides a switch to enable use of the correct gssapi-with-mic.
So, in order to produce messages which can be processed by FreeBSD 8.0 Kerberos, FreeBSD 7.2 machines must add entries like the following to their /etc/krb5.conf

  [gssapi]
    correct_des3_mic = host/my.freebsd8.server@MY.REALM
    correct_des3_mic = host/myother.freebsd8.server@MY.REALM

Wildcards can also be used, so as long as none of your machines use a version of Heimdal earlier than 0.6, you can do something like:

  [gssapi]
    correct_des3_mic = host/*

Note that the Heimdal 0.6.3 verify_krb5_conf utility doesn't know about the [gssapi] section and will flag it as an error.

For a full description of the broken/correct gssapi-with-mic issue, see the COMPATIBILITY section of the Heimdal 0.6.3 gssapi(3) man page shipped with (but not installed on) FreeBSD 7.2

  /usr/src/crypto/heimdal/lib/gssapi/gssapi.3:
  $Id: gssapi.3,v 1.5.2.2 2003/04/30 09:56:26 lha Exp $

--
John Marshall
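The fix above is a per-target-principal switch on the Heimdal 0.6 client side: the 7.2 machine emits the correct DES3 MIC only when the server principal it is contacting (host/fqdn@REALM for sshd) matches one of its correct_des3_mic entries. The following is an added example, not code from the thread or from Heimdal, that reads a krb5.conf and reports which server principals a 7.2 client would send a correct MIC to. It assumes krb5.conf can be read as flat "[section]" / "key = value" lines (nested "key = { ... }" blocks are skipped), and that correct_des3_mic entries are matched against the unparsed principal with shell-style globbing, which is what the thread's "host/*" example suggests; the sample configuration and principal names are constructed.

```python
"""Audit which server principals a Heimdal 0.6 client will use the
correct DES3 MIC with, based on [gssapi] correct_des3_mic in krb5.conf.

Added example; not Heimdal's own parser.  Assumptions: flat
"[section]" / "key = value" parsing (nested "{ ... }" blocks skipped),
and fnmatch-style glob matching of patterns against the full principal.
"""
import fnmatch
from collections import defaultdict


def parse_krb5_conf(text):
    """Return {section: {key: [value, ...]}}; repeated keys accumulate,
    which is how correct_des3_mic lists several principals."""
    conf = defaultdict(lambda: defaultdict(list))
    section = None
    depth = 0  # >0 while inside a "key = { ... }" sub-block (skipped)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue  # blank or comment line
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip()
            depth = 0
            continue
        if line.endswith('{'):
            depth += 1
            continue
        if line == '}':
            depth = max(0, depth - 1)
            continue
        if depth or section is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        conf[section][key].append(value)
    return conf


def correct_des3_mic_patterns(conf):
    """The [gssapi] correct_des3_mic entries, in file order."""
    return list(conf.get('gssapi', {}).get('correct_des3_mic', []))


def uses_correct_des3_mic(conf, principal):
    """True if a Heimdal 0.6 client with this config would emit the correct
    DES3 MIC when authenticating to `principal` (assumed glob semantics)."""
    return any(fnmatch.fnmatchcase(principal, pat)
               for pat in correct_des3_mic_patterns(conf))


def audit(conf_text, principals):
    """Map each target principal to whether the correct MIC is used.
    A False entry is a server that will log 'GSSAPI MIC check failed'
    if it runs Heimdal 1.x (FreeBSD 8.0)."""
    conf = parse_krb5_conf(conf_text)
    return {p: uses_correct_des3_mic(conf, p) for p in principals}


# Constructed sample, modelled on the thread's /etc/krb5.conf fragment.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MY.REALM

[realms]
    MY.REALM = {
        kdc = kdc.my.realm
    }

[gssapi]
    correct_des3_mic = host/my.freebsd8.server@MY.REALM
    correct_des3_mic = host/myother.freebsd8.server@MY.REALM
"""

# Constructed target principals: two 8.0 servers and one still on 7.2.
SAMPLE_TARGETS = [
    'host/my.freebsd8.server@MY.REALM',
    'host/myother.freebsd8.server@MY.REALM',
    'host/old.freebsd7.server@MY.REALM',
]

if __name__ == '__main__':
    for principal, ok in audit(SAMPLE_KRB5_CONF, SAMPLE_TARGETS).items():
        print(f"{principal}: {'correct MIC' if ok else 'broken MIC (default)'}")
```

Running it against the sample reports the two 8.0 hosts as covered and the 7.2 host as still receiving the broken-by-default MIC, which is what you want while that host runs Heimdal 0.6.3 and has not been listed. Replacing the two entries with "host/*" flips every host/ principal to the correct MIC, so only do that once no Heimdal older than 0.6 remains, as the post says.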