Peter Losher
2005-Jul-24 02:04 UTC
Does OpenSSH+GSSAPI interoperate between Heimdal and MIT?
I have a freshly installed FreeBSD 6.0-BETA1 system, which comes with Heimdal & OpenSSH w/GSSAPI enabled (version 4.1p1 FreeBSD-20050605). Most of the servers I connect to have OpenSSH w/GSSAPI enabled, but they use MIT Kerberos (1.3.x and 1.4.x).

Now, I can use ticket authentication between all systems where the libraries are all the same (Heimdal or MIT), but trying to use, for example, a client built w/ Heimdal and a server that is built w/ MIT, it fails w/ this error:

-=-
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Miscellaneous failure (see text)
PROCESS_TGS

debug1: Trying to start again
debug2: we did not send a packet, disable method
-=-

Has anyone experienced this, and if so, how did they get around it (if they did)?

Best Wishes - Peter
--
Peter_Losher at isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"
Sergio Gelato
2005-Jul-24 10:01 UTC
Does OpenSSH+GSSAPI interoperate between Heimdal and MIT?
* Peter Losher [2005-07-23 19:04:21 -0700]:
> I have a freshly installed FreeBSD 6.0-BETA1 system, which comes with Heimdal

Which version of Heimdal? 0.6 or 0.7? With 0.6, there is at least one issue you need to pay attention to, involving the des3 MIC algorithm. Older Heimdal had an over-the-wire incompatibility with MIT. This was fixed in 0.6, but not enabled by default until 0.7; if you want to enable it, you need to add a

[gssapi]
	correct_des3_mic = *

to your krb5.conf. See the Heimdal documentation for further details, in particular if you need to talk to pre-0.6 Heimdal. (The * is a regular expression matching the service principal.)

I'm not sure that this is your problem, but there is a good chance...

> & OpenSSH w/GSSAPI enabled (version 4.1p1 FreeBSD-20050605) Most of the
> servers I connect to have OpenSSH w/GSSAPI enabled but they use MIT Kerberos
> (1.3.x and 1.4.x) Now, I can use ticket authentication between all systems
> where the libraries are all the same (Heimdal or MIT), but trying to use, for
> example, a client built w/ Heimdal and a server that is built w/ MIT, it
> fails w/ this error:
>
> -=-
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Miscellaneous failure (see text)
> PROCESS_TGS
>
> debug1: Trying to start again
> debug2: we did not send a packet, disable method
> -=-
>
> Has anyone experienced this, and if so, how did they get around it (if they
> did)?
>
> Best Wishes - Peter
> --
> Peter_Losher at isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"
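For readers who want to see where the [gssapi] setting from the reply above sits in a complete Heimdal krb5.conf, here is an added example file (not from the thread, and not Heimdal's own sample). The realm name EXAMPLE.ORG and the KDC host are placeholders. The commented-out narrower pattern assumes the regular-expression matching against the service principal that Sergio describes; if you are unsure how your Heimdal version matches, keep the "*" he gives.

```ini
; Added example krb5.conf for a Heimdal client talking to MIT-based sshd servers.
; Realm and host names are placeholders, not values from the original thread.
[libdefaults]
	default_realm = EXAMPLE.ORG

[realms]
	EXAMPLE.ORG = {
		kdc = kdc.example.org
		admin_server = kdc.example.org
	}

[domain_realm]
	.example.org = EXAMPLE.ORG
	example.org = EXAMPLE.ORG

; Heimdal-specific: use the MIT-compatible des3 MIC in GSSAPI.
; Needed on 0.6 (off by default there); 0.7 enables it by default.
; The value is matched against the service principal; "*" as given
; in the reply above covers every service.
[gssapi]
	correct_des3_mic = *
; Assumed narrower alternative (regex semantics as described above):
; only SSH host principals in this realm get the corrected MIC,
; leaving pre-0.6 Heimdal services on the old behaviour.
;	correct_des3_mic = host/.*@EXAMPLE.ORG
```

After changing the setting, re-run `ssh -vv` against one of the MIT-based servers: if the des3 MIC was the cause, the "we sent a gssapi-with-mic packet" step should now succeed instead of falling back with "disable method".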