similar to: openssh-2.9.9p2 and kerberos 5

I note with interest that Kerberos support is now available (for the version 1 protocol, at least) in OpenSSH 2.9.9p2. However, it does not build with MIT Kerberos, due to the usual Heimdal/MIT library differences. These look, by and large, like the same problems I encountered when porting Dan Kouril's patch to MIT Kerberos - so I'm having a go at fixing them (my GSSAPI patches need

The following patch *) Adds a configure option to turn on the existing Kerberos v5 support in the portable version *) Extends the code to support MIT Kerberos in addition to Heimdal The patch is against the current CVS tree. I've tested it against MIT Keberos 1.2.2, I'd appreciate it if someone could confirm that Heimdal works with the portable configuration stuff. Coming RSN -

An updated version of my patch for Kerberos v5 support is now available from http://www.sxw.org.uk/computing/patches/openssh-2.5.2p1-krb5.patch This patch includes updated Kerberos v5 support for protocol version 1, and also adds GSSAPI support for protocol version 2. Unlike the Kerberos v5 code (which will still not interoperate with ssh.com clients and servers), the GSSAPI support is based on

The attached patch adds support for Heimdal and MIT Kerberos in protocol v1 in the portable code. The Heimdal side of things just enables the code that's present in OpenBSD's 3.0 release, the MIT specific code adds compatibility for those areas in which the Heimdal API differs. This adds a new configuration option --with-kerberos5=<path>, which will detect which version of the

The openssh-3.0 announcement said: (...) 3) improved Kerberos support in protocol v1 (KerbIV and KerbV) (...) This seems to imply at least some krb5 support, but there is nothing new in ./configure --help about it. Grepping the source, I see many references to #ifdef KRB5. Trying to enable it manually (a #define in config.h) gives errors about a missing krb5_auth_con_setaddrs_from_fd, which I

I had compiled and installed heimdal-0.5.1 . Then I wanted to compile openssh-3.5p1. These should be my options: flags=CFLAGS='-Wall -O2 -march=athlon -mcpu=athlon' do_prelude: chown -R root.root * $(flags) ./configure --prefix=/usr \ --mandir=/usr/share/man \ --infodir=/usr/share/info \ --sysconfdir=/etc/ssh \ --libexecdir=/usr/lib/ssh \ --with-tcp-wrappers

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-04:08.heimdal Security Advisory The FreeBSD Project Topic: heimdal cross-realm trust vulnerability Category: core Module: crypto_heimdal

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-04:08.heimdal Security Advisory The FreeBSD Project Topic: heimdal cross-realm trust vulnerability Category: core Module: crypto_heimdal

Hi. I've had this patch a while (and I posted an earlier version a while back): it tries to use krb5-config to obtain the Kerberos build options. If it's not available, or isn't in the path specified to --with-kerberos5 then the existing behaviour is kept. It seems to work for me with MIT and Heimdal. I got some feedback from one person, would any of the Kerberos-using folk care to

> FWIW, here are further patches which allow openssh-3.0p1 to work > with paleo-MIT Kerberos5 1.0.6, more or less (more with tickets > and less with the auth_krb5_password {get,verify}_init_creds stuff). Thanks for these. Unfortunately, your vrs patches seem to be based on an earlier version of my patch than the one you're bundling. In particular, your patch adds back in the

Thanks, Simon for the MIT Kerberos5 patches. FWIW, here are further patches which allow openssh-3.0p1 to work with paleo-MIT Kerberos5 1.0.6, more or less (more with tickets and less with the auth_krb5_password {get,verify}_init_creds stuff). BTW, the patches I pulled out of the archive seemed to have some line wrapping problems; I had to apply several chunks by hand. I'm therefore including

Hello all I have a problem using kadmind patch. # cd /usr/src/kerberos5/libexec/k5admind # make depend && make all install ... /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb/hdb.h:41: hdb_asn1.h: No such file or directory In file included from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadm_conn.c:34:

Hi, This is just a quick note to let people know that I've _almost_ got Kerberos V5 working based on the patches posted to this list. I'm currently at the stage where Kerberos principals can be used to verify logins (ie Kerberos credentials are correctly passed), but I haven't (yet) got ticket forwarding to work - this is the next step! I've taken the original patches and updated

(I hope this message is appropriate for these lists. If not, please tell me and I won't do it again.) Hi All. There will be a new release of OpenSSH in a couple of weeks. This release contains Kerberos and GSSAPI related changes that we would like to get some feedback about (and hopefully address any issues with) before the release. I encourage anyone with an interest in

I have FreeBSD-6.1 and it appears the default installation has a full complement of Kerberos5. But, /usr/src/kerberos5/README states: This subtree is world-exportable, as it does not contain any cryptographic code. At the time of writing, it did not even contain source code, only Makefiles and headers. Please maintain this "exportable" status quo. Thanks!

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-04:09.kadmind Security Advisory The FreeBSD Project Topic: heimdal kadmind remote heap buffer overflow Category: contrib Module: crypto_heimdal

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-04:09.kadmind Security Advisory The FreeBSD Project Topic: heimdal kadmind remote heap buffer overflow Category: contrib Module: crypto_heimdal

Versions: openssh-3.8p1-33, heimdal-0.6.1rc3-51, XFree86-4.3.99.902-40, tk-8.4.6-37, all from SuSE 9.1 (unhacked); back-version peers have openssh-3.5p1, XFree86-4.3.0-115, etc. from SuSE 8.2. Symptoms: 1. When the client and server versions are unequal, the Kerberos ticket is not accepted for authentication. All the clients have PreferredAuthentications gssapi-with-mic, gssapi, others. 2.

Ugh. With MAKE_KERBEROS5=yes, on a recent STABLE, I get the following trying to use Kerberized telnet: # telnet -l test big.x.kientzle.com Trying 66.166.149.54... Connected to big.x.kientzle.com. Escape character is '^]'. [ Trying mutual KERBEROS5 (host/big.x.kientzle.com@X.KIENTZLE.COM)... ] Bus error (core dumped) Fortunately, it's pretty easy to track down: (gdb) up #2

Just curious. There seems to be an awful lot in the source, but no actual configure option. Please advise. -- Austin Gonyou Systems Architect, CCNA Coremetrics, Inc. Phone: 512-698-7250 email: austin at coremetrics.com "It is the part of a good shepherd to shear his flock, not to skin it." Latin Proverb