[SOLVED] sshd GSSAPIAuthentication broken after 8.0-BETA1
john.marshall at riverwillow.com.au
Fri Oct 2 04:39:21 UTC 2009
On Tue, 14 Jul 2009, 15:33 +1000, John Marshall wrote:
> On Wed, 08 Jul 2009, 18:52 +1000, John Marshall wrote:
> > I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to
> > 8.0-BETA1 this morning. I use GSSAPI as the primary authentication
> > method for sshd on that server. After the upgrade GSSAPI authentication
> > stopped working and I can't get enough information to figure out why.
> > Perhaps the newer version of Heimdal behaves differently? Perhaps the
> > newer version of sshd behaves differently?
> > Does anybody know of changes between existing STABLE releases and 8.0
> > which would cause this behaviour - and how to accommodate it? Do any
> > strange Kerberos things need to be done as part of the upgrade?
> > The client still happily authenticates via GSSAPI to sshd on our other
> > 7.2-RELEASE servers. Subsequent authentication methods succeed on the
> > 8.0-BETA1 sshd server, it's just GSSAPI that isn't working.
> After fallback authentication (e.g. via keyboard-interactive), I can see
> in my credentials cache on the server that a tgt was forwarded from the
> client. If I look in my credentials cache on the client, I can see that
> the service ticket for the server was acquired.
See solution posted to my OP in -stable@
Basically, the problem is a gssapi-with-mic compatibility issue between
Kerberos versions shipped in FreeBSD 7.2 and FreeBSD 8.0. The 7.2
machines need a [gssapi] section in /etc/krb5.conf in order to be
compatible with the FreeBSD 8.0 servers.
correct_des3_mic = host/*
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20091002/74bb34ef/attachment.pgp
More information about the freebsd-current