[SOLVED] sshd GSSAPIAuthentication broken after 8.0-BETA1 upgrade

John Marshall john.marshall at riverwillow.com.au
Fri Oct 2 04:39:21 UTC 2009


On Tue, 14 Jul 2009, 15:33 +1000, John Marshall wrote:
> On Wed, 08 Jul 2009, 18:52 +1000, John Marshall wrote:
> > I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to
> > 8.0-BETA1 this morning.  I use GSSAPI as the primary authentication
> > method for sshd on that server.  After the upgrade GSSAPI authentication
> > stopped working and I can't get enough information to figure out why.
> > Perhaps the newer version of Heimdal behaves differently?  Perhaps the
> > newer version of sshd behaves differently?
[snip]
> > Does anybody know of changes between existing STABLE releases and 8.0
> > which would cause this behaviour - and how to accommodate it?  Do any
> > strange Kerberos things need to be done as part of the upgrade?
> > 
> > The client still happily authenticates via GSSAPI to sshd on our other
> > 7.2-RELEASE servers.  Subsequent authentication methods succeed on the
> > 8.0-BETA1 sshd server, it's just GSSAPI that isn't working.
> 
> After fallback authentication (e.g. via keyboard-interactive), I can see
> in my credentials cache on the server that a tgt was forwarded from the
> client.  If I look in my credentials cache on the client, I can see that
> the service ticket for the server was acquired.

See solution posted to my OP in -stable@
<http://lists.freebsd.org/pipermail/freebsd-stable/2009-October/052217.html>

Basically, the problem is a gssapi-with-mic compatibility issue between
Kerberos versions shipped in FreeBSD 7.2 and FreeBSD 8.0.  The 7.2
machines need a [gssapi] section in /etc/krb5.conf in order to be
compatible with the FreeBSD 8.0 servers.

  [gssapi]
          correct_des3_mic = host/*

-- 
John Marshall
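
To confirm which FreeBSD 7.2 machines already carry the [gssapi] entry described in the message, a check like the one below can be run over their krb5.conf files. It is an added example, not part of the original post; the function names, the sample files and the flat line-by-line parsing are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): audit krb5.conf files for the
# [gssapi] correct_des3_mic = host/* entry. Assumptions: flat "key = value"
# lines, whitespace-separated patterns, include directives not followed.

# Exit 0 if the [gssapi] section lists the host/* pattern, 1 otherwise.
has_host_des3_mic() {
    awk '
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/ {                          # section header, e.g. [gssapi]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "gssapi" && /^[ \t]*correct_des3_mic[ \t]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)            # keep the text after "="
            n = split(val, pats, " ")          # split on runs of whitespace
            for (i = 1; i <= n; i++)
                if (pats[i] == "host/*") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print one verdict per file; return non-zero if any file lacks the entry.
audit_krb5_conf() {
    rc=0
    for f in "$@"; do
        if has_host_des3_mic "$f"; then
            echo "OK       $f"
        else
            echo "MISSING  $f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: one file with the entry, one with it commented out.
demo_dir=$(mktemp -d)
printf '[libdefaults]\n\tdefault_realm = EXAMPLE.ORG\n\n[gssapi]\n\tcorrect_des3_mic = host/*\n' > "$demo_dir/fixed.conf"
printf '[libdefaults]\n\tdefault_realm = EXAMPLE.ORG\n# correct_des3_mic = host/*\n' > "$demo_dir/unfixed.conf"
audit_krb5_conf "$demo_dir/fixed.conf" "$demo_dir/unfixed.conf" || true
rm -rf "$demo_dir"
```
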