OpenSSH 5.2p1 with GSSAPI Authentication

John Marshall john.marshall at riverwillow.com.au
Sat Aug 22 00:13:04 UTC 2009 

On Fri, 21 Aug 2009, 11:52 +0200, Matthias Andree wrote:
> Am 21.08.2009, 09:01 Uhr, schrieb John Marshall  
> <john.marshall at riverwillow.com.au>:
> 
> >Does *anybody* have this working?
> >
> >I've been using SSH with GSSAPI authentication for a couple of years but
> >found it no longer worked with sshd on an FreeBSD 8.0-BETA.  FreeBSD
> >8.0-BETA has OpenSSH 5.2p1 included in the base system.  I have tried
> >installing the OpenSSH 5.2p1 port (security/openssh-portable) on FreeBSD
> >7.2 servers and I can't get that to work either.  sshd from the OpenSSH
> >5.1p1 included in the 7.n base system works fine.
> >
> >The only common denominator in all of my testing has been OpenSSH 5.2p1.
> >The debug logging from sshd shows that the gssapi library returns an
> >authentication failure; but gssapi authentication for squid and ldap
> >work fine on the same box (both 7.2 and 8.0).
> >
> >I'm stuck.  The OpenSSH folks say that nothing has changed that would
> >break gssapi authentication.
> >
> >Does *anybody* have this working?
> 
> How does this relate to your post on -CURRENT where you suggest upgrade  
> Heimdal for 8.0 from 1.1.0 to 1.2.1 (you wrote that you needed that for  
> OpenLDAP)?  Have you built OpenSSH against Heimdal 1.2.1 or against 1.1.0?

It doesn't.  The version of Heimdal seems not to make any difference.  I
can't get joy with any of these combinations:

 sshd        Heimdal     FreeBSD
 ----        -------     -------
 base 5.2p1  base 1.1.0  8.0-BETA2
 port 5.2p1  port 1.2.1% 8.0-BETA2
 port 5.2p1  port 1.0.1  7.2-RELEASE
 port 5.2p1  port 1.2.1% 7.2-RELEASE

[% = 1.0.1 heimdal port hacked to install 1.2.1]

Hmmm.  While validating the table above, I tried something I hadn't
tried before.  This works:

 port 5.2p1  base 0.6.3  7.2-RELEASE

I just tried a 'make configure' on security/openssh-portable on 8.0, to
start digging into the configure log, and discover that the port is now
marked as 'broken' for 8.0.  I'll spend a while on the ssh port on 7.2
and see if I can discover any clues.

-- 
John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20090822/68e777f0/attachment.pgp

More information about the freebsd-ports mailing list