OpenSSH, Kerberos and RedHat

Richard Jones freebsd at jonze.com
Thu Jun 30 11:03:59 GMT 2005


Hi,

I'm trying to get OpenSSH with Kerberos5/GSSAPI authentication up and
running in a heterogeneous environment, but having problems.

I'm running a vanilla FreeBSD-5.4p1 box as the KDC. I have another
FreeBSD-5.4 box, and a RedHat ES3 box running as a test client/server.

kinit works fine on both boxes.  PuTTY patched with Kerberos support
works fine as a client to both boxes (and obviously has no problems with
the KDC).  Each box can negotiate a login to itself. However, neither can
talk to the other.

I first recompiled the stock RedHat OpenSSH with the "gss" tag change to
allow it to compile against GSSAPI. However, this did not work, I
believe, as this was an older package patched to provide gssapi, and not
the newer gssapi-with-mic.

This did not work.

So I tried a more recent RPM: openssh-3.9p1-8.0.2.src.rpm compiled with
the tag change to use gssapi-with-mic.

Server:
Connection from 10.1.0.112 port 54409
debug1: Client protocol version 2.0; client software version OpenSSH
57:41 redhat sshd[844]: debug1: match: OpenSSH_3.8.1p1 FreeBSD-20040419 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.9p1
debug1: Received some client credentials
debug1: temporarily_use_uid: 504/504 (e=0/0)
debug1: trying public key file /home/richard/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 504/504 (e=0/0)
debug1: trying public key file /home/richard/.ssh/authorized_keys2
debug1: restore_uid: 0/0
debug1: do_cleanup

Client:
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to redhat.digitalrum.net [10.1.0.83] port 23.
debug1: Connection established.
debug1: identity file /usr/local/home/richard/.ssh/id_rsa type 1
debug1: identity file /usr/local/home/richard/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'redhat.digitalrum.net' is known and matches the DSA host key.
debug1: Found key in /usr/local/home/richard/.ssh/known_hosts:79
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).

Can anyone help? I thought it may be a Kerberos flavour mismatch; RedHat
is compiled against MIT, and FreeBSD against Heimdal. I tried
recompiling FreeBSD's openssh-portable against MIT Kerberos, but it
failed to build with a slew of GSSAPI errors.

Regards,

Richard

-- 
Richard Jones
MSN: msn.co.uk at jonze.com
Y!M: rwkjones
http://www.jonze.com
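As an added triage aid (not part of the post above, and not OpenSSH's own code), the script below walks the client-side "ssh -v" output quoted in the message and reports which authentication methods the server offered, which one the client actually attempted, and whether the server accepted it or re-issued the "Authentications that can continue" list (which is how a rejection shows up at debug level 1). The sample log is the authentication phase of the client transcript above; the regexes assume the OpenSSH 3.x debug message wording seen in that transcript.

```python
import re

# Constructed sample: the authentication phase of the client "ssh -v" output
# quoted in the post (assumed verbatim OpenSSH_3.8.1p1 debug1 wording).
SAMPLE_CLIENT_LOG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
"""

# Server sends this list initially and again after every failed attempt.
OFFERED_RE = re.compile(r"Authentications that can continue: (\S+)")
# Client announces the method it is about to try.
NEXT_RE = re.compile(r"Next authentication method: (\S+)")
# Success / final failure markers.
SUCCESS_RE = re.compile(r"Authentication succeeded \((\S+)\)")
DENIED_RE = re.compile(r"^Permission denied")


def summarize_auth(log_text):
    """Return a dict describing the userauth negotiation in an ssh -v log.

    offered:     methods in the first 'can continue' list sent by the server
    attempts:    list of (method, 'accepted' | 'rejected') in order tried
    never_tried: offered methods the client never announced an attempt for
    """
    offered = []
    attempts = []
    current = None  # method currently in flight, if any

    for line in log_text.splitlines():
        m = OFFERED_RE.search(line)
        if m:
            if not offered:
                offered = m.group(1).split(",")
            elif current is not None:
                # The list came back while a method was in flight: that
                # attempt was rejected by the server.
                attempts.append((current, "rejected"))
                current = None
            continue

        m = NEXT_RE.search(line)
        if m:
            current = m.group(1)
            continue

        m = SUCCESS_RE.search(line)
        if m:
            attempts.append((m.group(1), "accepted"))
            current = None
            continue

        if DENIED_RE.search(line) and current is not None:
            # Denied with a method still in flight (no fresh list seen).
            attempts.append((current, "rejected"))
            current = None

    tried = {method for method, _ in attempts}
    never_tried = [method for method in offered if method not in tried]
    return {"offered": offered, "attempts": attempts, "never_tried": never_tried}


if __name__ == "__main__":
    summary = summarize_auth(SAMPLE_CLIENT_LOG)
    print("offered:    ", ", ".join(summary["offered"]))
    for method, outcome in summary["attempts"]:
        print("attempted:  ", method, "->", outcome)
    print("never tried:", ", ".join(summary["never_tried"]) or "(none)")
```

On the transcript from the post this reports gssapi-with-mic as attempted and rejected, with publickey and keyboard-interactive never attempted at all, which narrows the problem to the GSSAPI exchange itself rather than to the surrounding SSH negotiation. With the client rerun at "-vvv" and the server at "LogLevel DEBUG3", the same parser can be pointed at the fuller output, where the GSSAPI layer reports its own status messages (missing or mismatched host service principal in the server keytab, name canonicalization differences, clock skew, or principal-to-user mapping failures are the usual things to check).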

