[SOLVED] sshd GSSAPIAuthentication broken after 8.0-BETA1 upgrade

John Marshall john.marshall at riverwillow.com.au
Fri Oct 2 04:16:41 UTC 2009


Apologies for including all of OP - but it was 3 months ago and
provides necessary context.  See solution below OP.

On Wed, 08 Jul 2009, 18:52 +1000, John Marshall wrote:
> I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to
> 8.0-BETA1 this morning.  I use GSSAPI as the primary authentication
> method for sshd on that server.  After the upgrade GSSAPI authentication
> stopped working and I can't get enough information to figure out why.
> Perhaps the newer version of Heimdal behaves differently?  Perhaps the
> newer version of sshd behaves differently?
> 
> If I run sshd with debug "-ddd" I see the following:
> 
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method gssapi-with-mic
> debug3: mm_request_send entering: type 37
> debug3: mm_request_receive_expect entering: type 38
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 37
> debug3: mm_request_send entering: type 38
> debug3: mm_request_receive entering
> Postponed gssapi-with-mic for john from 192.0.2.123 port 57225 ssh2
> debug3: mm_request_send entering: type 39
> debug3: mm_request_receive_expect entering: type 40
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 39
> debug1: Received some client credentials
> debug3: mm_request_send entering: type 40
> debug3: mm_request_receive entering
> debug3: mm_request_send entering: type 43
> debug3: mm_request_receive_expect entering: type 44
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 43
> debug3: mm_request_send entering: type 44
> debug3: mm_request_receive entering
> GSSAPI MIC check failed
> 
> On the client side (with ssh -vvv) I see:
> 
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
> debug2: we did not send a packet, disable method
> 
> Does anybody know of changes between existing STABLE releases and 8.0
> which would cause this behaviour - and how to accommodate it?  Do any
> strange Kerberos things need to be done as part of the upgrade?
> 
> The client still happily authenticates via GSSAPI to sshd on our other
> 7.2-RELEASE servers.  Subsequent authentication methods succeed on the
> 8.0-BETA1 sshd server, it's just GSSAPI that isn't working.

With help from Jim Basney on the OpenSSH-dev mailing list, I was able to
determine that the gssapi error underlying the sshd debug message
"GSSAPI MIC check failed" was GSS_S_BAD_SIG (GSS_S_BAD_MIC).  That
proved that it was a Kerberos problem but didn't give me any clue as to
why a FreeBSD 8.0 server would regard as BAD signatures that were
happily validated on FreeBSD 7.2 servers.

I am indebted to David P. Discher for discovering this solution.

The problem is related to the difference in Heimdal Kerberos versions
shipped with FreeBSD 7.2 and 8.0.

  FreeBSD 7.2 --> Heimdal 0.6.3
  FreeBSD 8.0 --> Heimdal 1.1.0

 - FreeBSD 7.2 Kerberos includes a broken-by-default gssapi-with-mic.
 - FreeBSD 8.0 Kerberos includes a correct gssapi-with-mic.

FreeBSD 8.0 Kerberos doesn't understand the message produced by the
FreeBSD 7.2 Kerberos broken gssapi-with-mic.  Fortunately Heimdal 0.6
understands messages produced by both the broken and correct
gssapi-with-mic AND provides a switch to enable use of the correct
gssapi-with-mic.  So, in order to produce messages which can be
processed by FreeBSD 8.0 Kerberos, FreeBSD 7.2 machines must add entries
like the following to their /etc/krb5.conf

  [gssapi]
          correct_des3_mic = host/my.freebsd8.server@MY.REALM
          correct_des3_mic = host/myother.freebsd8.server@MY.REALM

Wildcards can also be used, so as long as none of your machines use a
version of Heimdal earlier than 0.6, you can do something like:

  [gssapi]
          correct_des3_mic = host/*

Note that the Heimdal 0.6.3 verify_krb5_conf utility doesn't know about
the [gssapi] section and will flag it as an error.

For a full description of the broken/correct gssapi-with-mic issue, see
the COMPATIBILITY section of the Heimdal 0.6.3 gssapi(3) man page
shipped with (but not installed on) FreeBSD 7.2

  /usr/src/crypto/heimdal/lib/gssapi/gssapi.3:
       $Id: gssapi.3,v 1.5.2.2 2003/04/30 09:56:26 lha Exp $

-- 
John Marshall
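An added example, not part of the original post and not Heimdal's own
code: a small checker that reads the [gssapi] correct_des3_mic entries
out of a krb5.conf and reports, for each target service principal,
whether a Heimdal 0.6 client configured that way would send the correct
des3 MIC or the old broken one. It lets you confirm that every
FreeBSD 8.0 host principal is covered before you roll the change out.
Two assumptions are made: repeated keys are read as a list (which is how
the post's two correct_des3_mic lines are meant), and patterns are
matched against the principal with shell-style globbing via fnmatch,
which is what the post's "host/*" example implies. The sample config
below is constructed for the example.

```python
"""Check which target principals get the correct des3 MIC under a given
krb5.conf.  Added example; assumptions are marked in the comments."""
import fnmatch
import re

# Constructed sample config, modelled on the entries from the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = MY.REALM

[gssapi]
        # FreeBSD 8.0 (Heimdal 1.1) servers that reject the broken MIC
        correct_des3_mic = host/my.freebsd8.server@MY.REALM
        correct_des3_mic = host/myother.freebsd8.server@MY.REALM
"""

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*([^=#;\s]+)\s*=\s*(.*?)\s*$")


def parse_krb5_conf(text):
    """Return {section: {key: [value, ...]}} for the flat key = value
    form of krb5.conf.  Repeated keys are kept in order (assumption:
    that is how Heimdal treats them).  Nested '{ ... }' blocks are not
    handled; this is only meant for the [gssapi] section."""
    conf = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        m = _KEYVAL.match(line)
        if m and section is not None:
            key, value = m.group(1), m.group(2)
            conf[section].setdefault(key, []).append(value)
    return conf


def mic_mode(conf, target_principal):
    """'correct' if any correct_des3_mic pattern matches the target
    principal, otherwise 'broken' (Heimdal 0.6's default).  Assumption:
    fnmatch-style globbing, so 'host/*' also matches the '@REALM' part."""
    patterns = conf.get("gssapi", {}).get("correct_des3_mic", [])
    for pat in patterns:
        if fnmatch.fnmatchcase(target_principal, pat):
            return "correct"
    return "broken"


def uncovered(conf, principals):
    """Principals from the list that would still get the broken MIC."""
    return [p for p in principals if mic_mode(conf, p) == "broken"]


if __name__ == "__main__":
    # Constructed list of servers being upgraded to FreeBSD 8.0.
    targets = [
        "host/my.freebsd8.server@MY.REALM",
        "host/myother.freebsd8.server@MY.REALM",
        "host/third.freebsd8.server@MY.REALM",
    ]
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for p in targets:
        print("%-45s %s" % (p, mic_mode(conf, p)))
    print("still broken:", uncovered(conf, targets))
```

Run it against a copy of the real /etc/krb5.conf (read the file into
parse_krb5_conf instead of the sample string) with the host principals
of the upgraded servers; an empty "still broken" list means the client
will produce messages the 8.0 sshd can verify. The same check shows why
"host/*" is convenient but blunt: it covers every host principal,
including any remaining pre-0.6 Heimdal servers that can only validate
the broken MIC.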