[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 05 Dec 2022 23:24:00 UTC

            Bug ID: 268186
           Summary: Kerberos authentication fails with a Linux/FreeIPA KDC
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: amendlik@gmail.com

When using a Linux-based FreeIPA server as the KDC, users cannot authenticate
to FreeBSD hosts using SSH with GSSAPI. Errors from sshd indicate the
encryption algorithm used in the service ticket is not supported:

  debug3: receive packet: type 61 [preauth]
  debug3: mm_request_send: entering, type 44 [preauth]
  debug3: mm_request_receive_expect: entering, type 45 [preauth]
  debug3: mm_request_receive: entering [preauth]
  debug3: mm_request_receive: entering
  debug3: monitor_read: checking request 44
  debug1:  Miscellaneous failure (see text)
  encryption type 20 not supported

  debug1: Got no client credentials
  debug3: mm_request_send: entering, type 45
  debug3: userauth_finish: failure partial=0 next
methods="publickey,gssapi-with-mic" [preauth]

Encryption type 20 refers to the aes256-cts-hmac-sha384-192 algorithm. It is
defined in RFC8009 (https://www.rfc-editor.org/rfc/rfc8009.html#section-7) and
has been supported since Heimdal 7.0.1, released in 2016.

Looking at the FreeBSD base system, we are on Heimdal 1.5.2, released in 2012.
Are there any plans to update Heimdal in the base system to a more recent

You are receiving this mail because:
You are the assignee for the bug.