[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 16 Dec 2022 20:50:11 UTC

--- Comment #25 from amendlik@gmail.com ---
(In reply to Cy Schubert from comment #24)

I've done some reading on the FreeIPA client (which would be the server running
sshd) setup and learned that PAM is only used for password authentication.
Kerberos authentication is supposed to be handled by GSSAPI. So I don't believe
your patch will help in this case.

That should take PAM out of the flow and bring us back to what I believe is the
root issue: that FreeBSD sshd reports that it cannot handle a type 20 ticket.

I see you saying that "FreeBSD OpenSSH server linked against Heimdal also
works", but I'm still struggling to understand that. You seem to be saying that
a type 20 ticket will be accepted if that ticket was generated by a FreeBSD/MIT
KDC, but if it was generated by a FreeIPA/MIT KDC, it will report "encryption
type 20 not supported".

Can you help me understand this apparent contradiction? How does the same
FreeBSD sshd in one case say "type 20 not supported" and in another case work
fine with a type 20 ticket?

When you say your sshd is "linked against Heimdal", do you mean the Heimdal
from the base system, or a newer version?
