From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
Date: Fri, 16 Dec 2022 20:50:11 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: Unspecified
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: amendlik@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #25 from amendlik@gmail.com ---
(In reply to Cy Schubert from comment #24)
I've done some reading on the FreeIPA client (which would be the server running
sshd) setup and learned that PAM is only used for password authentication.
Kerberos authentication is supposed to be handled by GSSAPI. So I don't believe
your patch will help in this case.

That should take PAM out of the flow and bring us back to what I believe is the
root issue: that FreeBSD sshd reports that it cannot handle a type 20 ticket.

I see you saying that "FreeBSD OpenSSH server linked against Heimdal also
works", but I'm still struggling to understand that. You seem to be saying that
a type 20 ticket will be accepted if that ticket was generated by a FreeBSD/MIT
KDC, but if it was generated by a FreeIPA/MIT KDC, it will report "encryption
type 20 not supported".

Can you help me understand this apparent contradiction? How does the same
FreeBSD sshd in one case say "type 20 not supported" and in another case work
fine with a type 20 ticket?

When you say your sshd is "linked against Heimdal", do you mean the Heimdal
from the base system, or a newer version?

-- 
You are receiving this mail because:
You are the assignee for the bug.