[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC"
Date: Mon, 19 Dec 2022 18:49:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #27 from amendlik@gmail.com ---

(In reply to Cy Schubert from comment #26)

To keep things simple, I have disabled PAM and all authentication methods except GSSAPI.

    PubkeyAuthentication no
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication yes
    UsePAM no

This configuration works fine with an encryption type-18 ticket. If I try it with a type-20 ticket, it fails with the error: "encryption type 20 not supported".

This behavior is what I would expect, because OpenSSH in the base system is linked with Heimdal 1.5.2, which does not support encryption type 20. Not only was RFC 8009, which defined type 20, written after 1.5.2 was released, but we can look at the FreeBSD source code and see that there is no code to support encryption type 20 (https://cgit.freebsd.org/src/tree/crypto/heimdal/lib/krb5/crypto-aes.c).

I don't understand how you are getting it to work in your environment. I see you saying the tickets must be formatted differently by different KDCs, but that explanation does not make sense to me. How can a type-20 ticket created by your KDC be accepted by an OpenSSH server that DOES NOT SUPPORT type-20 tickets, regardless of its format? That seems like the critical question we need to address. There has to be some detail of your environment I am missing.

Can you confirm that the OpenSSH server you are testing with is FreeBSD with OpenSSH from the base system?
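An added example, not part of the bug report, showing how an operator can spot the mismatch described above from the client side before opening a bug: it reads MIT-style `klist -e` output and flags service tickets whose ticket enctype is outside the two AES-SHA1 types (17 and 18) that a Heimdal 1.5.2 sshd can decrypt. The listing, hostnames and realm are constructed for the example; the check assumes the MIT "Etype (skey, tkt):" line format.

```shell
#!/bin/sh
# Constructed sample of `klist -e` output (MIT format). Not real tickets.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: alice@EXAMPLE.TEST

Valid starting     Expires            Service principal
12/19/22 18:00:00  12/20/22 04:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
	Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192
12/19/22 18:00:05  12/20/22 04:00:00  host/bsd1.example.test@EXAMPLE.TEST
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
12/19/22 18:00:09  12/20/22 04:00:00  host/bsd2.example.test@EXAMPLE.TEST
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192'

# Map an enctype name to its number (RFC 3961 / RFC 8009); "?" if unknown.
etype_number() {
    case "$1" in
        aes128-cts-hmac-sha1-96)    echo 17 ;;
        aes256-cts-hmac-sha1-96)    echo 18 ;;
        aes128-cts-hmac-sha256-128) echo 19 ;;
        aes256-cts-hmac-sha384-192) echo 20 ;;
        *)                          echo '?' ;;
    esac
}

# Read klist -e text on stdin; print "<service> <tkt-etype> OK|UNSUPPORTED"
# for each service ticket. Only the ticket enctype (second of the pair)
# matters to sshd: the ticket is sealed with the host's key, so the host
# must hold a key of that enctype. The session-key enctype is negotiated
# separately. The TGT is sealed with the KDC's key, so it is skipped.
classify_tickets() {
    awk '
        /@/ && !/Default principal/ && !/Etype/ { svc = $NF; next }
        /Etype \(skey, tkt\):/ {
            if (svc ~ /^krbtgt\//) next
            sub(/.*tkt\): */, ""); split($0, e, /, */)
            print svc, e[2]
        }' | while read -r svc tkt; do
        n=$(etype_number "$tkt")
        case " 17 18 " in
            *" $n "*) echo "$svc $n OK" ;;
            *)        echo "$svc $n UNSUPPORTED" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_KLIST" | classify_tickets
```

On a real client, replace the sample with `klist -e | classify_tickets`; an UNSUPPORTED line for a host/ principal means the KDC has the host's key at an enctype the base-system sshd cannot use, which is exactly the "encryption type 20 not supported" failure.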