[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 19 Dec 2022 18:49:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #27 from amendlik@gmail.com ---
(In reply to Cy Schubert from comment #26)
To keep things simple, I have disabled PAM and all authentication methods
except GSSAPI.

PubkeyAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM no

This configuration works fine with an encryption type-18 ticket. If I try it
with a type-20 ticket, it fails with the error: "encryption type 20 not
supported". This behavior is what I would expect, because OpenSSH in the base
system is linked with Heimdal 1.5.2 which does not support encryption type 20.
Not only was RFC8009, which defined type-20, written after 1.5.2 was released,
but we can look at the FreeBSD source code and see that there is no code to
support encryption type-20
(https://cgit.freebsd.org/src/tree/crypto/heimdal/lib/krb5/crypto-aes.c).

I don't understand how you are getting it to work in your environment. I see
you saying the tickets must be formatted differently by different KDCs, but
that explanation does not make sense to me. How can a type-20 ticket created by
your KDC be accepted by an OpenSSH server that DOES NOT SUPPORT type-20
tickets, regardless of its format?

That seems like the critical question we need to address. There has to be some
detail of your environment I am missing. Can you confirm that the OpenSSH
server you are testing with is FreeBSD with OpenSSH from the base system?

-- 
You are receiving this mail because:
You are the assignee for the bug.
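The diagnosis in the comment above hinges on which encryption type the KDC used for the service ticket (and its session key) handed to sshd. The following script is an added example for readers of this thread, not code from the bug report or from FreeBSD/Heimdal: it parses `klist -e` output in the MIT/Heimdal format, maps the printed enctype names to their RFC numbers, and flags tickets a Heimdal 1.5.2 acceptor cannot decrypt. The sample `klist` output is constructed, and the set of enctypes assumed to be supported by Heimdal 1.5.2 is an assumption (the thread only establishes that type 20 is absent; type 19, its RFC 8009 sibling, is treated the same way here).

```python
import re
import sys

# Enctype names as printed by `klist -e`, mapped to their registered numbers
# (RFC 3961/3962 for 1-18 and 23, RFC 8009 for 19 and 20).
ENCTYPE_NUMBERS = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts-hmac-sha256-128": 19,
    "aes256-cts-hmac-sha384-192": 20,
    "arcfour-hmac": 23,
}

# ASSUMPTION for this example: enctypes a Heimdal 1.5.2 based sshd can handle.
# The RFC 8009 types (19, 20) are deliberately left out.
HEIMDAL_152_ETYPES = {1, 3, 16, 17, 18, 23}

# "<tab>Etype (skey, tkt): <session key etype>, <ticket etype>"
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")
# A ticket line ends with the service principal (contains an '@').
SERVICE_RE = re.compile(r"(\S+@\S+)\s*$")


def parse_klist(output):
    """Return [(service_principal, skey_name, tkt_name)] from `klist -e` text."""
    entries = []
    service = None
    for line in output.splitlines():
        m = ETYPE_RE.match(line)
        if m and service:
            entries.append((service, m.group(1), m.group(2)))
            continue
        # Header lines carry an '@' too, but are not tickets.
        if line.startswith(("Ticket cache:", "Default principal:")):
            continue
        m = SERVICE_RE.search(line)
        if m:
            service = m.group(1)
    return entries


def check_tickets(output, supported=HEIMDAL_152_ETYPES):
    """Return [(service, skey_num, tkt_num, ok)] for every ticket in `output`.

    `ok` is True only if the acceptor supports both the ticket enctype (needed
    to decrypt the ticket with its long-term key) and the session key enctype
    (needed to verify the AP-REQ authenticator). An enctype name missing from
    ENCTYPE_NUMBERS yields None and is treated as unsupported.
    """
    results = []
    for service, skey, tkt in parse_klist(output):
        skey_num = ENCTYPE_NUMBERS.get(skey)
        tkt_num = ENCTYPE_NUMBERS.get(tkt)
        ok = skey_num in supported and tkt_num in supported
        results.append((service, skey_num, tkt_num, ok))
    return results


# Constructed sample in the format MIT/Heimdal `klist -e` prints.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
12/19/2022 08:00:00  12/19/2022 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192
12/19/2022 08:00:05  12/19/2022 18:00:00  host/fbsd.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192
12/19/2022 08:00:09  12/19/2022 18:00:00  host/legacy.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""


if __name__ == "__main__":
    # Pipe real output in (`klist -e | python3 check_etypes.py`); with no
    # pipe, the constructed sample is analysed instead.
    text = SAMPLE_KLIST if sys.stdin.isatty() else sys.stdin.read()
    for service, skey_num, tkt_num, ok in check_tickets(text):
        verdict = "ok" if ok else "NOT decryptable by Heimdal 1.5.2 acceptor"
        print(f"{service}: skey etype {skey_num}, tkt etype {tkt_num}: {verdict}")
```

Run against a real cache, the `host/...` line for the FreeBSD machine is the one that matters: if its tkt etype is 20, the KDC issued the ticket under an RFC 8009 key for that service principal, and the fix belongs on the KDC side (the service principal's key types), not in sshd_config.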