[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 19 Dec 2022 23:05:52 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

Cy Schubert <cy@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #34 from Cy Schubert <cy@FreeBSD.org> ---
(In reply to amendlik from comment #33)
Yes but if you disable GSSAPI in sshd_config and enable PAM, authentication
will be by PAM only. You are misreading their slide to infer that this is baked
into the code.

My patch disables linking of Heimdal libraries into OpenSSH so that it does not
interfere with pam_krb5 from ports or any other PAM module that has external
references to MIT KRB5 symbols that can be construed (because they have the
same names) by the runtime linker to use the Heimdal library references already
linked into sshd.

Please try the attached patch, disable GSSAPI and Kerberos authentication,
enable PAM in sshd_config, and restart sshd.

I cannot reproduce your problem here with or without the patch though the patch
does allow me to use pam_krb5 from ports instead of pam_krb5 supplied by the
base O/S.

As you're a binary package user, let's try to avoid rebuilding anything for
now. 

Looking at your ssh -vvv output, I see,

debug2: peer server KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug2: host key algorithms:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr

The KEX and ciphers I send are:

debug2: local client KEXINIT proposal
debug2: KEX algorithms:
sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms:
ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

What does your Linux /etc/ssh/ssh_config and your Linux ~/.ssh/config look
like?

On the Linux machine, what is the output of ssh -V ?

At the moment I'm not sure you've diagnosed the problem correctly to suggest
it's a Kerberos issue.

-- 
You are receiving this mail because:
You are the assignee for the bug.