[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 21 Dec 2022 04:20:43 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #40 from Cy Schubert <cy@FreeBSD.org> ---
(In reply to amendlik from comment #39)

I haven't reached any conclusions yet. I don't know if FreeBSD Heimdal is at
fault. It could be. Even if it is, there is no quick solution. The progress with
the 7.8.0 project has been slow due to numerous regressions. If I had to guess
I'd say it might be ready by summer 2023. In the meantime we need to find a
workaround.

Rather than use pam_krb5 from ports (which will require patching openssh with
the attached patch), let's try something less involved. Let's install
openssh-portable-gssapi. (I hadn't realized that openssh-portable was converted
to using flavors instead of static compiled-in options.) This will give me the
same information as patching the base O/S and installing pam_krb5 package. All
we need to do is isolate the problem to FreeBSD or not. This will tell us that.

Let me reiterate that OpenSSH 7.8.0 is far from ready to import into FreeBSD.
There are too many regressions that need to be addressed first (like ftpd
allowing logins from Kerberos accounts with an incorrect password when no TGT is
presented). The reason for this is that two shims created years ago to translate
tickets call Heimdal functions that have changed radically: functions that no
longer take tickets as arguments, taking principals instead. Something is lost
in the translation. You can understand why this is taking as long as it is.

-- 
You are receiving this mail because:
You are the assignee for the bug.
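The isolation test proposed in the comment above (run the ports OpenSSH built
with GSSAPI instead of the base sshd and see whether Kerberos login still
fails), spelled out as an added shell example. This is not code from the bug
report, the reporter or the FreeBSD project. The install commands assume the
usual ports layout (package openssh-portable-gssapi, rc script "openssh",
config at /usr/local/etc/ssh/sshd_config); the classify_gss_attempt function
and its result names are this example's own, and the ssh -v transcripts it is
run on are constructed, not captured from the systems in the bug.

```shell
#!/bin/sh
# Added example: decide whether a GSSAPI (Kerberos) ssh login fails on the
# client side or on the server side, so the failure can be tied to the FreeBSD
# sshd/Heimdal combination or ruled out. Commands in the comments are typed on
# the FreeBSD host under test; paths/names are the usual ports defaults
# (assumption, not from the bug report).
#
#   pkg install openssh-portable-gssapi
#   sysrc sshd_enable=NO openssh_enable=YES
#   # in /usr/local/etc/ssh/sshd_config:  GSSAPIAuthentication yes
#   service sshd stop; service openssh start
#
# Then from a client that holds a TGT (kinit user@REALM):
#   ssh -v -o PreferredAuthentications=gssapi-with-mic \
#          -o GSSAPIAuthentication=yes host 2> ssh.log
#   classify_gss_attempt < ssh.log

# Read an `ssh -v` transcript on stdin and print one of:
#   not-offered      sshd did not list gssapi-with-mic (no GSSAPI in sshd, or
#                    GSSAPIAuthentication is off)
#   not-attempted    ssh never tried gssapi-with-mic (client config / client
#                    built without GSSAPI)
#   no-creds         the client-side GSS library had no usable credentials
#   succeeded        gssapi-with-mic worked
#   server-rejected  offered and attempted with credentials, but sshd said no;
#                    this is the case that points at the server's sshd/Heimdal
classify_gss_attempt() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -q 'Authentications that can continue:.*gssapi-with-mic'; then
        echo not-offered; return
    fi
    if ! printf '%s\n' "$log" | grep -q 'Next authentication method: gssapi-with-mic'; then
        echo not-attempted; return
    fi
    if printf '%s\n' "$log" | grep -q 'Authentication succeeded (gssapi-with-mic)'; then
        echo succeeded; return
    fi
    # Heuristic: these messages come from the client's GSS library, meaning no
    # valid token was ever sent, so the server cannot be blamed yet.
    if printf '%s\n' "$log" | grep -Eqi 'No Kerberos credentials available|Credentials cache .* not found|No credentials cache found|Ticket expired'; then
        echo no-creds; return
    fi
    echo server-rejected
}

# Constructed sample transcripts (not captured from the reporter's systems):
SAMPLE_REJECTED='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password'

SAMPLE_NOCREDS='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001)
debug1: Next authentication method: password'

printf '%s\n' "$SAMPLE_REJECTED" | classify_gss_attempt   # server-rejected
printf '%s\n' "$SAMPLE_NOCREDS" | classify_gss_attempt    # no-creds
```

If the ports sshd yields "succeeded" where the base sshd yields
"server-rejected" with the same client and the same TGT, the difference is on
the FreeBSD server side; if both yield "no-creds" or "not-attempted", look at
the client's credential cache and ssh build first.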