[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 17 Jan 2023 14:48:44 UTC

--- Comment #54 from Cy Schubert <cy@FreeBSD.org> ---
(In reply to amendlik from comment #53)
My hypothesis is confirmed.

My kdc's keys are encrypted using an older algorithm. I had exported the kdc
and imported it using new keys to update it ~ 15 years ago. It works with
Heimdal 1.5. Your keys in your KDC are encrypted using an algorithm not
supported by Heimdal.

The fix is to replace Heimdal in base with a newer Heimdal -- which I am
working on but a recent git bug is preventing further progress due to recurring
merge conflicts. (We git subtree merge and git rebase reassigns files in
src/crypto/heimdal into src/. This affects all vendor/* code at time of

The other alternative is to install ports/security/openssh-portable built
against ports/security/krb5.

Your two options are to:

1. Wait for Heimdal 7.8.0 to be imported into FreeBSD, sometime this summer or

2. Install openssh-portable with MIT krb5. This must be done using the port
because the binary package is built using the base system heimdal.

You are receiving this mail because:
You are the assignee for the bug.