[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
heimdal and cybersafe compatibility
I am trying to get a Kerberized version of OpenSSH working in the cygwin
environment under Windows. Our KDC is a CyberSAFE implementation.
I have been able to build the heimdal source in the cygwin environment with
a little tweaking and have gotten OpenSSH to build against the heimdal
libraries with few modifications. I have been able to get a TGT using the
kinit that comes with the heimdal release. However, when I try to connect
to a server using Kerberos authentication in ssh, I run into a few problems:
1) By default, the connection to the KDC tries to connect via UDP and fails.
It appears that the connection happens, but no data is sent back from the
KDC (length == 0). I have modified the code to force a connetion over TCP
and it seems to work fine (connection is created and data sent back, though
I haven't peeked at it yet). Is there a way to specify this via a runtime
configuration option rather than hard coding it? The option will need to be
available to the library itself since it will be called from OpenSSH.
2) After forcing the TCP connection, the client seems to be unable to parse
the reply correctly. Doing a bit of debugging, I have found that the
checksums of the data don't match (CRC32). Does anyone know whether
CyberSAFE and Heimdal compute checksums differently? I would think that if
I can get a TGT from the KDC, a session ticket should be fine, too.
3) If I try to force the verification to return without errors, I get an
asn1 parsing error that I've tracked down to the decode_EncTGSRepPart and
decode_EncASRepPart functions. I'm under the assumption that the data isn't
getting parsed correctly in the first place, which is perhaps why item 2) is
happening. Any ideas?
Any help would be appreciated. I'm new to the list so let me know if this
has been discussed before. I didn't see a mail archive for this list and I
haven't been able to track down any useful information on the web or in
newsgroups.
Best Regards.
-brahm