
openssh + heimdal: real nightmare




Hi all,

For months I have been trying to do with heimdal the same I had previously
with krb4 in a few days, and I still do not know why ....

consider the following:

host A is running
   - heimdal kdc + kadmind + passwdd

host B is running
   - sshd with gssapi and krb5 support enabled

host C is running
   - ssh with gssapi and krb5 support enabled

On host C I issue kinit to get the user ticket - it connects well to host
A kdc and gets the ticket. So far it works.

Then I issue ssh from C to B and I expect that, verified by A, I will be
logged in through gssapi to the host B. But this does not happen. The
opensshd debug sounds like

debug3:  entering: type 38
debug3:  entering
Postponed gssapi-with-mic for komanek from xxx.xxx.xxx.xxx port 57360 ssh2
debug3:  entering: type 39
debug3:  entering: type 40
debug3:  entering
debug3: : checking request 39
debug1:  Miscellaneous failure (see text)
Decrypt integrity check failed

debug1: Got no client credentials
debug3:  entering: type 40
debug3:  entering
Failed gssapi-with-mic for komanek from xxx.xxx.xxx.xxx port 57360 ssh2


Time is in sync. Release versions of openssh and heimdal give the same as
the latest snapshots. ".k5login" exists with correct info. What's wrong?

I have a few additional questions whose answers could probably help me
to resolve the problem:

1. In which cases can I get the "Decrypt integrity check failed" message
from gssapi, and where are hints published on how to resolve this?

2. Am I allowed to use openssh with openssl and heimdal with internal des
routines only (--with-openssl=no)?

3. Is there any other possibility to get openssh working with heimdal
than gssapi (krb4 support in openssh was with no gssapi and everything
worked fine)?

Thanks in advance.

Sincerely,

  David Komanek