Re: openssh + heimdal: real nightmare
On Mon, 26 Jan 2004, David Komanek wrote:
> debug3: entering: type 38
> debug3: entering
> Postponed gssapi-with-mic for komanek from xxx.xxx.xxx.xxx port 57360 ssh2
> debug3: entering: type 39
> debug3: entering: type 40
> debug3: entering
> debug3: : checking request 39
> debug1: Miscellaneous failure (see text)
> Decrypt integrity check failed
>
> debug1: Got no client credentials
> debug3: entering: type 40
> debug3: entering
> Failed gssapi-with-mic for komanek from xxx.xxx.xxx.xxx port 57360 ssh2
>
> Time is in sync. Release versions of openssh and heimdal give the same as
> the latest snapshots. ".k5login" exists with correct info. What's wrong ?
What do you need .k5login for? It's only needed if you want to login as
another user on the remote host.
> I have a few additional questions which answering probably could help me
> to resolve the problem:
>
> 1. In which cases I can get the "Decrypt integrity check failed" message
> from gssapi and where are published hints how to resolve this ?
Maybe the key / key version number doesn't match in the Heimdal database
and /etc/krb5.keytab. Although I believe this would result in another
error message...
> 3. Is there any other possibility to get openssh working with heimdal
> than gssapi (krb4 support in openssh was with no gssapi and everything
> worked fine) ?
With older OpenSSH (pre 3.7) releases you were able to get Kerberos5
authentication with ssh protocol 1 only. It has been replaced by gssapi
which only works with protocol 2.
Greetings
Andreas
--
| Andreas Haupt | E-Mail: andreas.haupt@desy.de
| DESY Zeuthen | WWW: http://www.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7369
| D-15738 Zeuthen | Fax: +49/33762/7-7216
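
Added example, not part of the original message or of OpenSSH/Heimdal: one way to check the key version number possibility raised in the reply is to list the kvno of each entry in the keytab and compare it with the kvno the KDC reports for the host principal. It assumes the keytab uses the common 0x0502 file format; the principal name, realm, kvno values and key bytes are constructed sample data.

```python
import struct

def build_entry(realm, components, kvno, enctype, key):
    """Build one keytab entry; used only to construct the sample below."""
    counted = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in components)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + counted(key)
    body += struct.pack(">I", kvno)  # optional trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        end, p = pos + size, pos
        def counted():
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p].decode()
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", data, p)
        (klen,) = struct.unpack_from(">H", data, p + 11)
        p += 11 + 2 + klen  # skip the key bytes; they are never returned
        if end - p >= 4:  # non-zero 32-bit kvno overrides the 8-bit field
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append((f"{name}@{realm}", kvno, enctype))
        pos = end
    return out

def kvno_matches(entries, principal, kdc_kvno):
    """True if the keytab holds a key for principal at the KDC's kvno."""
    return any(n == principal and v == kdc_kvno for n, v, _ in entries)

# Constructed sample: host key at kvno 2, enctype 16, dummy key bytes.
PRINC = "host/server.example.org@EXAMPLE.ORG"
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.ORG", ["host", "server.example.org"], 2, 16, b"\x00" * 24)

if __name__ == "__main__":
    print(parse_keytab(SAMPLE))
    print("matches KDC kvno 3 (assumed):", kvno_matches(parse_keytab(SAMPLE), PRINC, 3))
```

The parser returns only principal, kvno and enctype, so its output can be pasted into a list post without exposing key material.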