Re: heimdal-0.7.1rc2
- To: Love Hörnquist Åstrand <lha@kth.se>
- Subject: Re: heimdal-0.7.1rc2
- From: Andreas Haupt <ahaupt@ifh.de>
- Date: Mon, 19 Sep 2005 14:30:31 +0200 (CEST)
- Cc: heimdal-discuss@sics.se
- In-Reply-To: <Pine.LNX.4.63.0508121020330.19135@fuchur.ifh.de>
- References: <amzmroqybo.fsf@nutcracker.it.su.se> <Pine.LNX.4.63.0508120810100.19135@fuchur.ifh.de><amll37poz3.fsf@nutcracker.it.su.se> <Pine.LNX.4.63.0508121020330.19135@fuchur.ifh.de>
- Sender: owner-heimdal-discuss@sics.se
Hello again,
unfortunately no one answered my question here. But the problems still
remain. Even in a complete test environment (kdc version 0.7.1, OpenSSH
4.2 server and client linked against 0.7.1) gssapi-with-mic authentication
fails.
There aren't any "correct_des3_mic" or "broken_des3_mic" entries in
krb5.conf needed, are they? It doesn't change the situation anyway.
There aren't any usable debug messages from either the ssh client or the server
except "Failed gssapi-with-mic for ...".
Did someone get OpenSSH with gssapi-with-mic authentication running using
Heimdal 0.7x? It's working fine with Heimdal 0.6.
Greetings
Andreas
On Fri, 12 Aug 2005, Andreas Haupt wrote:
> Hello Love,
>
> thanks for your answer. But I still have some problems in understanding.
>
> On Fri, 12 Aug 2005, Love Hörnquist Åstrand wrote:
>
>>
>> Andreas Haupt <ahaupt@ifh.de> writes:
>>
>>> 2. Did someone manage to get OpenSSH 4.x gssapi-with-mic authentication
>>> running when linked against heimdal 0.7x? When linked against heimdal
>>> 0.6.x everything runs fine. I did not really look deeply at the code
>>> but it seems to me the function gss_verify_mic does not work properly.
>>>
>>> I also have to mention that heimdal 0.6.x is linked against OpenSSL
>>> 0.9.6x and heimdal 0.7 uses OpenSSL 0.9.7 here.
>>
>> What encryption type do you use for that principal (klist -v will show
>> you)?
>>
>> If you are using des3-cbc-sha1, you should read the COMPATIBILITY section
>> in the gssapi manpage.
>
> Yes, we are using des3-cbc-sha1 for our principals. Our kdc is still running
> 0.6.3. On my test host OpenSSH is linked against heimdal 0.7. So client and
> server really should use the correct "GSS-API DES3 mic". Or am I wrong here?
>
> I also tried "broken_des3_mic" and "correct_des3_mic" in krb5.conf on that
> test host and even on the kdc. Nothing changed. Only the OpenSSH error
> message "GSSAPI MIC check failed" went away when krb5.conf was configured
> like the man page told me. So it seems to have an effect.
>
> Is it better to change the principal key completely (e.g. use another
> encoding)? Which encoding is the preferred nowadays?
>
> Thanks and greetings
> Andreas
>
> PS: I put this answer on the list again as I think others might run into
> the same problems.
>
>
--
| Andreas Haupt | E-Mail: andreas.haupt@desy.de
| DESY Zeuthen | WWW: http://www.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216