Heimdal 1.1 and OpenSSH 5.0 for SSO : GSSAPI Problems
Hi,
I've a GSSAPI mech problem with Heimdal 1.1 / Arla 0.91-pre and OpenSSH
5.0 on FreeBSD 7.0 (RELEASE).
What I've done:
# tar -xzf heimdal-1.1.tar.gz
# cd heimdal-1.1
# ./configure --prefix=/usr/heimdal (default, I know)
# make && make install
and
# checkout arla
# reconfigure
# cd arla-0.91
# ./configure --prefix=/usr/arla-0.91 --sysconfdir=/etc/afs --with-krb5=/usr/heimdal
# make && make install
and
# tar -xzf openssh-5.0p1.tar.gz
# cd openssh-5.0p1
# wget http://www.sxw.org.uk/computing/patches/openssh-5.0p1-gsskex-20080404.patch
# patch -p1 < openssh-5.0p1-gsskex-20080404.patch
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-kerberos5=/usr/heimdal --enable-kerberos-tgt-passing
(I want to replace the system's default)
# make && make install
I set sshd_config:
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
and ssh_config:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes
I also put my krb5.conf in /etc:
[appdefaults]
forwardable = true
proxiable = true
no-addresses = true
ticket_lifetime = 86400
renew_lifetime = 604800
encrypt = true
forward = true
[libdefaults]
default_realm = EPITECH.NET
clockskew = 600
kdc_timeout = 1
default_cc_name = /tmp/krb5cc_%{uid}
kdc_timesync = true
max_retries = 1
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
proxiable = true
[domain_realm]
ig-iit.com = EPITECH.NET
epitech.net = EPITECH.NET
epitech.eu = EPITECH.NET
epita.fr = EPITECH.NET
[realms]
EPITECH.NET = {
kdc = kdc.epitech.net
admin_server = kdc.epitech.net
default_domain = kdc.epitech.net
kpasswd_server = kdc.epitech.net
}
[domain_realm]
ig-iit.com = EPITECH.NET
.ig-iit.com = EPITECH.NET
epitech.net = EPITECH.NET
.epitech.net = EPITECH.NET
epitech.eu = EPITECH.NET
.epitech.eu = EPITECH.NET
epita.fr = EPITECH.NET
.epita.fr = EPITECH.NET
Now everything seems to be working well:
# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
# /etc/rc.d/sshd start
Starting sshd.
# /usr/arla/sbin/startarla (looks good)
# kinit millet_a
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: millet_a@EPITECH.NET
Issued Expires Principal
Jul 3 11:52:05 Jul 4 11:52:06 krbtgt/EPITECH.NET@EPITECH.NET
Jul 3 11:52:05 Jul 4 11:52:06 afs@EPITECH.NET
Now I want to ssh to 2 remote hosts:
# ssh millet_a@ackbar
Connection closed by 10.42.20.1
# ssh -v millet_a@ackbar
OpenSSH_5.0p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to ackbar [10.42.20.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.0
debug1: match: OpenSSH_5.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.0
debug1: Miscellaneous failure (see text)
*unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10*
debug1: Offering GSSAPI proposal:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Doing group exchange
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
Connection closed by 10.42.20.1
# kdestroy
# ssh millet_a@ackbar
millet_a@ackbar's password: ********** (works well)
(millet_a@ackbar 2622) ssh amidal
Connection closed by 10.42.20.2
(millet_a@ackbar 2622) ssh -v amidal
OpenSSH_5.0p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to amidal [10.42.20.2] port 22.
debug1: Connection established.
debug1: identity file /u/epitech_2009/millet_a/cu/.ssh/identity type -1
debug1: identity file /u/epitech_2009/millet_a/cu/.ssh/id_rsa type -1
debug1: identity file /u/epitech_2009/millet_a/cu/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.0
debug1: match: OpenSSH_5.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.0
debug1: Miscellaneous failure (see text)
*unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10*
debug1: Offering GSSAPI proposal:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Doing group exchange
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
Connection closed by 10.42.20.2
I want SSO in my school; in previous years I worked with FreeBSD 5.5 with
OpenSSH 4.7, Arla 0.93 and Heimdal 1.0.
I found this GSS message in:
lib/gssapi/krb5/display_status.c
lib/gssapi/mech/gss_display_status.c
Does someone have an idea where the problem is? Google isn't very helpful.
Thanks a lot.
--
Antoine MILLET
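As an added diagnostic example (not part of the post above, nor Heimdal's or OpenSSH's own code): a small Python script that walks `ssh -v` output like the log quoted above, splits the com_err "mech-code" into its error table and offset, names the mech OID, and records at which debug step the connection was closed. The krb5 table base and the mech OIDs are well-known constants; the offset-to-symbol table is a partial one I supply, and the sample lines are constructed from the post.

```python
import re

# com_err packs the error table id into the top 24 bits of a 32-bit code
# and the entry offset into the low 8 bits. The krb5 table base is the
# value of KRB5KDC_ERR_NONE (-1765328384 signed, 0x96C73A00 unsigned).
KRB5_TABLE_BASE = (-1765328384) & 0xFFFFFFFF
# Partial krb5 error table (offsets taken from krb5_err.et numbering).
KRB5_OFFSETS = {141: "KRB5_CC_NOTFOUND", 142: "KRB5_CC_END"}
# Well-known GSS mechanism OIDs in dotted form.
MECH_OIDS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
MECH_CODE_RE = re.compile(r"unknown mech-code (\d+) for mech ([\d ]+)")

def decode_mech_code(code):
    """Return (table_base, offset, symbolic name or None) for a com_err code."""
    base, offset = code & 0xFFFFFF00, code & 0xFF
    name = KRB5_OFFSETS.get(offset) if base == KRB5_TABLE_BASE else None
    return base, offset, name

def analyse_ssh_debug(lines):
    """Summarise the GSSAPI key-exchange attempt seen in `ssh -v` output."""
    report = {"mech_errors": [], "gss_kex_offered": False,
              "init_sec_context": False, "closed_after": None}
    last = None
    for line in lines:
        m = MECH_CODE_RE.search(line)
        if m:
            code = int(m.group(1))
            oid = ".".join(m.group(2).split())  # "1 3 6 ..." -> "1.3.6..."
            _, _, name = decode_mech_code(code)
            report["mech_errors"].append({"code": code, "oid": oid,
                "mech": MECH_OIDS.get(oid, "unknown"), "krb5_error": name})
        elif "Offering GSSAPI proposal" in line:
            report["gss_kex_offered"] = True
        elif "Calling gss_init_sec_context" in line:
            report["init_sec_context"] = True
        elif line.startswith("Connection closed by"):
            report["closed_after"] = last  # the last debug step before the drop
        last = line.strip()
    return report

# Constructed sample: the relevant lines from the post, trimmed.
SAMPLE = """debug1: Miscellaneous failure (see text)
*unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10*
debug1: Offering GSSAPI proposal:
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
Connection closed by 10.42.20.1""".splitlines()
```

Run it on the full `ssh -v` capture; the report tells you whether the mech-code line is a credential-cache lookup message from a non-Kerberos mech and how far the GSS key exchange got before the server dropped the connection.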