From: John Marshall
Date: Wed, 8 Jul 2009 18:52:02 +1000
To: freebsd-stable@freebsd.org
Message-ID: <20090708085202.GS1025@rwpc12.mby.riverwillow.net.au>
Subject: sshd GSSAPIAuthentication broken after 8.0-BETA1 upgrade

I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to
8.0-BETA1 this morning. I use GSSAPI as the primary authentication
method for sshd on that server. After the upgrade GSSAPI authentication
stopped working and I can't get enough information to figure out why.
Perhaps the newer version of Heimdal behaves differently? Perhaps the
newer version of sshd behaves differently?

If I run sshd with debug "-ddd" I see the following:

debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 37
debug3: mm_request_receive_expect entering: type 38
debug3: mm_request_receive entering
debug3: monitor_read: checking request 37
debug3: mm_request_send entering: type 38
debug3: mm_request_receive entering
Postponed gssapi-with-mic for john from 192.0.2.123 port 57225 ssh2
debug3: mm_request_send entering: type 39
debug3: mm_request_receive_expect entering: type 40
debug3: mm_request_receive entering
debug3: monitor_read: checking request 39
debug1: Received some client credentials
debug3: mm_request_send entering: type 40
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 43
debug3: mm_request_receive_expect entering: type 44
debug3: mm_request_receive entering
debug3: monitor_read: checking request 43
debug3: mm_request_send entering: type 44
debug3: mm_request_receive entering
GSSAPI MIC check failed

On the client side (with ssh -vvv) I see:

debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method

Does anybody know of changes between existing STABLE releases and 8.0
which would cause this behaviour - and how to accommodate it? Do any
strange Kerberos things need to be done as part of the upgrade? The
client still happily authenticates via GSSAPI to sshd on our other
7.2-RELEASE servers.
Subsequent authentication methods succeed on the 8.0-BETA1 sshd server,
it's just GSSAPI that isn't working.

Thanks.

-- 
John Marshall