From owner-freebsd-security@FreeBSD.ORG  Mon Feb 13 08:54:02 2006
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 326ED16A420
	for <freebsd-security@freebsd.org>;
	Mon, 13 Feb 2006 08:54:02 +0000 (GMT)
	(envelope-from alex@foxybanana.com)
Received: from atlantis.foxybanana.com (foxybanana.com [66.240.239.24])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A29BB43D45
	for <freebsd-security@freebsd.org>;
	Mon, 13 Feb 2006 08:54:01 +0000 (GMT)
	(envelope-from alex@foxybanana.com)
Received: from localhost (localhost [127.0.0.1])
	by atlantis.foxybanana.com (Postfix) with ESMTP id 95E9F146154
	for <freebsd-security@freebsd.org>;
	Mon, 13 Feb 2006 00:53:59 -0800 (PST)
Received: from atlantis.foxybanana.com ([127.0.0.1])
	by localhost (atlantis.foxybanana.com [127.0.0.1]) (amavisd-new,
	port 10024) with LMTP id 31509-02 for <freebsd-security@freebsd.org>;
	Mon, 13 Feb 2006 00:53:44 -0800 (PST)
Received: by atlantis.foxybanana.com (Postfix, from userid 503)
	id 3A85614618B; Mon, 13 Feb 2006 00:53:41 -0800 (PST)
Date: Mon, 13 Feb 2006 00:53:41 -0800
From: Alexander Botero-Lowry <alex@foxybanana.com>
To: freebsd-security@freebsd.org
Message-ID: <20060213085341.GA6545@atlantis.foxybanana.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: amavisd-new at foxybanana.com
X-Spam-Status: No, hits=0 tagged_above=-9999 required=3 tests=[none]
X-Spam-Level: 
X-Mailman-Approved-At: Mon, 13 Feb 2006 12:46:08 +0000
Subject: heimdal and mit incompatibility when using GSSAPI
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2006 08:54:02 -0000

My college is kerberized, and so in many situations authentication is both faster and more secure using kerberos tickets. Sadly I have run into a problem. 

The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi.

For example ssh in verbose mode returns:

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1:  A token was invalid
Unknown error: 0

when I try to connect to oberon. This same connection works fine on another machine with MIT krb5. 

Interestingly the tickets are issued even though the authentication fails:

[0:49] alex@Laptop: ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: boterola@REED.EDU

  Issued           Expires          Principal                  
Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU     
Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU


I am also able to use GSSAPI in thunderbird (linux version with MIT krb5 libraries).

Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Alex 
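
An added example, not part of Alex's post or of either Kerberos distribution: the "A token was invalid" message refers to the GSS-API token exchanged inside the ssh userauth request. The decoder below, written for this page, pulls apart that token's wire framing so a captured token can be checked by hand: the RFC 2743 InitialContextToken wrapper (0x60, DER length, mechanism OID), the two-byte TOK_ID that follows it (RFC 1964: AP-REQ, AP-REP, KRB-ERROR, and the old framed MIC/Wrap tokens), and the unframed 16-byte per-message header that RFC 4121 introduced for newer Kerberos GSS implementations. An implementation that only understands one of the two per-message formats will reject the other's tokens, which is one concrete thing to look for when two Kerberos stacks disagree. The sample tokens at the bottom are constructed placeholders (the AP-REQ body is dummy bytes, not a real DER AP-REQ), so the script runs offline.

```python
"""Decode the wire framing of GSS-API Kerberos tokens.

Added example, not code from the thread or from Heimdal/MIT.
Outer framing: RFC 2743 section 3.1.  Inner TOK_IDs: RFC 1964
section 1 and RFC 4121 section 4.2.6.  Sample tokens are constructed.
"""

MECH_NAMES = {
    "1.2.840.113554.1.2.2": "krb5",
    "1.3.5.1.5.2": "krb5-old",      # pre-RFC 1964 OID some old stacks still emit
    "1.3.6.1.5.5.2": "spnego",
}

# TOK_ID values that follow the mech OID inside a framed token.
FRAMED_TOK_IDS = {
    b"\x01\x00": "KRB_AP_REQ",
    b"\x02\x00": "KRB_AP_REP",
    b"\x03\x00": "KRB_ERROR",
    b"\x01\x01": "MIC (RFC 1964)",
    b"\x02\x01": "WRAP (RFC 1964)",
}
# RFC 4121 per-message tokens carry no outer framing at all.
RAW_TOK_IDS = {b"\x04\x04": "MIC (RFC 4121)", b"\x05\x04": "WRAP (RFC 4121)"}


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad long-form length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < (0x80 if n == 1 else 1 << (8 * (n - 1))):
        raise ValueError("non-minimal DER length")  # DER demands shortest form
    return length, pos + 1 + n


def _decode_oid(body):
    """Decode DER OID contents (no tag/length) to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _parse_rfc4121(token):
    """Decode the 16-byte header of an unframed RFC 4121 MIC/Wrap token."""
    if len(token) < 16:
        raise ValueError("RFC 4121 token header is 16 bytes")
    tok_id, flags = token[:2], token[2]
    info = {"framing": "none (RFC 4121)", "mech_name": "krb5",
            "tok_id": tok_id.hex(), "inner": RAW_TOK_IDS[tok_id],
            "sent_by_acceptor": bool(flags & 0x01), "sealed": bool(flags & 0x02),
            "acceptor_subkey": bool(flags & 0x04),
            "seq": int.from_bytes(token[8:16], "big"), "inner_len": len(token) - 16}
    if tok_id == b"\x05\x04":                       # Wrap: Filler, EC, RRC
        if token[3] != 0xFF:
            raise ValueError("bad Wrap filler")
        info["ec"] = int.from_bytes(token[4:6], "big")
        info["rrc"] = int.from_bytes(token[6:8], "big")
    elif token[3:8] != b"\xff" * 5:                 # MIC: 5 filler bytes
        raise ValueError("bad MIC filler")
    return info


def parse_token(token):
    """Describe a GSS-API Kerberos token as a dict, or raise ValueError."""
    if token[:2] in RAW_TOK_IDS:
        return _parse_rfc4121(token)
    if not token or token[0] != 0x60:
        raise ValueError("not an InitialContextToken (no APPLICATION 0 tag)")
    length, pos = _der_len(token, 1)
    if pos + length != len(token):
        raise ValueError("framing length %d, but %d bytes follow" % (length, len(token) - pos))
    if token[pos] != 0x06:
        raise ValueError("expected mechanism OID")
    oid_len, pos = _der_len(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("OID runs past end of token")
    oid = _decode_oid(token[pos:pos + oid_len])
    pos += oid_len
    info = {"framing": "RFC 2743", "mech": oid, "mech_name": MECH_NAMES.get(oid, "unknown")}
    if info["mech_name"] == "spnego":               # wraps another mech; not decoded here
        info.update(inner="NegotiationToken", inner_len=len(token) - pos)
        return info
    tok_id = token[pos:pos + 2]
    if len(tok_id) != 2:
        raise ValueError("missing TOK_ID")
    info.update(tok_id=tok_id.hex(), inner=FRAMED_TOK_IDS.get(tok_id, "unknown"),
                inner_len=len(token) - pos - 2)
    return info


def is_valid_token(token):
    try:
        parse_token(token)
        return True
    except ValueError:
        return False


def _der_len_bytes(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_framed_token(mech_oid, tok_id, inner):
    """Wrap tok_id+inner in the RFC 2743 InitialContextToken framing."""
    oid_bytes = _encode_oid(mech_oid)
    body = b"\x06" + _der_len_bytes(len(oid_bytes)) + oid_bytes + tok_id + inner
    return b"\x60" + _der_len_bytes(len(body)) + body


# Constructed samples: the AP-REQ body is placeholder bytes, not a real AP-REQ.
SAMPLE_AP_REQ = build_framed_token("1.2.840.113554.1.2.2", b"\x01\x00", b"\x6e" + bytes(299))
SAMPLE_WRAP_4121 = (b"\x05\x04" + b"\x02\xff" + (0).to_bytes(2, "big")
                    + (0).to_bytes(2, "big") + (7).to_bytes(8, "big") + b"ciphertext")

if __name__ == "__main__":
    for t in (SAMPLE_AP_REQ, SAMPLE_WRAP_4121, SAMPLE_AP_REQ[:-1]):
        try:
            print(parse_token(t))
        except ValueError as exc:
            print("invalid token:", exc)
```

Feed it the bytes of a captured context token (for ssh, the payload of the SSH_MSG_USERAUTH_GSSAPI_TOKEN message) and it will tell you which mechanism OID and which token format each side is sending before any Kerberos-level decoding is attempted.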

From owner-freebsd-security@FreeBSD.ORG  Mon Feb 13 18:14:26 2006
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1013A16A420;
	Mon, 13 Feb 2006 18:14:26 +0000 (GMT)
	(envelope-from Cy.Schubert@komquats.com)
Received: from spqr.komquats.com (S0106002078125c0c.gv.shawcable.net
	[24.108.150.239])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 64D2243D5D;
	Mon, 13 Feb 2006 18:14:25 +0000 (GMT)
	(envelope-from Cy.Schubert@komquats.com)
Received: from cwsys.cwsent.com (cwsys [10.1.1.1])
	by spqr.komquats.com (Postfix) with ESMTP id 593FA4C5C5;
	Mon, 13 Feb 2006 10:14:23 -0800 (PST)
Received: from cwsys (localhost [127.0.0.1])
	by cwsys.cwsent.com (8.13.4/8.13.4) with ESMTP id k1DIELkn058489;
	Mon, 13 Feb 2006 10:14:21 -0800 (PST)
	(envelope-from Cy.Schubert@komquats.com)
Message-Id: <200602131814.k1DIELkn058489@cwsys.cwsent.com>
X-Mailer: exmh version 2.7.2 01/07/2005 with nmh-1.0.4
From: Cy Schubert <Cy.Schubert@komquats.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.komquats.com/
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 13 Feb 2006 10:14:21 -0800
Sender: Cy.Schubert@komquats.com
Cc: 
Subject: Upcoming Tripwire Port Upgrade
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Cy Schubert <Cy.Schubert@komquats.com>
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2006 18:14:26 -0000

I have an updated tripwire port which I'd like to release for testing prior 
to replacing the existing and currently broken tripwire port. I've tested 
it under the upcoming 6.1, where it seems to work well in my test 
environment, and will commence testing under 4.11-STABLE, the upcoming 5.5, 
and 7.0-CURRENT.

The things that are on my todo list are:

- Fully test under 4.11-STABLE.

- Fully test under 5.5-*.

- Implement it into production in my 6.1-* environments (just prior to
  committing it).

- Fully test under 7.0-CURRENT.

- The pkg-plist appears to be correct though I do want to test that
  piece a little more rigorously.

- The database build is currently part of the port post-install however
  I want to move that part of the install into the package install
  so that this port can be distributed via binary package as well.

- Finally when all is done, commit it before the February 20 ports change
  freeze.

Any and all testing would be greatly appreciated.

A copy of the port can be found at
http://komquats.com/~cy/tripwire-port-060213.tar.bz2.


Cheers,
Cy Schubert <Cy.Schubert@komquats.com>
Web:  http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
BC Government:  <Cy.Schubert@gov.bc.ca>

    "Lift long enough and I believe arrogance is replaced by
    humility and fear by courage and selfishness by generosity
    and rudeness by compassion and caring."
        -- Dave Draper




From owner-freebsd-security@FreeBSD.ORG  Thu Feb 16 18:24:36 2006
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A995E16A420
	for <freebsd-security@freebsd.org>;
	Thu, 16 Feb 2006 18:24:36 +0000 (GMT) (envelope-from bsam@ipt.ru)
Received: from mail.ipt.ru (mail.ipt.ru [80.253.10.82])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9C72343D45
	for <freebsd-security@freebsd.org>;
	Thu, 16 Feb 2006 18:24:35 +0000 (GMT) (envelope-from bsam@ipt.ru)
Received: from doc.sem.ipt.ru ([192.168.12.1] helo=srv.sem.ipt.ru)
	by mail.ipt.ru with esmtp (Exim 4.54 (FreeBSD))
	id 1F9nnq-000NBc-HH; Thu, 16 Feb 2006 21:24:30 +0300
Received: from bsam by srv.sem.ipt.ru with local (Exim 4.60 (FreeBSD))
	(envelope-from <bsam@ipt.ru>)
	id 1F9nmE-0002Qo-R1; Thu, 16 Feb 2006 21:22:50 +0300
To: Alexander Botero-Lowry <alex@foxybanana.com>
References: <20060213085341.GA6545@atlantis.foxybanana.com>
From: Boris Samorodov <bsam@ipt.ru>
Date: Thu, 16 Feb 2006 21:22:50 +0300
In-Reply-To: <20060213085341.GA6545@atlantis.foxybanana.com> (Alexander
	Botero-Lowry's message of "Mon, 13 Feb 2006 00:53:41 -0800")
Message-ID: <61710261@srv.sem.ipt.ru>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: freebsd-security@freebsd.org
Subject: Re: heimdal and mit incompatibility when using GSSAPI
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2006 18:24:36 -0000

On Mon, 13 Feb 2006 00:53:41 -0800 Alexander Botero-Lowry wrote:

> My college is kerberized, and so in many situations authentication is both faster and more secure using kerberos tickets. Sadly I have run into a problem. 

> The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi.

Which version of FreeBSD and Heimdal are you using?

> For example ssh in verbose mode returns:

> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1:  A token was invalid
> Unknown error: 0

man krb.conf may give some clues on making Heimdal Kerberos more
MIT-compatible.

> when I try to connect to oberon. This same connection works fine on another machine with MIT krb5. 

> Interestingly the tickets are issued even though the authentication fails:

> [0:49] alex@Laptop: ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
>         Principal: boterola@REED.EDU

>   Issued           Expires          Principal                  
> Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU     
> Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU

How and when did you get krbtgt? Did you use kinit? (man kinit may
help a little)

> I am also able to use GSSAPI in thunderbird (linux version with MIT krb5 libraries).

Under Linux? I didn't find any linux-thunderbird in the ports tree.

> Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Well, IMO, before using GSSAPI you may want to ensure that Kerberos itself is
working (i.e. what I've written above).


WBR
-- 
Boris B. Samorodov, Research Engineer
InPharmTech Co,     http://www.ipt.ru
Telephone & Internet Service Provider