Date: Mon, 13 Feb 2006 00:53:41 -0800
From: Alexander Botero-Lowry
To: freebsd-security@freebsd.org
Message-ID: <20060213085341.GA6545@atlantis.foxybanana.com>
Subject: heimdal and mit incompatability when using GSSAPI

My college is kerberized, and so in many situations authentication is
both faster and more secure using Kerberos tickets. Sadly, I have run
into a problem.
The Heimdal included in FreeBSD seems to be incompatible with my
school's servers running MIT Kerberos when authenticating over GSSAPI.
For example, ssh in verbose mode returns:

    debug2: we sent a gssapi-with-mic packet, wait for reply
    debug1: A token was invalid
    Unknown error: 0

when I try to connect to oberon. This same connection works fine on
another machine with MIT krb5. Interestingly, the tickets are issued
even though the authentication fails:

    [0:49] alex@Laptop: ~> klist
    Credentials cache: FILE:/tmp/krb5cc_1001
            Principal: boterola@REED.EDU

      Issued           Expires          Principal
    Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU
    Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU

I am also able to use GSSAPI in Thunderbird (Linux version with MIT
krb5 libraries).

Does anyone have any insight into how to get GSSAPI authentication to
work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Alex