From owner-freebsd-questions@FreeBSD.ORG Thu Jun 30 11:03:59 2005
Date: Thu, 30 Jun 2005 12:03:56 +0100
From: Richard Jones
To: freebsd-questions@freebsd.org
Message-ID: <20050630110356.GA32936@dogstar.jonze.com>
User-Agent: Mutt/1.4.2.1i
Subject: OpenSSH, Kerberos and RedHat

Hi,

I'm trying to get OpenSSH with Kerberos5/GSSAPI authentication up and running in a heterogeneous environment, but am having problems.

I'm running a vanilla FreeBSD-5.4p1 box as the KDC. I have another FreeBSD-5.4 box, and a RedHat ES3 box running as a test client/server. kinit works fine on both boxes. PuTTY patched with Kerberos support works fine as a client to both boxes (and obviously has no problems with the KDC). Each box can negotiate a login to itself. However, neither can talk to the other.

I first recompiled the stock RedHat OpenSSH with the "gss" tag change to allow it to compile against GSSAPI. However, this did not work, I believe, as this was an older package patched to provide gssapi, and not the newer gssapi-with-mic. This did not work. So I tried a more recent RPM: openssh-3.9p1-8.0.2.src.rpm compiled with the tag change to use gssapi-with-mic.

Server:

Connection from 10.1.0.112 port 54409
debug1: Client protocol version 2.0; client software version OpenSSH
57:41 redhat sshd[844]: debug1: match: OpenSSH_3.8.1p1 FreeBSD-20040419 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.9p1
debug1: Received some client credentials
debug1: temporarily_use_uid: 504/504 (e=0/0)
debug1: trying public key file /home/richard/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 504/504 (e=0/0)
debug1: trying public key file /home/richard/.ssh/authorized_keys2
debug1: restore_uid: 0/0
debug1: do_cleanup

Client:

OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to redhat.digitalrum.net [10.1.0.83] port 23.
debug1: Connection established.
debug1: identity file /usr/local/home/richard/.ssh/id_rsa type 1
debug1: identity file /usr/local/home/richard/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'redhat.digitalrum.net' is known and matches the DSA host key.
debug1: Found key in /usr/local/home/richard/.ssh/known_hosts:79
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).

Can anyone help? I thought it may be a Kerberos flavour mismatch; RedHat is compiled against MIT, and FreeBSD against Heimdal. I tried recompiling FreeBSD's openssh-portable against MIT Kerberos, but it failed to build with a slew of GSSAPI errors.

Regards,
Richard

-- 
Richard Jones
MSN: msn.co.uk@jonze.com
Y!M: rwkjones
http://www.jonze.com
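A small triage helper, added here and not part of Richard's post, that reads the client-side `ssh -v` transcript quoted above and summarises what the authentication phase actually tells you: which methods the server offered, which the client tried, and that the server re-offered the same list after the gssapi-with-mic attempt (so the rejection happened server-side and the client log alone cannot say why). CLIENT_LOG is a constructed, trimmed copy of the quoted transcript.

```python
import re

# Constructed excerpt of the client-side "ssh -v" output quoted in the post
# (line order preserved; key-exchange lines dropped as irrelevant here).
CLIENT_LOG = """\
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
"""

def parse_ssh_verbose(log):
    """Pull the authentication-phase facts out of an `ssh -v` transcript."""
    info = {"remote_version": None, "local_version": None,
            "offered": [], "tried": [], "denied": False}
    for raw in log.splitlines():
        line = raw.strip()
        if m := re.search(r"remote software version (\S+)", line):
            info["remote_version"] = m.group(1)
        elif m := re.search(r"Local version string (.+)", line):
            info["local_version"] = m.group(1)
        elif m := re.search(r"Authentications that can continue: (\S+)", line):
            # Each occurrence is the server re-sending its allowed-method list.
            info["offered"].append(m.group(1).split(","))
        elif m := re.search(r"Next authentication method: (\S+)", line):
            info["tried"].append(m.group(1))
        elif line.startswith("Permission denied"):
            info["denied"] = True
    return info

def diagnose(info):
    """Say where to look next, based only on what the client side saw."""
    if not info["denied"]:
        return "authentication succeeded"
    tried = info["tried"]
    # A second "can continue" list after the client tried gssapi-with-mic, with
    # no success in between, means the server rejected the GSSAPI exchange
    # (service ticket, host principal/keytab or mechanism mismatch); the client
    # log cannot distinguish these, so the server's sshd -d output is needed.
    if "gssapi-with-mic" in tried and len(info["offered"]) > 1:
        return ("gssapi-with-mic was tried and rejected by the server; "
                "check sshd -d output and the KDC log for the host/<fqdn> service ticket")
    if tried:
        return "methods tried (%s) all failed" % ", ".join(tried)
    return "no method attempted; client had nothing usable for the offered list"
```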