Date: Fri, 16 Dec 2022 20:50:11 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
Message-ID: <bug-268186-227-Nks6euhKUp@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-268186-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-268186-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #25 from amendlik@gmail.com ---
(In reply to Cy Schubert from comment #24)

I've done some reading on the FreeIPA client (which would be the server running sshd) setup and learned that PAM is only used for password authentication. Kerberos authentication is supposed to be handled by GSSAPI. So I don't believe your patch will help in this case.

That should take PAM out of the flow and bring us back to what I believe is the root issue: that FreeBSD sshd reports that it cannot handle a type 20 ticket.

I see you saying that "FreeBSD OpenSSH server linked against Heimdal also works", but I'm still struggling to understand that. You seem to be saying that a type 20 ticket will be accepted if that ticket was generated by a FreeBSD/MIT KDC, but if it was generated by a FreeIPA/MIT KDC, it will report "encryption type 20 not supported".

Can you help me understand this apparent contradiction? How does the same FreeBSD sshd in one case say "type 20 not supported" and in another case work fine with a type 20 ticket?

When you say your sshd is "linked against Heimdal", do you mean the Heimdal from the base system, or a newer version?

-- 
You are receiving this mail because:
You are the assignee for the bug.