Date: Mon, 19 Dec 2022 18:49:27 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
Message-ID: <bug-268186-227-75MuAvRUBW@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-268186-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-268186-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #27 from amendlik@gmail.com ---

(In reply to Cy Schubert from comment #26)

To keep things simple, I have disabled PAM and all authentication methods except GSSAPI.

    PubkeyAuthentication no
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication yes
    UsePAM no

This configuration works fine with an encryption type-18 ticket. If I try it with a type-20 ticket, it fails with the error: "encryption type 20 not supported". This behavior is what I would expect, because OpenSSH in the base system is linked with Heimdal 1.5.2, which does not support encryption type 20. Not only was RFC8009, which defined type-20, written after 1.5.2 was released, but we can look at the FreeBSD source code and see that there is no code to support encryption type-20 (https://cgit.freebsd.org/src/tree/crypto/heimdal/lib/krb5/crypto-aes.c).

I don't understand how you are getting it to work in your environment. I see you saying the tickets must be formatted differently by different KDCs, but that explanation does not make sense to me. How can a type-20 ticket created by your KDC be accepted by an OpenSSH server that DOES NOT SUPPORT type-20 tickets, regardless of its format?

That seems like the critical question we need to address. There has to be some detail of your environment I am missing. Can you confirm that the OpenSSH server you are testing with is FreeBSD with OpenSSH from the base system?

-- 
You are receiving this mail because:
You are the assignee for the bug.