Date: Mon, 19 Dec 2022 23:05:52 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
Message-ID: <bug-268186-227-qLK9wP7j1z@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-268186-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-268186-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

Cy Schubert <cy@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #34 from Cy Schubert <cy@FreeBSD.org> ---
(In reply to amendlik from comment #33)

Yes but if you disable GSSAPI in sshd_config and enable PAM, authentication
will be by PAM only. You are misreading their slide to infer that this is baked
into the code.

My patch disables linking of Heimdal libraries into OpenSSH so that it does not
interfere with pam_krb5 from ports or any other PAM module that has external
references to MIT KRB5 symbols that can be construed (because they have the
same names) by the runtime linker to use the Heimdal library references already
linked into sshd.

Please try the attached patch, disable GSSAPI and Kerberos authentication,
enable PAM in sshd_config, and restart sshd.

I cannot reproduce your problem here with or without the patch though the patch
does allow me to use pam_krb5 from ports instead of pam_krb5 supplied by the
base O/S.

As you're a binary package user, let's try to avoid rebuilding anything for now.

Looking at your ssh -vvv output, I see,

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr

The KEX and ciphers I send are:

debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

What does your Linux /etc/ssh/ssh_config and your Linux ~/.ssh/config look
like?

On the Linux machine, what is the output of ssh -V ?

At the moment I'm not sure you've diagnosed the problem correctly to suggest
it's a Kerberos issue.

-- 
You are receiving this mail because:
You are the assignee for the bug.
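The negotiation the comment is reasoning about, worked through as an added example (not part of the bug report or of FreeBSD's code): the RFC 4253 section 7.1 first-match rule applied to the two KEXINIT proposals quoted above, which shows that KEX, host key and cipher selection all succeed between this client and server. The client's cert-v01 host key entries are abbreviated, the server's MAC lines are absent from the excerpt, and the legacy server proposal is constructed to show what a genuine key-exchange mismatch looks like by contrast.

```python
import re

# Constructed input: the server and client KEXINIT lines quoted in comment #34 (client
# cert-v01 host key entries abbreviated; server MAC lines are not in the excerpt).
SERVER_KEXINIT = """\
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr
"""
CLIENT_KEXINIT = """\
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
"""
# Constructed counter-example: a legacy server sharing nothing with the client above,
# which is what a real key-exchange failure ("Unable to negotiate ...") looks like.
LEGACY_SERVER_KEXINIT = """\
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-dss
debug2: ciphers ctos: 3des-cbc
debug2: ciphers stoc: 3des-cbc
"""

LINE_RE = re.compile(r"^debug2: (KEX algorithms|host key algorithms|ciphers [cs]to[cs]|MACs [cs]to[cs]): (.+)$")
MARKERS = {"ext-info-c", "ext-info-s"}  # capability flags (RFC 8308), not KEX methods

def parse_kexinit(text):
    """Map each algorithm class in an 'ssh -vvv' KEXINIT dump to its ordered name list."""
    proposal = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proposal[m.group(1)] = m.group(2).split(",")
    return proposal

def negotiate(client, server):
    """RFC 4253 s7.1: per class, the first client name the server also lists (None = no overlap)."""
    chosen = {}
    for cls, names in client.items():
        if cls in server:  # classes missing on one side (MACs here) are not negotiated
            offered = set(server[cls]) - MARKERS
            chosen[cls] = next((n for n in names if n in offered), None)
    return chosen

def kex_would_succeed(client_text, server_text):
    """Return (True, choices) when every negotiated class has a match, else (False, choices)."""
    chosen = negotiate(parse_kexinit(client_text), parse_kexinit(server_text))
    return all(n is not None for n in chosen.values()), chosen
```

Against the proposals in the comment this yields curve25519-sha256@libssh.org, ssh-ed25519 and aes128-ctr in both directions, so the connection gets past key exchange and the failure has to lie later, in authentication.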