From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
Date: Mon, 19 Dec 2022 23:05:52 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: cy@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Changed-Fields: bug_status
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

Cy Schubert changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #34 from Cy Schubert ---
(In reply to amendlik from comment #33)

Yes, but if you disable GSSAPI in sshd_config and enable PAM, authentication will be by PAM only. You are misreading their slide to infer that this is baked into the code.

My patch disables linking of Heimdal libraries into OpenSSH so that it does not interfere with pam_krb5 from ports or any other PAM module that has external references to MIT KRB5 symbols that can be construed (because they have the same names) by the runtime linker to use the Heimdal library references already linked into sshd.

Please try the attached patch, disable GSSAPI and Kerberos authentication, enable PAM in sshd_config, and restart sshd.

I cannot reproduce your problem here with or without the patch, though the patch does allow me to use pam_krb5 from ports instead of pam_krb5 supplied by the base O/S.
As you're a binary package user, let's try to avoid rebuilding anything for now.

Looking at your ssh -vvv output, I see,

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr

The KEX and ciphers I send are:

debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

What does your Linux /etc/ssh/ssh_config and your Linux ~/.ssh/config look like?

On the Linux machine, what is the output of ssh -V ?

At the moment I'm not sure you've diagnosed the problem correctly to suggest it's a Kerberos issue.

-- 
You are receiving this mail because:
You are the assignee for the bug.
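The comparison Cy does by eye above, replayed as code: an added example, not part of the bug report or of OpenSSH itself, applying the RFC 4253 first-match rule to abridged copies (order preserved) of the two proposals quoted in the comment. The host-key pick is simplified (a real server only picks a type it holds a key for), and the MAC lists are skipped because the server's were not captured.

```python
"""Replay an SSH negotiation from the two KEXINIT dumps in the comment above.
RFC 4253 section 7.1: per list, the winner is the first entry in the client's
proposal that the server also offers; no common entry aborts the handshake
before any Kerberos, GSSAPI or PAM authentication code is reached."""
import re

# Abridged copies of the proposals quoted in the bug comment (order kept).
SERVER_KEXINIT = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr
"""
CLIENT_KEXINIT = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

# One proposal list per line; the category name is captured verbatim.
LINE_RE = re.compile(
    r"^debug2: (KEX algorithms|host key algorithms|ciphers (?:ctos|stoc)|MACs (?:ctos|stoc)): (.*)$")

def parse_kexinit(dump):
    """Map each proposal category in an `ssh -vvv` dump to its ordered list."""
    lists = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            lists[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return lists

def negotiate(client, server):
    """First client preference the server lists, per category both dumps show.
    None marks a list with no overlap; pseudo-algorithms such as ext-info-c
    never appear on the server side, so they fall through on their own."""
    chosen = {}
    for category, prefs in client.items():
        if category in server:
            offered = set(server[category])
            chosen[category] = next((a for a in prefs if a in offered), None)
    return chosen

def mismatches(chosen):
    """Categories whose negotiation would abort the handshake."""
    return [c for c, alg in chosen.items() if alg is None]
```

Running `negotiate(parse_kexinit(CLIENT_KEXINIT), parse_kexinit(SERVER_KEXINIT))` on these dumps yields a common algorithm in every captured list, which is why the proposals alone do not point at a transport-level failure.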