From owner-freebsd-stable@FreeBSD.ORG Fri Oct 2 04:16:41 2009
Date: Fri, 2 Oct 2009 14:16:35 +1000
From: John Marshall
To: freebsd-stable@freebsd.org
Message-ID: <20091002041635.GH37304@rwpc12.mby.riverwillow.net.au>
References: <20090708085202.GS1025@rwpc12.mby.riverwillow.net.au>
In-Reply-To: <20090708085202.GS1025@rwpc12.mby.riverwillow.net.au>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [SOLVED] sshd GSSAPIAuthentication broken after 8.0-BETA1 upgrade

Apologies for including all of OP - but it was 3 months ago and provides
necessary context. See solution below OP.

On Wed, 08 Jul 2009, 18:52 +1000, John Marshall wrote:
> I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to
> 8.0-BETA1 this morning. I use GSSAPI as the primary authentication
> method for sshd on that server. After the upgrade GSSAPI authentication
> stopped working and I can't get enough information to figure out why.
> Perhaps the newer version of Heimdal behaves differently? Perhaps the
> newer version of sshd behaves differently?
>
> If I run sshd with debug "-ddd" I see the following:
>
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method gssapi-with-mic
> debug3: mm_request_send entering: type 37
> debug3: mm_request_receive_expect entering: type 38
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 37
> debug3: mm_request_send entering: type 38
> debug3: mm_request_receive entering
> Postponed gssapi-with-mic for john from 192.0.2.123 port 57225 ssh2
> debug3: mm_request_send entering: type 39
> debug3: mm_request_receive_expect entering: type 40
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 39
> debug1: Received some client credentials
> debug3: mm_request_send entering: type 40
> debug3: mm_request_receive entering
> debug3: mm_request_send entering: type 43
> debug3: mm_request_receive_expect entering: type 44
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 43
> debug3: mm_request_send entering: type 44
> debug3: mm_request_receive entering
> GSSAPI MIC check failed
>
> On the client side (with ssh -vvv) I see:
>
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
> debug2: we did not send a packet, disable method
>
> Does anybody know of changes between existing STABLE releases and 8.0
> which would cause this behaviour - and how to accommodate it? Do any
> strange Kerberos things need to be done as part of the upgrade?
>
> The client still happily authenticates via GSSAPI to sshd on our other
> 7.2-RELEASE servers. Subsequent authentication methods succeed on the
> 8.0-BETA1 sshd server, it's just GSSAPI that isn't working.

With help from Jim Basney on the OpenSSH-dev mailing list, I was able to
determine that the gssapi error underlying the sshd debug message "GSSAPI
MIC check failed" was GSS_S_BAD_SIG (GSS_S_BAD_MIC). That proved that it
was a Kerberos problem but didn't give me any clue as to why a FreeBSD
8.0 server would regard as BAD signatures that were happily validated on
FreeBSD 7.2 servers.

I am indebted to David P. Discher for discovering this solution.

The problem is related to the difference in Heimdal Kerberos versions
shipped with FreeBSD 7.2 and 8.0.

  FreeBSD 7.2 --> Heimdal 0.6.3
  FreeBSD 8.0 --> Heimdal 1.1.0

 - FreeBSD 7.2 Kerberos includes a broken-by-default gssapi-with-mic.
 - FreeBSD 8.0 Kerberos includes a correct gssapi-with-mic.

FreeBSD 8.0 Kerberos doesn't understand the message produced by the
FreeBSD 7.2 Kerberos broken gssapi-with-mic. Fortunately Heimdal 0.6
understands messages produced by both the broken and correct
gssapi-with-mic AND provides a switch to enable use of the correct
gssapi-with-mic.

So, in order to produce messages which can be processed by FreeBSD 8.0
Kerberos, FreeBSD 7.2 machines must add entries like the following to
their /etc/krb5.conf

  [gssapi]
    correct_des3_mic = host/my.freebsd8.server@MY.REALM
    correct_des3_mic = host/myother.freebsd8.server@MY.REALM

Wildcards can also be used, so as long as none of your machines use a
version of Heimdal earlier than 0.6, you can do something like:

  [gssapi]
    correct_des3_mic = host/*

Note that the Heimdal 0.6.3 verify_krb5_conf utility doesn't know about
the [gssapi] section and will flag it as an error.
For a full description of the broken/correct gssapi-with-mic issue, see
the COMPATIBILITY section of the Heimdal 0.6.3 gssapi(3) man page shipped
with (but not installed on) FreeBSD 7.2
/usr/src/crypto/heimdal/lib/gssapi/gssapi.3:

  $Id: gssapi.3,v 1.5.2.2 2003/04/30 09:56:26 lha Exp $

-- 
John Marshall
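Added example, not part of the original message: a small Python audit that parses a FreeBSD 7.2 client's krb5.conf and reports which FreeBSD 8.0 sshd hosts still lack a covering [gssapi] correct_des3_mic entry, so the check can be run before the upgrade rather than discovered via "GSSAPI MIC check failed". The hostnames and realm are the placeholders from the message, and glob-style matching of wildcard entries such as host/* is an assumption of this tool, not a statement about Heimdal's own matching.

```python
import fnmatch
import re

# Constructed krb5.conf fragment modelled on the [gssapi] section in the
# message; hostnames and realm are placeholders, not real systems.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MY.REALM

[gssapi]
    correct_des3_mic = host/my.freebsd8.server@MY.REALM
    correct_des3_mic = host/myother.freebsd8.server@MY.REALM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf-style text into {section: [(key, value), ...]}.
    Repeated keys are kept in order, since [gssapi] carries one
    correct_des3_mic line per principal. Assumption: flat sections only."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections

def correct_mic_principals(sections):
    """Principals the client is told to send the correct DES3 MIC to."""
    return [v for k, v in sections.get("gssapi", []) if k == "correct_des3_mic"]

def sends_correct_mic(sections, principal):
    """True if some correct_des3_mic entry covers the target principal.
    Assumption: wildcards such as host/* are matched glob-style; this is
    the admin's audit check, not a model of Heimdal's own matcher."""
    return any(fnmatch.fnmatchcase(principal, p) for p in correct_mic_principals(sections))

def missing_entries(sections, freebsd8_hosts, realm):
    """host/ principals of FreeBSD 8.0 servers that no entry covers; any
    result means those servers will still report GSS_S_BAD_MIC."""
    principals = ("host/%s@%s" % (h, realm) for h in freebsd8_hosts)
    return [p for p in principals if not sends_correct_mic(sections, p)]
```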