Date: Mon, 31 Dec 2007 14:07:09 -0600
From: Jacob Yocom-Piatt
Organization: Fixed Point Group LLC
To: freebsd-questions@freebsd.org
Subject: ssh + kerberos: problems w/ -current to openbsd 4.2 KDC
Message-ID: <47794BED.6090007@fixedpointgroup.com>

have most of the machines here doing ssh authentication via kerberos against a heimdal KDC running openbsd 4.2-release. the freebsd 7.0beta4 host i recently installed will not allow machines to ssh into it using kerberos credentials but it (freebsd host) does successfully get and use tickets from the KDC when

    [gssapi]
    correct_des3_mic = host/*@MYDOMAIN.COM

is added to /etc/krb5.conf.

nothing notable shows up in the KDC logs and the following appears in /var/log/auth.log on the freebsd host:

    Dec 31 12:46:48 databank1 sshd[24658]: error: ssh_msg_send: write
    Dec 31 12:50:14 databank1 sshd[24690]: error: ssh_msg_send: write

the changes made on the freebsd host to accommodate kerberos authentication were in /etc/ssh/sshd_config and /etc/pam.d/sshd, respectively:

    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

    auth sufficient pam_krb5.so no_warn try_first_pass
    account required pam_krb5.so
    password sufficient pam_krb5.so no_warn try_first_pass

where the lines in /etc/pam.d/sshd were simply uncommented and in the original order. debugging outputs from a client trying to ssh into the freebsd host are not very enlightening:

    ...
    debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
    debug1: Next authentication method: gssapi-with-mic
    debug1: Delegating credentials
    debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
    debug1: Next authentication method: publickey
    ...

any clues as to what needs to be done to get this to work correctly would be appreciated.

cheers,
jake
--
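
A way to read the client debug trace quoted in the message, as an added example that is not part of the original post: each "Next authentication method" line opens an attempt, and a following "Authentications that can continue" line is the client logging that the server refused it. The function names and the `SAMPLE_TRACE` constant are hypothetical; the sample is constructed from the lines quoted above.

```python
import re

# Constructed sample: the client-side debug lines quoted in the message.
SAMPLE_TRACE = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: publickey
"""

NEXT = re.compile(r"^debug\d: Next authentication method: (\S+)")
CONTINUE = re.compile(r"^debug\d: Authentications that can continue: (\S+)")
SUCCESS = re.compile(r"^debug\d: Authentication succeeded \(([^)]+)\)")


def summarize_auth(trace):
    """Return one dict per attempted method, in the order the client tried them."""
    attempts = []
    current = None
    for raw in trace.splitlines():
        line = raw.strip()
        m = NEXT.match(line)
        if m:
            # The client has picked a method; start a new attempt record.
            current = {"method": m.group(1), "outcome": "unknown", "notes": []}
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first attempt (initial method list)
        if CONTINUE.match(line):
            # Logged when the server answers the attempt with a failure.
            current["outcome"] = "rejected"
        elif SUCCESS.match(line):
            current["outcome"] = "accepted"
        elif line.startswith("debug"):
            # Keep any other debug text as context for this attempt.
            current["notes"].append(line.partition(": ")[2])
    return attempts


def gssapi_rejected(attempts):
    """True when gssapi-with-mic was tried and the server refused it."""
    return any(a["method"] == "gssapi-with-mic" and a["outcome"] == "rejected"
               for a in attempts)


if __name__ == "__main__":
    for attempt in summarize_auth(SAMPLE_TRACE):
        print(attempt["method"], attempt["outcome"], attempt["notes"])
    print("gssapi-with-mic rejected by server:",
          gssapi_rejected(summarize_auth(SAMPLE_TRACE)))
```

On the quoted trace this reports gssapi-with-mic as rejected after the client logged "Delegating credentials", and publickey as still undecided because the trace is cut off there.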