From: Rick Macklem
Date: Tue, 14 Jul 2009 10:34:54 -0400 (EDT)
To: John Marshall
Cc: freebsd-current@freebsd.org
Subject: Re: sshd GSSAPIAuthentication broken after 8.0-BETA1 upgrade

On Tue, 14 Jul 2009, John Marshall wrote:

> Zero interest on -stable after 1 week. Trying -current.
>
> On Wed, 08 Jul 2009, 18:52 +1000, John Marshall wrote:
>> I source upgraded a (test) server here (i386) from 7.2-RELEASE-p2 to
>> 8.0-BETA1 this morning. I use GSSAPI as the primary authentication
>> method for sshd on that server. After the upgrade GSSAPI authentication
>> stopped working and I can't get enough information to figure out why.
>> Perhaps the newer version of Heimdal behaves differently? Perhaps the
>> newer version of sshd behaves differently?
>>

I'm a Kerberos weenie, so don't expect this to help, but I know what
it's like when it doesn't work. Here's some things I've had luck with
when trying to get the gssapi to work in the past:

- try commenting out all the other mechanisms in /etc/gss/mech.
  (It seems to sometimes get confused and tries to use a different
  mech than Kerberos, or whatever you are using.)
- try to make sure that your KDC, client and server machine are all
  using the same encryption type by default (and that the entry for
  the host principal in the server is encrypted with that same type).
  default_etypes in /etc/krb5.conf + whatever your KDC uses
- make sure your machines have fully qualified DNS names and that the
  name for the server matches the one used for the host based principal
  in its keytab file.

Doubt any of the above will help, but good luck with it, rick
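
The three checks listed in the message above, as an added example that is not part of the original message or of FreeBSD: a small sh script that reads a mech file, a krb5.conf and a saved keytab listing and reports which check fails. The sample files, the host name srv.example.org, the function names and the `ktutil list` column layout are assumptions made for the example; the KDC side cannot be checked offline and is not covered.

```shell
#!/bin/sh
# Added example; the sample files are constructed. On a real host pass
# /etc/gss/mech, /etc/krb5.conf, saved `ktutil list` output and `hostname -f`.
WANT_MECH=${WANT_MECH:-kerberosv5}   # assumed mechanism name; adjust to yours

# Names of the mechanisms still enabled (not commented out) in a mech file.
active_mechs() { awk '$1 !~ /^#/ && NF { print $1 }' "$1"; }

# Enctypes listed in default_etypes of a krb5.conf, one per line.
default_etypes() {
    awk -F= '$1 ~ /^[ \t]*default_etypes[ \t]*$/ {
        n = split($2, a, " "); for (i = 1; i <= n; i++) print a[i] }' "$1"
}

# Enctypes of the keytab entries for host/<fqdn>: $1 = fqdn, $2 = listing file.
host_key_etypes() { awk -v p="host/$1@" 'index($3, p) == 1 { print $2 }' "$2"; }

# Run all checks: $1 mech file, $2 krb5.conf, $3 keytab listing, $4 fqdn.
gss_check() {
    rc=0
    mechs=$(active_mechs "$1" | xargs)
    [ "$mechs" = "$WANT_MECH" ] || { echo "mech: enabled: $mechs"; rc=1; }
    case "$4" in
        *.*) ;;
        *) echo "host: '$4' is not fully qualified"; rc=1 ;;
    esac
    keys=$(host_key_etypes "$4" "$3")
    [ -n "$keys" ] || { echo "keytab: no host/$4 entry"; rc=1; }
    match=0
    for k in $keys; do
        for e in $(default_etypes "$2"); do
            if [ "$k" = "$e" ]; then match=1; fi
        done
    done
    [ "$match" = 1 ] || { echo "etype: no host key type in default_etypes"; rc=1; }
    return $rc
}

# Write the constructed sample inputs into directory $1.
make_samples() {
    printf '%s\n' '# Name OID Library Kernel-module' \
        'kerberosv5 1.2.840.113554.1.2.2 /usr/lib/libgssapi_krb5.so.10 kgssapi_krb5' \
        '#spnego 1.3.6.1.5.5.2 /usr/lib/libgssapi_spnego.so.10 -' > "$1/mech"
    printf '%s\n' '[libdefaults]' \
        '    default_etypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1' > "$1/krb5.conf"
    printf '%s\n' 'Vno  Type                     Principal' \
        '  2  aes256-cts-hmac-sha1-96  host/srv.example.org@EXAMPLE.ORG' > "$1/keytab.txt"
}

d=$(mktemp -d) && make_samples "$d" &&
    gss_check "$d/mech" "$d/krb5.conf" "$d/keytab.txt" srv.example.org &&
    echo "all three checks passed"; rm -rf "$d"
```

Each failing check prints one line naming the item (mech, host, keytab or etype), so a mismatch between the keytab principal and the server's name shows up separately from an encryption type mismatch.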