From: Boris Samorodov <bsam@ipt.ru>
To: Alexander Botero-Lowry
Cc: freebsd-security@freebsd.org
Date: Thu, 16 Feb 2006 21:22:50 +0300
Subject: Re: heimdal and mit incompatability when using GSSAPI
Message-ID: <61710261@srv.sem.ipt.ru>
In-Reply-To: <20060213085341.GA6545@atlantis.foxybanana.com>
References: <20060213085341.GA6545@atlantis.foxybanana.com>

On Mon, 13 Feb 2006 00:53:41 -0800 Alexander Botero-Lowry wrote:

> My college is kerberized, and so in many situations authentication is both faster and more secure using kerberos tickets. Sadly I have run into a problem.
> The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi.

Which version of FreeBSD and Heimdal are you using?

> For example ssh in verbose mode returns:
>
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: A token was invalid
> Unknown error: 0

man krb.conf may give some clue to heimdal kerberos to be more MIT-compatible.

> when I try to connect to oberon. This same connection works fine on another machine with MIT krb5.
> Interestingly the tickets are issued even though the authentication fails:
>
> [0:49] alex@Laptop: ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
>         Principal: boterola@REED.EDU
>
>   Issued           Expires          Principal
> Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU
> Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU

How and when did you get krbtgt? Did you use kinit? (man kinit may help a little)

> I am also able to use GSSAPI in thunderbird (linux version with MIT krb5 libraries).

Under Linux OS? I didn't find any linux-thunderbird at the ports tree.

> Does anyone have any insight into how to get GSSAPI authentication to work betwixt the default Heimdal in FreeBSD and our MIT-running servers?

Well, imo before using GSSAPI you may ensure that kerberos itself is working (i.e. what I've written above).

WBR
-- 
Boris B. Samorodov, Research Engineer
InPharmTech Co, http://www.ipt.ru
Telephone & Internet Service Provider
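The advice above to confirm that Kerberos itself works before chasing GSSAPI errors can be scripted. The following is an added example, not code from the thread or from FreeBSD: it parses a Heimdal-style klist listing in the format quoted above and checks that the cache holds a TGT for the principal's realm and a host/ service ticket for the target. The sample listing is constructed from the thread's output, and klist_realm, klist_has_ticket and check_krb_creds are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Heimdal-style
# "klist" listing before blaming GSSAPI. Verifies that the credential
# cache holds a TGT for the principal's realm and a host/ service ticket
# for the server being reached.

# Constructed sample, in the Heimdal klist format quoted in the thread.
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: boterola@REED.EDU

  Issued           Expires          Principal
Feb 13 00:22:56  Feb 13 07:02:46  krbtgt/REED.EDU@REED.EDU
Feb 13 00:38:54  Feb 13 07:02:46  host/oberon.reed.edu@REED.EDU'

# Print the realm taken from the "Principal:" line (text after the last '@').
klist_realm() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Principal: .*@\([^@]*\)$/\1/p'
}

# Succeed (exit 0) if some ticket line ends with the given principal name.
klist_has_ticket() {
    printf '%s\n' "$1" | awk -v want="$2" '$NF == want { found = 1 } END { exit !found }'
}

# check_krb_creds LISTING HOSTNAME
#   0: TGT and host/HOSTNAME ticket both present
#   1: no usable TGT (run kinit first, as suggested in the thread)
#   2: TGT present but no host/HOSTNAME service ticket
check_krb_creds() {
    listing=$1; host=$2
    realm=$(klist_realm "$listing")
    [ -n "$realm" ] || return 1
    klist_has_ticket "$listing" "krbtgt/$realm@$realm" || return 1
    klist_has_ticket "$listing" "host/$host@$realm" || return 2
    return 0
}

# Typical use: check_krb_creds "$(klist)" oberon.reed.edu
```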