
Re: openssh + heimdal: real nightmare



On Mon, 26 Jan 2004, David Komanek wrote:

> debug3:  entering: type 38
> debug3:  entering
> Postponed gssapi-with-mic for komanek from xxx.xxx.xxx.xxx port 57360 ssh2
> debug3:  entering: type 39
> debug3:  entering: type 40
> debug3:  entering
> debug3: : checking request 39
> debug1:  Miscellaneous failure (see text)
> Decrypt integrity check failed
>
> debug1: Got no client credentials
> debug3:  entering: type 40
> debug3:  entering
> Failed gssapi-with-mic for komanek from xxx.xxx.xxx.xxx port 57360 ssh2
>
> Time is in sync. Release versions of openssh and heimdal give the same as
> the latest snapshots. ".k5login" exists with correct info. What's wrong ?

What do you need .k5login for? It's only needed if you want to log in as
another user on the remote host.

> I have a few additional questions which answering probably could help me
> to resolve the problem:
>
> 1. In which cases I can get the "Decrypt integrity check failed" message
> from gssapi and where are published hints how to resolve this ?

Maybe the key / key version number doesn't match in the Heimdal database
and /etc/krb5.keytab. Although I believe this would result in another
error message...

> 3. Is there any other possibility get openssh working with heimdal
> than gssapi (krb4 support in openssh was with no gssapi and everything
> worked fine) ?

With older OpenSSH (pre 3.7) releases you were able to get Kerberos5
authentication with ssh protocol 1 only. It has been replaced by gssapi
which only works with protocol 2.

Greetings
Andreas

-- 
| Andreas Haupt                      | E-Mail:  andreas.haupt@desy.de
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7369
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216
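
A check for the key version number mismatch suggested in the reply above, added here as an example and not part of the original message: it lists the kvno of each entry in a keytab so it can be compared with the kvno the KDC holds for the service principal. It assumes the keytab uses the version 0x0502 file layout; the function names, the sample principal and the sample bytes are constructed for illustration.

```python
import struct

def parse_entry(buf):
    """Decode one keytab entry body into (principal, kvno, enctype)."""
    pos = 0
    def take(fmt):
        nonlocal pos
        (val,) = struct.unpack_from(fmt, buf, pos)
        pos += struct.calcsize(fmt)
        return val
    def counted():                  # uint16 length, then that many bytes
        nonlocal pos
        n = take(">H")
        pos += n
        if pos > len(buf):
            raise ValueError("field runs past end of entry")
        return buf[pos - n:pos]
    ncomp = take(">H")
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    pos += 8                        # skip name type and timestamp (uint32 each)
    kvno, enctype = take(">B"), take(">H")
    counted()                       # key bytes: skipped, never returned
    if len(buf) - pos >= 4:         # optional 32-bit kvno replaces the 8-bit one
        kvno = take(">I") or kvno
    return "/".join(comps) + "@" + realm, kvno, enctype

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                # a negative size marks a deleted slot
            entries.append(parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def missing_kvno(entries, principal, kdc_kvno):
    """True when the keytab holds no key at the KDC's current kvno."""
    return kdc_kvno not in {k for p, k, _ in entries if p == principal}

# Constructed sample: one des3-cbc-sha1 (enctype 16) entry, kvno 2, all-zero key.
BODY = (b"\x00\x02\x00\x0bEXAMPLE.ORG\x00\x04host\x00\x12server.example.org"
        b"\x00\x00\x00\x01\x00\x00\x00\x00\x02\x00\x10\x00\x18" + bytes(24) + b"\x00\x00\x00\x02")
SAMPLE = b"\x05\x02" + struct.pack(">i", len(BODY)) + BODY
```

For a real file, pass the bytes of the keytab to `parse_keytab` and supply the kvno that the KDC database shows for the host principal as `kdc_kvno`.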