
Re: openssh + heimdal: real nightmare




Failed gssapi-with-mic for komanek from xxx.xxx.xxx.xxx port 57360 ssh2

Time is in sync. Release versions of openssh and heimdal give the same as
the latest snapshots. ".k5login" exists with correct info. What's wrong?
    

What do you need .k5login for? It's only needed if you want to log in as
another user on the remote host.
On our machines, it is not allowed to log in as root via network directly. I need an ssh passphrase or - more elegant when we have kerberos - .k[5]login

ssh -l komanek host
kinit
ssh -l root hostA
ssh -l root hostB
ssh -l root hostC
....

Worked like a charm with kth-krb4 and older openssh versions. Does not work anymore with heimdal due to the problems with gss api.
I have a few additional questions; answers to them could probably help me
to resolve the problem:

1. In which cases can I get the "Decrypt integrity check failed" message
from gssapi, and where are hints published on how to resolve this?
    

Maybe the key / key version number doesn't match in the Heimdal database
and /etc/krb5.keytab. Although I believe this would result in another
error message...
I do not think this is my problem - I have only one version of the key in the database and the same kvno is stored in the keyfile.
3. Is there any other possibility to get openssh working with heimdal
than gssapi (krb4 support in openssh was with no gssapi and everything
worked fine)?
    

With older OpenSSH (pre 3.7) releases you were able to get Kerberos5
authentication with ssh protocol 1 only. It has been replaced by gssapi
which only works with protocol 2.
Well, I also feel gssapi is the only possibility now, but hoped I had overlooked something.

Thanks.

Sincerely,

  David