Re: heimdal-0.7.1rc2
Hello Love,
thanks for your answer. But I still have some problems in understanding.
On Fri, 12 Aug 2005, Love Hörnquist Åstrand wrote:
>
> Andreas Haupt <ahaupt@ifh.de> writes:
>
>> 2. Did someone manage to get OpenSSH 4.x gssapi-with-mic authentication
>> running when linked against heimdal 0.7x? When linked against heimdal
>> 0.6.x everything runs fine. I did not really look deeply at the code
>> but it seems to me the function gss_verify_mic does not work properly.
>>
>> I also have to mention that heimdal 0.6.x is linked against OpenSSL
>> 0.9.6x and heimdal 0.7 uses OpenSSL 0.9.7 here.
>
> What encryption type do you use for that principal (klist -v will show you)?
>
> If you are using des3-cbc-sha1, you should read the COMPATIBILITY section
> in the gssapi manpage.
Yes, we are using des3-cbc-sha1 for our principals. Our kdc is still
running 0.6.3. On my test host OpenSSH is linked against heimdal 0.7. So
client and server really should use the correct "GSS-API DES3 mic". Or am
I wrong here?
I also tried "broken_des3_mic" and "correct_des3_mic" in krb5.conf on that
test host and even on the kdc. Nothing changed. Only the OpenSSH
error message "GSSAPI MIC check failed" went away when krb5.conf was
configured like the man page told me. So it seems to have an effect.
Is it better to change the principal key completely (e.g. use another
encoding)? Which encoding is the preferred nowadays?
Thanks and greetings
Andreas
PS: I put this answer on the list again as I think others might run into
the same problems.
--
| Andreas Haupt | E-Mail: andreas.haupt@desy.de
| DESY Zeuthen | WWW: http://www.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216