Re: heimdal-0.7.1rc2

Hello again,

unfortunately no one answered my question here. But the problems still 
remain. Even in a complete test environment (kdc version 0.7.1, OpenSSH 
4.2 server and client linked against 0.7.1) gssapi-with-mic authentication 

There aren't any "correct_des3_mic" or "broken_des3_mic" entries in 
krb5.conf needed, are they? It doesn't change the situation anyway.

There aren't any usable debug messages from either the ssh client or the server 
except "Failed gssapi-with-mic for ...".

Did someone get OpenSSH with gssapi-with-mic authentication running using 
Heimdal 0.7x? It's working fine with Heimdal 0.6.


On Fri, 12 Aug 2005, Andreas Haupt wrote:

> Hello Love,
> thanks for your answer. But I still have some problems in understanding.
> On Fri, 12 Aug 2005, Love Hörnquist Åstrand wrote:
>> Andreas Haupt <ahaupt@ifh.de> writes:
>>> 2. Did someone manage to get OpenSSH 4.x gssapi-with-mic authentication
>>>     running when linked against heimdal 0.7x? When linked against heimdal
>>>     0.6.x everything runs fine. I did not really look deeply at the code
>>>     but it seems to me the function gss_verify_mic does not work properly.
>>>     I also have to mention that heimdal 0.6.x is linked against OpenSSL
>>>     0.9.6x and heimdal 0.7 uses OpenSSL 0.9.7 here.
>> What encryption type do you use for that principal (klist -v will show 
>> you)?
>> If you are using des3-cbc-sha1, you should read the COMPATIBILITY section
>> in the gssapi manpage.
> Yes, we are using des3-cbc-sha1 for our principals. Our kdc is still running 
> 0.6.3. On my test host OpenSSH is linked against heimdal 0.7. So client and 
> server really should use the correct "GSS-API DES3 mic". Or am I wrong here?
> I also tried "broken_des3_mic" and "correct_des3_mic" in krb5.conf on that 
> test host and even on the kdc. Nothing changed. Only the OpenSSH error 
> message "GSSAPI MIC check failed" went away when krb5.conf was configured 
> like the man page told me. So it seems to have an effect.
> Is it better to change the principal key completely (e.g. use another 
> encoding)? Which encoding is the preferred nowadays?
> Thanks and greetings
> Andreas
> PS: I put this answer on the list again as I think others might run into
>    the same problems.

| Andreas Haupt                      | E-Mail:  andreas.haupt@desy.de
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7359
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216