Re: heimdal-0.7.1rc2
I can't reproduce your problem, it works just fine with me. Both with the
default values, and "correct_des3_mic = host/*@SU.SE" set.
You are sure you are using triple-des?
Love
Andreas Haupt <ahaupt@ifh.de> writes:
> Hello again,
>
> unfortunately no one answered my question here. But the problems still
> remain. Even in a complete test environment (kdc version 0.7.1,
> OpenSSH 4.2 server and client linked against 0.7.1) gssapi-with-mic
> authentication fails.
>
> There aren't any "correct_des3_mic" or "broken_des3_mic" entries in
> krb5.conf needed, are they? It doesn't change the situation anyway.
>
> There aren't any usable debug messages from both, ssh client and server
> except "Failed gssapi-with-mic for ...".
>
> Did someone get OpenSSH with gssapi-with-mic authentication running
> using Heimdal 0.7x? It's working fine with Heimdal 0.6.
>
> Greetings
> Andreas
>
> On Fri, 12 Aug 2005, Andreas Haupt wrote:
>
>> Hello Love,
>>
>> thanks for your answer. But I still have some problems in understanding.
>>
>> On Fri, 12 Aug 2005, Love Hörnquist Åstrand wrote:
>>
>>> Andreas Haupt <ahaupt@ifh.de> writes:
>>>
>>>> 2. Did someone manage to get OpenSSH 4.x gssapi-with-mic authentication
>>>> running when linked against heimdal 0.7x? When linked against heimdal
>>>> 0.6.x everything runs fine. I did not really look deeply at the code
>>>> but it seems to me the function gss_verify_mic does not work properly.
>>>>
>>>> I also have to mention that heimdal 0.6.x is linked against OpenSSL
>>>> 0.9.6x and heimdal 0.7 uses OpenSSL 0.9.7 here.
>>> What encryption type do you use for that principal (klist -v will
>>> show you)?
>>> If you are using des3-cbc-sha1, you should read the COMPATIBILITY section
>>> in the gssapi manpage.
>>
>> Yes, we are using des3-cbc-sha1 for our principals. Our kdc is still
>> running 0.6.3. On my test host OpenSSH is linked against heimdal
>> 0.7. So client and server really should use the correct "GSS-API
>> DES3 mic". Or am I wrong here?
>>
>> I also tried "broken_des3_mic" and "correct_des3_mic" in krb5.conf
>> on that test host and even on the kdc. Nothing changed. Only the
>> OpenSSH error message "GSSAPI MIC check failed" went away when
>> krb5.conf was configured like the man page told me. So it seems to
>> have an effect.
>>
>> Is it better to change the principal key completely (e.g. use
>> another encoding)? Which encoding is the preferred nowadays?
>>
>> Thanks and greetings
>> Andreas
>>
>> PS: I put this answer on the list again as I think others might run into
>> the same problems.
>>
>>
>
> --
> | Andreas Haupt | E-Mail: andreas.haupt@desy.de
> | DESY Zeuthen | WWW: http://www.desy.de/~ahaupt
> | Platanenallee 6 | Phone: +49/33762/7-7359
> | D-15738 Zeuthen | Fax: +49/33762/7-7216