[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal-0.7.1rc2

I can't reproduce your problem, it works just fine with me. Both with the
default values, and "correct_des3_mic = host/*@SU.SE" set.

You are sure you are using tripple-des ?


Andreas Haupt <ahaupt@ifh.de> writes:

> Hello again,
> unfortunately no one answered my question here. But the problems still
> remain. Even in a complete test environment (kdc version 0.7.1,
> OpenSSH 4.2 server and client linked against 0.7.1) gssapi-with-mic
> authentication fails.
> There aren't any "correct_des3_mic" or "broken_des3_mic" entries in
> krb5.conf needed, are they? It doesn't change the situation anyway.
> There aren't any usable debug message from both, ssh client and server
> except "Failed gssapi-with-mic for ...".
> Did someone get OpenSSH with gssapi-with-mic authentication running
> using Heimdal 0.7x? It's working with fine with Heimdal 0.6.
> Greetings
> Andreas
> On Fri, 12 Aug 2005, Andreas Haupt wrote:
>> Hello Love,
>> thanks for your answer. But I still have some problems in understanding.
>> On Fri, 12 Aug 2005, Love Hörnquist Åstrand wrote:
>>> Andreas Haupt <ahaupt@ifh.de> writes:
>>>> 2. Did someone manage to get OpenSSH 4.x gssapi-with-mic authentication
>>>>     running when linked against heimdal 0.7x? When linked against heimdal
>>>>     0.6.x everything runs fine. I did not really look deeply at the code
>>>>     but it seems to me the function gss_verify_mic does not work properly.
>>>>     I also have to mention that heimdal 0.6.x is linked against OpenSSL
>>>>     0.9.6x and heimdal 0.7 uses OpenSSL 0.9.7 here.
>>> What encryption type do you use for that principal (klist -v will
>>> show you)?
>>> If you are using des3-cbc-sha1, you should read the COMPATIBILITY
>>> section
>>> in the gssapi manpage.
>> Yes, we are using des3-cbc-sha1 for our principals. Our kdc is still
>> running 0.6.3. On my test host OpenSSH is linked against heimdal
>> 0.7. So client and server really should use the correct "GSS-API
>> DES3 mic". Or am I wrong here?
>> I also tried "broken_des3_mic" and "correct_des3_mic" in krb5.conf
>> on that test host and even on the kdc. Nothing changed. Only the
>> OpenSSH error message "GSSAPI MIC check failed" went away when
>> krb5.conf was configured like the man page told me. So it seems to
>> have an effect.
>> Is it better to change the principal key completely (e.g. use
>> another encoding)? Which encoding is the prefered nowadays?
>> Thanks and greetings
>> Andreas
>> PS: I put this answer on the list again as I think others might run into
>>    the same problems.
> -- 
> | Andreas Haupt                      | E-Mail:  andreas.haupt@desy.de
> |  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
> |  Platanenallee 6                   | Phone:   +49/33762/7-7359
> |  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216

PGP signature