Re: heimdal-0.7.1rc2
Hello,
On Mon, 19 Sep 2005, Love Hörnquist Åstrand wrote:
> I can't reproduce your problem, it works just fine with me. Both with the
> default values, and "correct_des3_mic = host/*@SU.SE" set.
Fine. Maybe there's something wrong with my configuration. Here's my
krb5.conf for the test environment:
[libdefaults]
    default_realm = TEST.IFH.DE
    ticket_lifetime = 90000
    renew_lifetime = 2592000
    forwardable = true
[realms]
    TEST.IFH.DE = {
        kdc = pr360.ifh.de
        admin_server = pr360.ifh.de
        default_domain = ifh.de
    }
[domain_realm]
    .ifh.de = TEST.IFH.DE
[kadmin]
    default_keys = v5
[logging]
    kdc = 0-5/SYSLOG:INFO:AUTH
    kpasswdd = 0-1/FILE:/var/adm/log/kpasswdd.log
    default = 0-5/SYSLOG:INFO:USER
KDC, OpenSSH 4.2 server and client are all running on host pr360 using
heimdal 0.7.1.
[pr360] % /opt/products/heimdal/0.7.1/bin/kinit
ahaupt@TEST.IFH.DE's Password:
[pr360] % /opt/products/heimdal/0.7.1/bin/klist -v
Credentials cache: FILE:/tmp/krb5cc_J12248
Principal: ahaupt@TEST.IFH.DE
Cache version: 4
Server: krbtgt/TEST.IFH.DE@TEST.IFH.DE
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Sep 20 12:08:30 2005
End time: Sep 21 13:08:30 2005
Renew till: Oct 20 12:08:30 2005
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:141.34.19.16
[pr360] % /usr/src/packages/BUILD/openssh-4.2p1/ssh -vvv -p1234 pr360
--snip--
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
--snap--
ahaupt@pr360's password:
Here comes the OpenSSH server debug output:
[pr360] ~ # /usr/src/packages/BUILD/openssh-4.2p1/sshd -p1234 -ddd
--snip--
debug1: userauth-request for user ahaupt service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 37
debug3: monitor_read: checking request 37
debug3: mm_request_receive_expect entering: type 38
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 38
debug3: mm_request_receive entering
Postponed gssapi-with-mic for ahaupt from 141.34.19.16 port 36878 ssh2
debug3: mm_request_send entering: type 39
debug3: monitor_read: checking request 39
debug3: mm_request_receive_expect entering: type 40
debug3: mm_request_receive entering
debug1: Received some client credentials
debug3: mm_request_send entering: type 40
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 43
debug3: monitor_read: checking request 43
debug3: mm_request_receive_expect entering: type 44
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 44
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 41
debug3: monitor_read: checking request 41
debug3: mm_request_receive_expect entering: type 42
debug3: mm_request_receive entering
debug3: mm_answer_gss_userok: sending result 0
debug3: mm_request_send entering: type 42
Failed gssapi-with-mic for ahaupt from 141.34.19.16 port 36878 ssh2
debug3: mm_request_receive entering
debug3: mm_ssh_gssapi_userok: user not authenticated
Failed gssapi-with-mic for ahaupt from 141.34.19.16 port 36878 ssh2
debug1: userauth-request for user ahaupt service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for ahaupt from 141.34.19.16 port 36878 ssh2
debug1: userauth-request for user ahaupt service ssh-connection method publickey
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method publickey
--snap--
After that I have a ticket for host/pr360:
[pr360] % /opt/products/heimdal/0.7.1/bin/klist -v
Credentials cache: FILE:/tmp/krb5cc_J12248
Principal: ahaupt@TEST.IFH.DE
Cache version: 4
Server: krbtgt/TEST.IFH.DE@TEST.IFH.DE
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Sep 20 12:08:30 2005
End time: Sep 21 13:08:30 2005
Renew till: Oct 20 12:08:30 2005
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:141.34.19.16
Server: host/pr360.ifh.de@TEST.IFH.DE
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Sep 20 12:08:30 2005
Start time: Sep 20 12:08:58 2005
End time: Sep 21 13:08:30 2005
Ticket flags: transited-policy-checked
Addresses: IPv4:141.34.19.16
In /var/log/messages I just see:
Sep 20 12:10:00 pr360 kdc[17419]: TGS-REQ ahaupt@TEST.IFH.DE from IPv4:141.34.19.16 for krbtgt/TEST.IFH.DE@TEST.IFH.DE [forwarded, forwardable]
Again: if I use a Heimdal 0.6x kdc and link the same ssh source against
this version as well, everything runs fine.
> You are sure you are using triple-des?
The keys are 3des as you can see. How can I verify that a 3des GSSAPI mic
is used?
Thanks and Greetings
Andreas
--
| Andreas Haupt | E-Mail: andreas.haupt@desy.de
| DESY Zeuthen | WWW: http://www.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216