Thread: ssh + kerberos: problems w/ -current to openbsd 4.2 KDC




ssh + kerberos: problems w/ -current to openbsd 4.2 KDC
2007-12-31 14:07:09
have most of the machines here doing ssh authentication via kerberos
against a heimdal KDC running openbsd 4.2-release. the freebsd 7.0beta4
host i recently installed will not allow machines to ssh into it using
kerberos credentials but it (freebsd host) does successfully get and use
tickets from the KDC when

[gssapi]
    correct_des3_mic = host/*MYDOMAIN.COM

is added to /etc/krb5.conf.

nothing notable shows up in the KDC logs and the following appears in
/var/log/auth.log on the freebsd host:

Dec 31 12:46:48 databank1 sshd[24658]: error: ssh_msg_send: write
Dec 31 12:50:14 databank1 sshd[24690]: error: ssh_msg_send: write

the changes made on the freebsd host to accommodate kerberos
authentication were in /etc/ssh/sshd_config and /etc/pam.d/sshd,
respectively:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

auth            sufficient      pam_krb5.so             no_warn try_first_pass
account         required        pam_krb5.so
password        sufficient      pam_krb5.so             no_warn try_first_pass

where the lines in /etc/pam.d/sshd were simply uncommented and in the
original order. debugging outputs from a client trying to ssh into the
freebsd host are not very enlightening:

...
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: publickey
...

any clues as to what needs to be done to get this to work correctly
would be appreciated.

cheers,
jake

-- 


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Re: ssh + kerberos: problems w/ -current to openbsd 4.2 KDC
2007-12-31 17:13:42
On Mon, 2007-12-31 at 14:07 -0600, Jacob Yocom-Piatt wrote:
> have most of the machines here doing ssh authentication via kerberos
> against a heimdal KDC running openbsd 4.2-release.

I have a similar setup here with an OpenBSD 4.2 KDC and a FreeBSD
7.0-BETA2 machine and I remember it being a hassle.  I set this up
a while ago and don't totally remember why everything is set the way it
is without reading man pages again, but it's New Year's Eve here so...
I'll just throw my configuration here at you. ;)

> the freebsd 7.0beta4 host i recently installed will not allow machines
> to ssh into it using kerberos credentials but it (freebsd host) does
> successfully get and use tickets from the KDC when
> 
> [gssapi]
>     correct_des3_mic = host/*MYDOMAIN.COM
> 
> is added to /etc/krb5.conf.
> 

I have the same line above in krb5.conf on the FreeBSD machine with no
[gssapi] section in the krb5.conf on the OpenBSD machine.

> nothing notable shows up in the KDC logs and the following appears in
> /var/log/auth.log on the freebsd host:
> 
> Dec 31 12:46:48 databank1 sshd[24658]: error: ssh_msg_send: write
> Dec 31 12:50:14 databank1 sshd[24690]: error: ssh_msg_send: write
> 
> the changes made on the freebsd host to accommodate kerberos
> authentication were in /etc/ssh/sshd_config and /etc/pam.d/sshd,
> respectively:
> 
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> 


#PasswordAuthentication no
#PermitEmptyPasswords no

ChallengeResponseAuthentication no

#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

#UsePAM yes


> auth            sufficient      pam_krb5.so             no_warn try_first_pass
> account         required        pam_krb5.so
> password        sufficient      pam_krb5.so             no_warn try_first_pass
> 

I never got pam_krb5 to work and was happy enough with sshd's own GSSAPI
stuff so I just stopped trying to figure it out, IIRC.

> where the lines in /etc/pam.d/sshd were simply uncommented and in the
> original order. debugging outputs from a client trying to ssh into the
> freebsd host are not very enlightening:
> 
> ...
> debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
> debug1: Next authentication method: publickey
> ...
> 
> any clues as to what needs to be done to get this to work correctly
> would be appreciated.
> 
> cheers,
> jake
> 
-- 
| tmclaugh at sdf.lonestar.org                 tmclaugh at FreeBSD.org |
| FreeBSD                                       http://www.FreeBSD.org |
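Both posts compare sshd_config and krb5.conf fragments by eye, which is error-prone because sshd honours only the first uncommented occurrence of a keyword (keywords are case-insensitive, and a commented line leaves the compiled-in default in force) while krb5.conf keys only count inside their [section]. The script below is an added example, not code from either poster; the two sample files it writes are constructed to resemble the fragments in this thread.

```shell
#!/bin/sh
# Added example: report the effective Kerberos/GSSAPI settings from an
# sshd_config and check for correct_des3_mic under [gssapi] in krb5.conf.
SSHD_CFG=$(mktemp); KRB5_CFG=$(mktemp)
trap 'rm -f "$SSHD_CFG" "$KRB5_CFG"' EXIT

# Constructed sample sshd_config, modelled on the reply's fragment.
cat > "$SSHD_CFG" <<'EOF'
#KerberosAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
# a later duplicate never overrides the first match above
GSSAPIAuthentication no
#UsePAM yes
EOF

# Constructed sample krb5.conf with the [gssapi] line from the thread.
cat > "$KRB5_CFG" <<'EOF'
[libdefaults]
    default_realm = MYDOMAIN.COM
[gssapi]
    correct_des3_mic = host/*MYDOMAIN.COM
EOF

# Effective value of an sshd_config keyword ($1) in file ($2): first
# uncommented match wins; "unset" means only the default applies.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# "yes" if krb5.conf ($3) sets key ($2) inside [section] ($1), else "no".
krb5_key_in_section() {
    awk -v sect="[$1]" -v key="$2" '
        /^[[:space:]]*\[/ { in_sect = ($1 == sect); next }
        in_sect && $1 == key && $2 == "=" { found = 1; exit }
        END { print (found ? "yes" : "no") }
    ' "$3"
}

kerberos_ssh_report() {
    for k in GSSAPIAuthentication KerberosAuthentication UsePAM; do
        printf '%s=%s\n' "$k" "$(sshd_effective "$k" "$SSHD_CFG")"
    done
    printf 'correct_des3_mic in [gssapi]=%s\n' \
        "$(krb5_key_in_section gssapi correct_des3_mic "$KRB5_CFG")"
}
kerberos_ssh_report
```

Point the two variables at the real /etc/ssh/sshd_config and /etc/krb5.conf to run the same checks on a host.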
