Re: Problems using gssapi authentication from FreeBSD to Linux machines

On Thu, 14 Dec 2006 23:34:17 -0600 Quincey Koziol wrote:

Hi all,
I'm really struggling with getting Kerberos authentication to
work between a FreeBSD host and a Linux host. I'm using the latest
STABLE code on the FreeBSD box, I've got forwardable Kerberos tokens
(verified with "klist -f") and Kerberos and ssh are working fine in
all other ways, but I can't get the Linux box to accept the Kerberos
ticket as authentication from the FreeBSD machine. The Linux box
accepts Kerberos credentials from other Linux machines and I can use
ssh on the FreeBSD machine to connect to itself with Kerberos
credentials (i.e. not required to type my password). This leads me
to believe that either the protocol for forwarding the Kerberos
credentials is different between the two machines or there's another
minor tweak I need to make to the ssh_config file on the FreeBSD
machine. One other difference is that the Linux box is running
OpenSSH 3.9p1 and the FreeBSD box is running OpenSSH 4.5p1.

This difference should not be a problem.

Here's my ssh_config from the FreeBSD machine:

# $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
# $FreeBSD: src/crypto/openssh/ssh_config,v 2006/11/11
00:51:28 des Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP no
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VersionAddendum FreeBSD-20061110

# Add kerberos ticket forwarding
# QAK - 12/13/06
Host *

May be it's paranoid but I prefer to use more strict values here,
i.e. *.my.domain. This may prevent sending my credentials to hosts if
I incidentally misspell a command.

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
# If this option is set to yes then the remote X11 clients will have
full access
# to the local X11 display. As virtually no X11 client supports the
# mode correctly we set this to yes.
ForwardX11Trusted yes

[logs skipped]

The main difference I can see is that the FreeBSD log has this:

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password

And the Linux log has this:

debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).

Any ideas what could be causing the ssh on FreeBSD to "not
send a packet"?

Seems that the Linux host doesn't accept credentials. Do you have an
access to this box? If yes, run sshd with verbose debug ("ddd") at
different port (say, "-p 1000") and then try to connect to this host
via ssh from FreeBSD host. Look at debugging log for the connection
details. HTH

Boris Samorodov (bsam)
Research Engineer, Telephone & Internet SP
FreeBSD committer, The Power To Serve
freebsd-security@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"