Re: GSSAPI MIC check



Simon Wilkinson <simon@xxxxxxxxxx> writes:

On 5 Jul 2007, at 03:47, Fredrik Tolf wrote:


I'm having some trouble SSH:ing from FreeBSD systems to Linux systems
using GSSAPI authentication. The sshd on the server complains with
"GSSAPI MIC check failed".

This is usually a Kerberos library version issue. Which Kerberos
libraries are you using on either side of the connection. If you are
using Heimdal on the FreeBSD side, can you update to a later version?

Yes, you are right. I managed to find it out on my own very
recently. I was going to post back to this list with the solution, but
you replied earlier than that. :)

As it turns out, FreeBSD ships with Heimdal 0.6, and Heimdal versions
*earlier* than that had a broken implementation of the MIC
generation. It is actually fixed in 0.6, but it still ships with the
old, broken version turned on by default, to not break compatibility
with previous installations.

However, it is apparently possible to tell Heimdal 0.6 to use the
correct MIC generation for selected principals. You add something akin
to the following to your /etc/krb5.conf:

[gssapi]
correct_des3_mic = host/*@YOUR.REALM

You can specify multiple "corrent_des3_mic" entries if you want, and
the right side of it is parsed as a normal principal and matched
against the target principal in the normal manner.

I've read that Heimdal 0.7 has correct MIC generation turned on by
default, and if you wish to interoperate with older, broken servers,
you would need to specify "broken_des3_mic" entries for those servers
instead.

I hope this will be useful to someone else. While I've been googling
around for this answer, I appear not to have been alone in my
problems.

Fredrik Tolf



Relevant Pages