ssh + kerberos: problems w/ -current to openbsd 4.2 KDC

Tom McLaughlin tmclaugh at sdf.lonestar.org
Mon Dec 31 15:13:55 PST 2007


On Mon, 2007-12-31 at 14:07 -0600, Jacob Yocom-Piatt wrote:
> have most of the machines here doing ssh authentication via kerberos 
> against a heimdal KDC running openbsd 4.2-release.

I have a similar setup here with an OpenBSD 4.2 KDC and a FreeBSD
7.0-BETA2 machine and I remember it being a hassle.  I set this up
a while ago and don't totally remember why everything is set the way it
is without reading man pages again, but it's New Year's Eve here so...
I'll just throw my configuration here at you. ;)

>  the freebsd 7.0beta4 
> host i recently installed will not allow machines to ssh into it using 
> kerberos credentials but it (freebsd host) does successfully get and use 
> tickets from the KDC when
> 
> [gssapi]
>     correct_des3_mic = host/*@MYDOMAIN.COM
> 
> is added to /etc/krb5.conf.
> 

I have the same line above in krb5.conf on the FreeBSD machine with no
[gssapi] section in the krb5.conf on the OpenBSD machine.

> nothing notable shows up in the KDC logs and the following appears in 
> /var/log/auth.log on the freebsd host:
> 
> Dec 31 12:46:48 databank1 sshd[24658]: error: ssh_msg_send: write
> Dec 31 12:50:14 databank1 sshd[24690]: error: ssh_msg_send: write
> 
> the changes made on the freebsd host to accommodate kerberos 
> authentication were in /etc/ssh/sshd_config and /etc/pam.d/sshd, 
> respectively:
> 
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> 


#PasswordAuthentication no
#PermitEmptyPasswords no

ChallengeResponseAuthentication no

#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

#UsePAM yes


> auth            sufficient      pam_krb5.so             no_warn 
> try_first_pass
> account         required        pam_krb5.so
> password        sufficient      pam_krb5.so             no_warn 
> try_first_pass
> 

I never got pam_krb5 to work and was happy enough with sshd's own GSSAPI
stuff, so I just stopped trying to figure it out, IIRC.

> where the lines in /etc/pam.d/sshd were simply uncommented and in the 
> original order. debugging outputs from a client trying to ssh into the 
> freebsd host are not very enlightening:
> 
> ...
> debug1: Authentications that can continue: 
> publickey,gssapi-with-mic,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Authentications that can continue: 
> publickey,gssapi-with-mic,keyboard-interactive
> debug1: Next authentication method: publickey
> ...
> 
> any clues as to what needs to be done to get this to work correctly 
> would be appreciated.
> 
> cheers,
> jake
> 
-- 
| tmclaugh at sdf.lonestar.org                 tmclaugh at FreeBSD.org |
| FreeBSD                                       http://www.FreeBSD.org |
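Added example, not part of the thread or of any poster's configuration: both messages above compare sshd_config fragments in which some keywords are commented out and others appear more than once, and sshd(8) honours only the first uncommented occurrence of each keyword, so a commented line is just the compiled-in default. The helper below reports the value sshd will actually use for the authentication keywords that matter here, so the two hosts can be compared without guessing. The defaults baked into the script are assumptions about OpenSSH of that era (FreeBSD ships UsePAM yes); the sample config it writes is constructed for the demo, and the diagnostic commands in the trailing comments are the ones a practitioner would run next on the real host.

```shell
#!/bin/sh
# Added example: compute sshd's effective value for a keyword.
# sshd takes the FIRST uncommented occurrence of each keyword; anything else
# falls back to the compiled-in default passed as $3.  Match blocks are not
# modelled (none appear in the configs posted above).

effective_opt() {
    # $1 = path to sshd_config, $2 = keyword, $3 = default if keyword absent
    _val=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }                        # comment: not config
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

gssapi_report() {
    # $1 = path to sshd_config.  Defaults are assumptions for OpenSSH 4.x on
    # FreeBSD (UsePAM defaults to yes there; stock OpenSSH defaults to no).
    for pair in GSSAPIAuthentication:no KerberosAuthentication:no \
                UsePAM:yes ChallengeResponseAuthentication:yes \
                PasswordAuthentication:yes PubkeyAuthentication:yes; do
        key=${pair%%:*}; def=${pair##*:}
        printf '%-32s %s\n' "$key" "$(effective_opt "$1" "$key" "$def")"
    done
}

demo() {
    # Constructed sample resembling the fragments in the thread: commented
    # lines, one duplicated keyword, mixed case.
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
#PasswordAuthentication no
ChallengeResponseAuthentication no
#KerberosAuthentication no
GSSAPIAuthentication yes
gssapiauthentication no
#GSSAPICleanupCredentials yes
#UsePAM yes
EOF
    gssapi_report "$cfg"
    rm -f "$cfg"
}

# Next steps on the real FreeBSD host once the effective settings look right:
#   sshd -d -p 2222                 # one-shot debug sshd on a spare port
#   ssh -vvv -p 2222 -o GSSAPIAuthentication=yes host.example.com
#   ktutil list                     # Heimdal: confirm host/<fqdn>@REALM is in /etc/krb5.keytab
#   klist                           # on the client: a valid TGT for the realm
# A missing or wrongly-named host principal in the keytab is the usual reason
# gssapi-with-mic is offered, attempted, and then silently skipped over.

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh effective_sshd.sh demo` to see the report for the constructed sample; point `gssapi_report` at `/etc/ssh/sshd_config` on each host to compare them. Note that the fragment posted above has `GSSAPIAuthentication yes` uncommented and `UsePAM` commented, so on FreeBSD both end up enabled, while `KerberosAuthentication` stays at its default of `no`: GSSAPI is doing the Kerberos work there, not the older `KerberosAuthentication` password path.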



More information about the freebsd-questions mailing list