FW: GSSAPI oid

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

FW: GSSAPI oid

Wachdorf, Daniel R
I sent this out yesterday but didn't see it show up.  I also added
[hidden email] <mailto:[hidden email]> .  

-dan


_____________________________________________
From: Wachdorf, Daniel R
Sent: Wednesday, June 01, 2005 7:53 AM
To: '[hidden email]'
Cc: Machin, Glenn D
Subject: GSSAPI oid

I have been doing some testing with the SSH implementation on Solaris 10
and when doing gssapi-with-mic (Kerb 5) I keep getting the following
error message:

debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 }
(unsupported)

I see this error when using our implementation of gssapi-with-mic and
also openSSH gssapi-with-mic.

Does anyone here know about the functionality of the gssapi-with-mic
implementation within Solaris 10.  Does it include Kerberos?  Is it just
an OID issue (I believe there used to be a bad OID in the openSSH
patch).

Thanks.

-dan

--------------------------------------
Daniel Wachdorf
[hidden email]
Sandia National Laboratories
Cyber Security Technologies
505-284-8060


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: FW: GSSAPI oid

Nicolas Williams
The "(unsupported)" in the debug message is my fault -- I did not mean
for it to indicate lack of support in the software, but lack of support
due to lack of credentials or lack of support due to lack of software
support.

In this case the message should mean "lack of credentials."

Bad choice of words.

Nico


On Thu, Jun 02, 2005 at 10:46:58AM -0600, Wachdorf, Daniel R wrote:

> I sent this out yesterday but didn't see it show up.  I also added
> [hidden email] <mailto:[hidden email]> .  
>
> -dan
>
>
> _____________________________________________
> From: Wachdorf, Daniel R
> Sent: Wednesday, June 01, 2005 7:53 AM
> To: '[hidden email]'
> Cc: Machin, Glenn D
> Subject: GSSAPI oid
>
> I have been doing some testing with the SSH implementation on Solaris 10
> and when doing gssapi-with-mic (Kerb 5) I keep getting the following
> error message:
>
> debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 }
> (unsupported)
>
> I see this error when using our implementation of gssapi-with-mic and
> also openSSH gssapi-with-mic.
>
> Does anyone here know about the functionality of the gssapi-with-mic
> implementation within Solaris 10.  Does it include Kerberos?  Is it just
> an OID issue (I believe there used to be a bad OID in the openSSH
> patch).
>
> Thanks.
>
> -dan
>
> --------------------------------------
> Daniel Wachdorf
> [hidden email]
> Sandia National Laboratories
> Cyber Security Technologies
> 505-284-8060
>
>
> _______________________________________________
> krbdev mailing list             [hidden email]
> https://mailman.mit.edu/mailman/listinfo/krbdev
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: GSSAPI oid

Wachdorf, Daniel R
It's a problem with the keytab file (and/or krb5.conf) file not being in the
right place?   My guess is it should be /etc/krb5/krb5.conf and
/etc/krb5/krb5.keytab.

-dan


On 6/2/05 12:50 PM, "Nicolas Williams" <[hidden email]> wrote:

> The "(unsupported)" in the debug message is my fault -- I did not mean
> for it to indicate lack of support in the software, but lack of support
> due to lack of credentials or lack of support due to lack of software
> support.
>
> In this case the message should mean "lack of credentials."
>
> Bad choice of words.
>
> Nico
>
>
> On Thu, Jun 02, 2005 at 10:46:58AM -0600, Wachdorf, Daniel R wrote:
>> I sent this out yesterday but didn't see it show up.  I also added
>> [hidden email] <mailto:[hidden email]> .
>>
>> -dan
>>
>>
>> _____________________________________________
>> From: Wachdorf, Daniel R
>> Sent: Wednesday, June 01, 2005 7:53 AM
>> To: '[hidden email]'
>> Cc: Machin, Glenn D
>> Subject: GSSAPI oid
>>
>> I have been doing some testing with the SSH implementation on Solaris 10
>> and when doing gssapi-with-mic (Kerb 5) I keep getting the following
>> error message:
>>
>> debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 }
>> (unsupported)
>>
>> I see this error when using our implementation of gssapi-with-mic and
>> also openSSH gssapi-with-mic.
>>
>> Does anyone here know about the functionality of the gssapi-with-mic
>> implementation within Solaris 10.  Does it include Kerberos?  Is it just
>> an OID issue (I believe there used to be a bad OID in the openSSH
>> patch).
>>
>> Thanks.
>>
>> -dan
>>
>> --------------------------------------
>> Daniel Wachdorf
>> [hidden email]
>> Sandia National Laboratories
>> Cyber Security Technologies
>> 505-284-8060
>>
>>
>> _______________________________________________
>> krbdev mailing list             [hidden email]
>> https://mailman.mit.edu/mailman/listinfo/krbdev
>


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: GSSAPI oid

Nicolas Williams
On Thu, Jun 02, 2005 at 12:54:44PM -0600, Daniel Wachdorf wrote:
> It's a problem with the keytab file (and/or krb5.conf) file not being in the
> right place?   My guess is it should be /etc/krb5/krb5.conf and
> /etc/krb5/krb5.keytab.

Correct.
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: FW: GSSAPI oid

Douglas E. Engert
In reply to this post by Wachdorf, Daniel R
I have the Solaris sshd working with gssapi-with-mic, from
other OpenSSH and PuTTY  and don't get this message.


Wachdorf, Daniel R wrote:

> I sent this out yesterday but didn't see it show up.  I also added
> [hidden email] <mailto:[hidden email]> .  
>
> -dan
>
>
> _____________________________________________
> From: Wachdorf, Daniel R
> Sent: Wednesday, June 01, 2005 7:53 AM
> To: '[hidden email]'
> Cc: Machin, Glenn D
> Subject: GSSAPI oid
>
> I have been doing some testing with the SSH implementation on Solaris 10
> and when doing gssapi-with-mic (Kerb 5) I keep getting the following
> error message:
>
> debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 }
> (unsupported)
>
> I see this error when using our implementation of gssapi-with-mic and
> also openSSH gssapi-with-mic.
>
> Does anyone here know about the functionality of the gssapi-with-mic
> implementation within Solaris 10.  Does it include Kerberos?

Yes it does.
I have the Solaris sshd working with gssapi-with-mic, from
other OpenSSH and PuTTY  and don't get this message.

Do you have the host key file in /etc/krb5/krb5.keytab


> Is it just
> an OID issue (I believe there used to be a bad OID in the openSSH
> patch).
>
> Thanks.
>
> -dan
>
> --------------------------------------
> Daniel Wachdorf
> [hidden email]
> Sandia National Laboratories
> Cyber Security Technologies
> 505-284-8060
>
>
> _______________________________________________
> krbdev mailing list             [hidden email]
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev