heimdal-0.7.1rc2


heimdal-0.7.1rc2

Love Hörnquist Åstrand

Hello

I'm preparing to make a Heimdal-0.7.1 release for early next week. There
will be only bugfixes in this release. If you have found any bugs that you
want to have fixed, now would be a good time to tell us about them
(hopefully with patches :)

A release candidate that will be a release unless I receive comments is here:

ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-0.7.1rc2.tar.gz

Love
Re: heimdal-0.7.1rc2

Andreas Haupt
On Thu, 11 Aug 2005, Love Hörnquist Åstrand wrote:

> Hello

Hello,

> I'm preparing to make a Heimdal-0.7.1 release for early next week. There
> will be only bugfixes in this release. If you have found any bugs that you
> want to have fixed, now would be a good time to tell us about them
> (hopefully with patches :)

I found two things:

1. configure cannot detect OpenSSL 0.9.8. At least openssl/md4.h contains
    a variable of size_t which is defined in stdio.h. But the test program
    does not include stdio.h so the check fails.

2. Did someone manage to get OpenSSH 4.x gssapi-with-mic authentication
    running when linked against heimdal 0.7x? When linked against heimdal
    0.6.x everything runs fine. I did not really look deeply at the code
    but it seems to me the function gss_verify_mic does not work properly.

    I also have to mention that heimdal 0.6.x is linked against OpenSSL
    0.9.6x and heimdal 0.7 uses OpenSSL 0.9.7 here.

Another question: How long will you provide security fixes for the 0.6.x
heimdal branch?

Greetings
Andreas

--
| Andreas Haupt                      | E-Mail:  [hidden email]
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7359
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216

Re: heimdal-0.7.1rc2

Love Hörnquist Åstrand

Andreas Haupt <[hidden email]> writes:

> On Thu, 11 Aug 2005, Love Hörnquist Åstrand wrote:
>
>> Hello
>
> Hello,
>
>> I'm preparing to make a Heimdal-0.7.1 release for early next week. There
>> will be only bugfixes in this release. If you have found any bugs that you
>> want to have fixed, now would be a good time to tell us about them
>> (hopefully with patches :)
>
> I found two things:
>
> 1. configure cannot detect OpenSSL 0.9.8. At least openssl/md4.h contains
>     a variable of size_t which is defined in stdio.h. But the test program
>     does not include stdio.h so the check fails.
Thanks, forgot that delta.

2005-08-12  Love Hörnquist Åstrand  <[hidden email]>

        * crypto.m4: 1.21: Add <sys/types.h>, OpenSSL 0.9.8 needs it for
        size_t.  From: Quanah Gibson-Mount <[hidden email]>

> 2. Did someone manage to get OpenSSH 4.x gssapi-with-mic authentication
>     running when linked against heimdal 0.7x? When linked against heimdal
>     0.6.x everything runs fine. I did not really look deeply at the code
>     but it seems to me the function gss_verify_mic does not work properly.
>
>     I also have to mention that heimdal 0.6.x is linked against OpenSSL
>     0.9.6x and heimdal 0.7 uses OpenSSL 0.9.7 here.

Ok, I'll have a try at that today or later in the weekend then.

> Another question: How long will you provide security fixes for the
> 0.6.x heimdal branch?

I will for sure do it as long as maintained releases of
NetBSD/FreeBSD/OpenBSD include 0.6 derived code.

Love
Re: heimdal-0.7.1rc2

Andreas Haupt
Hello Love,

thanks for your answer. But I still have some problems in understanding.

On Fri, 12 Aug 2005, Love Hörnquist Åstrand wrote:

>
> Andreas Haupt <[hidden email]> writes:
>
>> 2. Did someone manage to get OpenSSH 4.x gssapi-with-mic authentication
>>     running when linked against heimdal 0.7x? When linked against heimdal
>>     0.6.x everything runs fine. I did not really look deeply at the code
>>     but it seems to me the function gss_verify_mic does not work properly.
>>
>>     I also have to mention that heimdal 0.6.x is linked against OpenSSL
>>     0.9.6x and heimdal 0.7 uses OpenSSL 0.9.7 here.
>
> What encryption type do you use for that principal (klist -v will show you)?
>
> If you are using des3-cbc-sha1, you should read the COMPATIBILITY section
> in the gssapi manpage.
Yes, we are using des3-cbc-sha1 for our principals. Our kdc is still
running 0.6.3. On my test host OpenSSH is linked against heimdal 0.7. So
client and server really should use the correct "GSS-API DES3 mic". Or am
I wrong here?

I also tried "broken_des3_mic" and "correct_des3_mic" in krb5.conf on that
test host and even on the kdc. Nothing changed. Only the OpenSSH
error message "GSSAPI MIC check failed" went away when krb5.conf was
configured like the man page told me. So it seems to have an effect.

Is it better to change the principal key completely (e.g. use another
encoding)? Which encoding is the preferred nowadays?

Thanks and greetings
Andreas

PS: I put this answer on the list again as I think others might run into
     the same problems.

--
| Andreas Haupt                      | E-Mail:  [hidden email]
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7359
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216

Re: heimdal-0.7.1rc2 // hoh

Mathias Feiler

Hello list members, hello Love!

|On Thu, 11 Aug 2005, Love Hörnquist Åstrand wrote:
|.....
|will be only bugfixes in this release. If you have found any bugs that you
|want to have fixed, now would be a good time to tell us about them

Now that you encourage me, I'll bring it up.
Using kadmin sometimes surprises me a bit. Since I don't fully understand
the field, I'm in doubt about the things I got and how to weigh them.
Please indulge me in case I'm mistaken.

My context is this (test environment with AFS principals):

   Rh-El3 ( Linux 2.4.21-32.ELsmp i686 )
   Heimdal-0.7-20050719  and  asn1-choice-20050719

   #ps -ef | grep heimdal | cut -c48-
   /sw/i3_rhel3/heimdal-0.7.0/libexec/kdc --kerberos4 --kaserver --detach
   /sw/i3_rhel3/heimdal-0.7.0/libexec/ipropd-master --detach
   /sw/i3_rhel3/heimdal-0.7.0/libexec/kpasswdd -r UNI-HOHENHEIM.DE
   /sw/i3_rhel3/heimdal-0.7.0/libexec/kadmind

This is my point:

  I have a ticket for 'feiler' and 'feiler' is counted in kadmind.acl
  with all rights on all. See this:
  -----------------------8<-----------------------8<----------------
  # klist
  Credentials cache: FILE:/tmp/krb5cc_0
          Principal: [hidden email]

    Issued           Expires          Principal
  Aug 12 11:11:00  Aug 13 12:11:00  krbtgt/[hidden email]
  Aug 12 11:11:00  Aug 13 12:11:00  [hidden email]
  #
  # grep feiler kadmind.acl
  feiler          all
  rzfeiler        all
  #
  -----------------------8<-----------------------8<----------------

  Now I want to list some principals.

  Meanwhile I realized that kadmin silently adds the instance 'admin' if
  the available ticket does not already have one (** see MY NOTE below **).
  So I explicitly define the principal to use :  '-p feiler' .
  This results in getting asked for the passphrase of  'feiler'
  again, even if I hold a valid ticket and token.
  IMHO this is not the 'kerberos' or 'single sign on' way of life.

  -----------------------8<-----------------------8<----------------
  # # kadmin -p feiler  list '*feiler*'
  [hidden email]'s Password:
  feiler
  feilert
  rzfeiler
  -----------------------8<-----------------------8<----------------

  OF COURSE ...
  If on the other hand the '-p feiler' is left out I get asked for the
  password of 'feiler/[hidden email]' which does not exist.


QUESTION:
  Shouldn't kadmin (and maybe others) check the cc and possibly use these
  credentials before asking for a password over and over?



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MY NOTE:

  I fully understand the idea of adding the 'admin' instance to a principal
  w/o any instance in the hope of reducing keystrokes. I hate typing too.
  [ lib/kadm5/ChangeLog: 2002-03-25  Johan Danielsson  <[hidden email]>]

  On the other side I must count it as a formal error if a client tries to
  (unconditionally) work with other (unasked) principals than those I
  have tickets and/or tokens for.

  At first glance I think it could be a good solution to have
  this habit runtime-configurable. Maybe in krb5.conf.
  What I have in mind looks like this:
     -----------------------8<---------------------
     [appdefaults]
        default_admin_instance  = "string"
     -----------------------8<---------------------
  Where "string" could be empty or any valid instance-term.
  If one leaves this line out, "admin" might be the default (as it is now).
  This would make old AFS sites happy as well as other heimdal users.

  Love and the other developers,
  if you agree with this idea, I could have a closer look, try to
  implement it and eventually try to send a patch to you.
  (No promise, I'm new to this.)

  So what do you think?



Sincerely

Mathias Feiler



I am happy to answer any questions, but prefer to be contacted by
telephone (3949 or +49 (0)179 6954907). Thank you.


Respectfully and with kind regards   M.Feiler


----
  Computer viruses are much like various sexually transmitted diseases:
  you usually CATCH them by being too careless and having unprotected
  intercourse.

PGP public key &  Homepage   :  http://www.uni-hohenheim.de/~feiler

Re: heimdal-0.7.1rc2 // hoh

Love Hörnquist Åstrand

Mathias Feiler <[hidden email]> writes:

>   Shouldn't kadmin (and maybe other) check the cc an possibly use this
>   credentials before asking for a password over and over?

kadmind requires initial credentials, so if you don't want to type the
password for each request, you have to get initial tickets before trying.

kinit -S kadmin/[hidden email] -p lha/[hidden email]
kadmin -p lha/admin

>   On the first glance I think it could be a  good solution to have
>   this habit runtime-configurable. Maybe in krb5.conf .
>   What I have in minde looks like this :
>      -----------------------8<---------------------
>      [appdefaults]
>         default_admin_instance  = "string"
>      -----------------------8<---------------------
>   Where "string" could be empty or any valid instance-term.
>   If one leave this line out  "admin" might be the default (as it is now).
>   This would make old AFS-sites happy as well as other heimdal-user.
>
>   Love and the other developper,
>   if You agree with this idea, I coud have a closer look, try to
>   implement it and eventually try to send a patch to You.
>   (No promise, I'm new on this).
>
>   So what do You think?
I understand your problem, but don't really see a clean generic way to do
it; if you find one, I will consider including it.

Love

Re: heimdal-0.7.1rc2 // hoh.2

Mathias Feiler

Hello list members, hello Love!

The context is still the same .

On Fri, 12 Aug 2005, Love Hörnquist Åstrand wrote:
|
|kadmind requires initial credentials, so if you don't want to type the
|password for each request, you have to get initial tickets before trying.
|
|kinit -S kadmin/[hidden email] -p lha/[hidden email]
|kadmin -p lha/admin

Thank you very much for your fast response!
Yes, you are right, for "user/admin" your hint works fine.

But (maybe I'm totally mixed up) I think it is still not perfect
since I can't manage to get the same result w/o the 'admin' instance.

All I want/need is this:
(1) authenticate as a user known to be an AFS admin (and Kerberos admin)
(2) do 'bulk' operations on both the AFS world AND Kerberos.
We need this to set up or remove bundles of users.
The AFS ACLs, the fileserver and the PTS still know the afsadmins, so I
try to adjust the new component 'heimdal' to fit in as a replacement for
KAS.

Here you can see what I got, maybe I have another stupid error:

-----------------------8<-----------------------8<-----------------------
# cat /var/heimdal/kadmind.acl
admin/admin     all
user1/admin     all
feiler          all
rzfeiler        all

# kinit -S kadmin/[hidden email] -p feiler
[hidden email]'s Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: [hidden email]

  Issued           Expires          Principal
Aug 13 00:00:15  Aug 14 01:00:15  kadmin/[hidden email]

# # # No AFS-ticket any more.

# kadmin -p feiler list '*feiler*'
[hidden email]'s Password:
feiler
feilert
rzfeiler

# kadmin  list '*feiler*'
feiler/[hidden email]'s Password:
kadmin: kadm5_get_principals: Client (feiler/[hidden email]) unknown

# kadmin -p feiler
kadmin> list feiler*
[hidden email]'s Password:
feiler
feilert
kadmin> quit
-----------------------8<-----------------------8<-----------------------

As you see, I'm still asked for a password.
Trying it with an instance ('user1/admin') works just fine.

I'm somewhat clueless and would be very pleased if someone could give
me a further hint on my bulk problem.

Thank you!

Re: heimdal-0.7.1rc2

Andreas Haupt
Hello again,

unfortunately no one answered my question here. But the problems still
remain. Even in a complete test environment (kdc version 0.7.1, OpenSSH
4.2 server and client linked against 0.7.1) gssapi-with-mic authentication
fails.

There aren't any "correct_des3_mic" or "broken_des3_mic" entries in
krb5.conf needed, are they? It doesn't change the situation anyway.

There aren't any usable debug messages from both the ssh client and server,
except "Failed gssapi-with-mic for ...".

Did someone get OpenSSH with gssapi-with-mic authentication running using
Heimdal 0.7x? It's working fine with Heimdal 0.6.

Greetings
Andreas

On Fri, 12 Aug 2005, Andreas Haupt wrote:

> Hello Love,
>
> thanks for your answer. But I still have some problems in understanding.
>
> On Fri, 12 Aug 2005, Love Hörnquist Åstrand wrote:
>
>>
>> Andreas Haupt <[hidden email]> writes:
>>
>>> 2. Did someone manage to get OpenSSH 4.x gssapi-with-mic authentication
>>>     running when linked against heimdal 0.7x? When linked against heimdal
>>>     0.6.x everything runs fine. I did not really look deeply at the code
>>>     but it seems to me the function gss_verify_mic does not work properly.
>>>
>>>     I also have to mention that heimdal 0.6.x is linked against OpenSSL
>>>     0.9.6x and heimdal 0.7 uses OpenSSL 0.9.7 here.
>>
>> What encryption type do you use for that principal (klist -v will show
>> you)?
>>
>> If you are using des3-cbc-sha1, you should read the COMPATIBILITY section
>> in the gssapi manpage.
>
> Yes, we are using des3-cbc-sha1 for our principals. Our kdc is still running
> 0.6.3. On my test host OpenSSH is linked against heimdal 0.7. So client and
> server really should use the correct "GSS-API DES3 mic". Or am I wrong here?
>
> I also tried "broken_des3_mic" and "correct_des3_mic" in krb5.conf on that
> test host and even on the kdc. Nothing changed. Only the OpenSSH error
> message "GSSAPI MIC check failed" went away when krb5.conf was configured
> like the man page told me. So it seems to have an effect.
>
> Is it better to change the principal key completely (e.g. use another
> encoding)? Which encoding is the preferred nowadays?
>
> Thanks and greetings
> Andreas
>
> PS: I put this answer on the list again as I think others might run into
>    the same problems.

Re: heimdal-0.7.1rc2

Love Hörnquist Åstrand

I can't reproduce your problem, it works just fine with me. Both with the
default values, and "correct_des3_mic = host/*@SU.SE" set.

You are sure you are using triple-DES?

Love


Andreas Haupt <[hidden email]> writes:

> Hello again,
>
> unfortunately no one answered my question here. But the problems still
> remain. Even in a complete test environment (kdc version 0.7.1,
> OpenSSH 4.2 server and client linked against 0.7.1) gssapi-with-mic
> authentication fails.
>
> There aren't any "correct_des3_mic" or "broken_des3_mic" entries in
> krb5.conf needed, are they? It doesn't change the situation anyway.
>
> There aren't any usable debug messages from both the ssh client and server,
> except "Failed gssapi-with-mic for ...".
>
> Did someone get OpenSSH with gssapi-with-mic authentication running
> using Heimdal 0.7x? It's working fine with Heimdal 0.6.
>
> Greetings
> Andreas
>
> On Fri, 12 Aug 2005, Andreas Haupt wrote:
>
>> Hello Love,
>>
>> thanks for your answer. But I still have some problems in understanding.
>>
>> On Fri, 12 Aug 2005, Love Hörnquist Åstrand wrote:
>>
>>> Andreas Haupt <[hidden email]> writes:
>>>
>>>> 2. Did someone manage to get OpenSSH 4.x gssapi-with-mic authentication
>>>>     running when linked against heimdal 0.7x? When linked against heimdal
>>>>     0.6.x everything runs fine. I did not really look deeply at the code
>>>>     but it seems to me the function gss_verify_mic does not work properly.
>>>>
>>>>     I also have to mention that heimdal 0.6.x is linked against OpenSSL
>>>>     0.9.6x and heimdal 0.7 uses OpenSSL 0.9.7 here.
>>> What encryption type do you use for that principal (klist -v will
>>> show you)?
>>> If you are using des3-cbc-sha1, you should read the COMPATIBILITY
>>> section
>>> in the gssapi manpage.
>>
>> Yes, we are using des3-cbc-sha1 for our principals. Our kdc is still
>> running 0.6.3. On my test host OpenSSH is linked against heimdal
>> 0.7. So client and server really should use the correct "GSS-API
>> DES3 mic". Or am I wrong here?
>>
>> I also tried "broken_des3_mic" and "correct_des3_mic" in krb5.conf
>> on that test host and even on the kdc. Nothing changed. Only the
>> OpenSSH error message "GSSAPI MIC check failed" went away when
>> krb5.conf was configured like the man page told me. So it seems to
>> have an effect.
>>
>> Is it better to change the principal key completely (e.g. use
>> another encoding)? Which encoding is the preferred nowadays?
>>
>> Thanks and greetings
>> Andreas
>>
>> PS: I put this answer on the list again as I think others might run into
>>    the same problems.
>>

Re: heimdal-0.7.1rc2

Andreas Haupt
Hello,

On Mon, 19 Sep 2005, Love Hörnquist Åstrand wrote:

> I can't reproduce your problem, it works just fine with me. Both with the
> default values, and "correct_des3_mic = host/*@SU.SE" set.

Fine. Maybe there's something wrong with my configuration. Here's my
krb5.conf for the test environment:

[libdefaults]
         default_realm = TEST.IFH.DE
         ticket_lifetime = 90000
         renew_lifetime = 2592000
         forwardable = true
[realms]
         TEST.IFH.DE = {
                 kdc = pr360.ifh.de
                 admin_server = pr360.ifh.de
                 default_domain = ifh.de
         }
[domain_realm]
         .ifh.de = TEST.IFH.DE
[kadmin]
         default_keys = v5
[logging]
         kdc = 0-5/SYSLOG:INFO:AUTH
         kpasswdd = 0-1/FILE:/var/adm/log/kpasswdd.log
         default = 0-5/SYSLOG:INFO:USER

KDC, OpenSSH 4.2 server and client are all running on host pr360 using
heimdal 0.7.1.

[pr360] % /opt/products/heimdal/0.7.1/bin/kinit
[hidden email]'s Password:
[pr360] % /opt/products/heimdal/0.7.1/bin/klist -v
Credentials cache: FILE:/tmp/krb5cc_J12248
         Principal: [hidden email]
     Cache version: 4

Server: krbtgt/[hidden email]
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Sep 20 12:08:30 2005
End time:   Sep 21 13:08:30 2005
Renew till: Oct 20 12:08:30 2005
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:141.34.19.16

[pr360] % /usr/src/packages/BUILD/openssh-4.2p1/ssh -vvv -p1234 pr360
--snip--
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password
debug3: start over, passed a different list
publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
--snap--
ahaupt@pr360's password:

Here comes the OpenSSH server debug output:

[pr360] ~ # /usr/src/packages/BUILD/openssh-4.2p1/sshd -p1234 -ddd
--snip--
debug1: userauth-request for user ahaupt service ssh-connection method
gssapi-with-mic
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 37
debug3: monitor_read: checking request 37
debug3: mm_request_receive_expect entering: type 38
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 38
debug3: mm_request_receive entering
Postponed gssapi-with-mic for ahaupt from 141.34.19.16 port 36878 ssh2
debug3: mm_request_send entering: type 39
debug3: monitor_read: checking request 39
debug3: mm_request_receive_expect entering: type 40
debug3: mm_request_receive entering
debug1: Received some client credentials
debug3: mm_request_send entering: type 40
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 43
debug3: monitor_read: checking request 43
debug3: mm_request_receive_expect entering: type 44
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 44
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 41
debug3: monitor_read: checking request 41
debug3: mm_request_receive_expect entering: type 42
debug3: mm_request_receive entering
debug3: mm_answer_gss_userok: sending result 0
debug3: mm_request_send entering: type 42
Failed gssapi-with-mic for ahaupt from 141.34.19.16 port 36878 ssh2
debug3: mm_request_receive entering
debug3: mm_ssh_gssapi_userok: user not authenticated
Failed gssapi-with-mic for ahaupt from 141.34.19.16 port 36878 ssh2
debug1: userauth-request for user ahaupt service ssh-connection method
gssapi-with-mic
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for ahaupt from 141.34.19.16 port 36878 ssh2
debug1: userauth-request for user ahaupt service ssh-connection method
publickey
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method publickey
--snap--

After that I have a ticket for host/pr360:

[pr360] % /opt/products/heimdal/0.7.1/bin/klist -v
Credentials cache: FILE:/tmp/krb5cc_J12248
         Principal: [hidden email]
     Cache version: 4

Server: krbtgt/[hidden email]
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Sep 20 12:08:30 2005
End time:   Sep 21 13:08:30 2005
Renew till: Oct 20 12:08:30 2005
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:141.34.19.16

Server: host/[hidden email]
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Sep 20 12:08:30 2005
Start time: Sep 20 12:08:58 2005
End time:   Sep 21 13:08:30 2005
Ticket flags: transited-policy-checked
Addresses: IPv4:141.34.19.16

In /var/log/messages I just see:

Sep 20 12:10:00 pr360 kdc[17419]: TGS-REQ [hidden email] from
IPv4:141.34.19.16 for krbtgt/[hidden email] [forwarded,
forwardable]

Again: if I use a Heimdal 0.6x kdc and link the same ssh source against
this version as well, everything runs fine.

> You are sure you are using triple-DES?

The keys are 3des as you can see. How can I verify that a 3des GSSAPI mic
is used?

Thanks and Greetings
Andreas

Re: heimdal-0.7.1rc2

Love Hörnquist Åstrand

Andreas Haupt <[hidden email]> writes:

> Hello,
>
> On Mon, 19 Sep 2005, Love Hörnquist Åstrand wrote:
>
>> I can't reproduce your problem, it works just fine with me. Both with the
>> default values, and "correct_des3_mic = host/*@SU.SE" set.
>
> Fine. Maybe there's something wrong with my configuration. Here's my
> krb5.conf for the test environment:

Can you upgrade each component (KDC, ssh, sshd) and see when it breaks ?
Use old ssh and KDC with new sshd, etc.

It would be interesting to find out the real error from sshd, it seems to
occur somewhere in ssh_gssapi_accept_ctx(), can you find out where ?

Love

Re: heimdal-0.7.1rc2

Henry B. Hotz
Ethereal on the KDC and/or the client.

On Sep 20, 2005, at 3:24 AM, Andreas Haupt wrote:

>> You are sure you are using triple-DES?
>
> The keys are 3des as you can see. How can I verify that a 3des GSSAPI  
> mic is used?
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[hidden email], or [hidden email]


Re: heimdal-0.7.1rc2

Andreas Haupt
Hello Love,

On Tue, 20 Sep 2005, Love Hörnquist Åstrand wrote:

> Andreas Haupt <[hidden email]> writes:
>
>> Hello,
>>
>> On Mon, 19 Sep 2005, Love Hörnquist Åstrand wrote:
>>
>>> I can't reproduce your problem, it works just fine with me. Both with the
>>> default values, and "correct_des3_mic = host/*@SU.SE" set.
>>
>> Fine. Maybe there's something wrong with my configuration. Here's my
>> krb5.conf for the test environment:
>
> Can you upgrade each component (KDC, ssh, sshd) and see when it breaks ?
> Use old ssh and KDC with new sshd, etc.
Eureka! My problem is more or less solved. It's just the ssh daemon! In
the file gss-serv-krb5.c, function ssh_gssapi_krb5_userok, it calls the
heimdal lib function krb5_userok. This returns false in heimdal 0.7.1
whereas on heimdal 0.6.3 it returns true.

After reading the man page of krb5_userok I remembered an old .k5login
file in my home directory (it contained a principal that was used during
a cross realm trust test some time ago).

After removing that file everything works fine. Whereas 0.6x did not
care about it, 0.7x does! That's reproducible. If there is a principal
name in it that does not belong to the local realm, even the "normal"
authentication (connection to the same user in the same realm) does not
work any more.

In heimdal's ChangeLog.2004 I found the following entry:

2004-08-19  Johan Danielsson  <[hidden email]>

         * lib/krb5/krb5_kuserok.3: update to reality

         * lib/krb5/kuserok.c: if a .k5login file exist, don't give
         implicit rights to anyone; also check owner/mode of .k5login

My .k5login file was owned by me and had permission 0600. But actually
krb5_userok shouldn't even care about it as my authentication would have
succeeded without it.

Did I find a bug?

Thanks and Greetings
Andreas

Re: heimdal-0.7.1rc2

Brandon S Allbery KF8NH-2

         * lib/krb5/kuserok.c: if a .k5login file exist, don't give
         implicit rights to anyone; also check owner/mode of .k5login

At a guess, the above is your problem:  "implicit rights" to me implies the Kerberos principal corresponding to the account owner, so if you have a .k5login you must now list yourself in it to have permission to authenticate.


Re: heimdal-0.7.1rc2

Andreas Haupt
On Wed, 21 Sep 2005, Brandon S. Allbery KF8NH wrote:

>
>         * lib/krb5/kuserok.c: if a .k5login file exist, don't give
>         implicit rights to anyone; also check owner/mode of .k5login
>
> At a guess, the above is your problem:  "implicit rights" to me implies the Kerberos principal corresponding to the account owner, so if you have a .k5login you must now list yourself in it to have permission to authenticate.

Thanks. That's exactly my problem ;-) I really should improve my English
skills...

Greetings
Andreas
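The authorization rule the thread arrives at (once a .k5login exists, the account owner's own principal is no longer implicitly accepted, and the file's owner and mode are checked) is easy to get wrong when migrating from 0.6.x to 0.7.x, so here it is modelled as a small Python script. This is an added example, not Heimdal's kuserok.c or any code from the thread. It assumes that the implicit mapping is exactly user@default_realm to the local account, that "check owner/mode" means owned by the account and not group- or world-writable, and that .k5login entries are whole lines compared as exact strings; the foreign-realm principal used in the scenario is constructed for the example.

```python
"""Model of the .k5login decision discussed in the heimdal-0.7.1rc2 thread.

Added example (not Heimdal's kuserok.c). It reproduces the behaviour change
described in the quoted 2004-08-19 ChangeLog entry so that the failing
situation (stale .k5login, owner not listed) and the fix (list yourself)
can be compared side by side.
"""
import os
import stat
import tempfile
from pathlib import Path


def kuserok(principal, username, home, default_realm, uid, legacy=False):
    """Decide whether `principal` may log in as local account `username`.

    legacy=True emulates what the thread reports for Heimdal 0.6.x: the
    account owner's own principal is accepted even if .k5login exists.
    legacy=False emulates the 0.7.x rule: once .k5login exists it is the
    only source of authorization, and it must be owned by the account and
    not writable by anyone else.

    Assumptions of this model (not taken from Heimdal's source):
    - the implicit mapping is exactly username@default_realm -> username
    - "check owner/mode" means owner == uid and no group/other write bit
    - .k5login entries are compared as exact strings, one per line;
      surrounding whitespace and blank lines are ignored
    """
    implicit_ok = principal == f"{username}@{default_realm}"
    k5login = Path(home) / ".k5login"

    if not k5login.is_file():
        # No file: only the implicit mapping applies, in both versions.
        return implicit_ok

    if legacy and implicit_ok:
        # 0.6.x-style: a stale .k5login cannot lock the owner out.
        return True

    st = k5login.stat()
    if st.st_uid != uid:
        return False                     # not owned by the account
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False                     # someone else could edit it

    entries = [line.strip() for line in k5login.read_text().splitlines()]
    return principal in [e for e in entries if e]


def reproduce_thread_scenario():
    """Recreate the thread's situation in a temporary home directory and
    return {case: decision}.  The user principal is the one from the
    thread; the foreign-realm entry standing in for the old cross-realm
    test principal is constructed for this example."""
    me = "ahaupt@TEST.IFH.DE"
    stale = "ahaupt@OTHER.EXAMPLE.ORG"   # constructed stand-in
    realm = "TEST.IFH.DE"
    uid = os.getuid()
    out = {}

    with tempfile.TemporaryDirectory() as home:
        k5 = Path(home) / ".k5login"

        # 1. No .k5login: both versions accept the owner's own principal.
        out["no_file"] = kuserok(me, "ahaupt", home, realm, uid)

        # 2. Leftover .k5login listing only the foreign principal.
        k5.write_text(stale + "\n")
        os.chmod(k5, 0o600)
        out["stale_file_0_6"] = kuserok(me, "ahaupt", home, realm, uid, legacy=True)
        out["stale_file_0_7"] = kuserok(me, "ahaupt", home, realm, uid)

        # 3. The fix suggested in the thread: list yourself as well.
        k5.write_text(f"{me}\n{stale}\n")
        out["self_listed"] = kuserok(me, "ahaupt", home, realm, uid)
        # The foreign principal is also admitted now, as intended for cross-realm.
        out["foreign_listed"] = kuserok(stale, "ahaupt", home, realm, uid)

        # 4. Same file, but group/world writable: rejected by the mode check.
        os.chmod(k5, 0o666)
        out["self_listed_loose_mode"] = kuserok(me, "ahaupt", home, realm, uid)

        # 5. Same file, but the account's uid differs from the file owner.
        os.chmod(k5, 0o600)
        out["self_listed_wrong_owner"] = kuserok(me, "ahaupt", home, realm, uid + 1)

    return out


if __name__ == "__main__":
    for case, ok in reproduce_thread_scenario().items():
        print(f"{case:26s} {'ALLOW' if ok else 'DENY'}")
```

The practical check for anyone hitting "Failed gssapi-with-mic" after a Heimdal upgrade is therefore: look for a ~/.k5login on the target account, and if one exists make sure it lists the principal you are authenticating with and is mode 0600 and owned by that account, or delete it if it is a leftover.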