https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186
--- Comment #66 from Cy Schubert ---
(In reply to amendlik from comment #65)
MIT replacement means replace Heimdal with MIT. Due to two factors the effort
to upgrade Heimdal was abandoned in favour of replacing Heimdal with MIT is in
progr
--- Comment #65 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #64)
I'm not sure what you mean by "MIT replacement". My question was referring to
your earlier comments (comment #38, comment #40, comment #54) which stated
--- Comment #64 from Cy Schubert ---
(In reply to amendlik from comment #63)
In my estimation the MIT replacement is ~ 80% complete.
--
You are receiving this mail because:
You are the assignee for the bug.
--- Comment #63 from amend...@gmail.com ---
Any update on updating Heimdal in the base system?
--- Comment #62 from Cy Schubert ---
(In reply to amendlik from comment #60)
The port flags itself as broken when the gssapi option is selected, stating
that the patch is not available.
Applying the patch for 8.9 will fail. Reworking the 8
--- Comment #61 from Cy Schubert ---
(In reply to amendlik from comment #60)
Try it.
--- Comment #60 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #59)
The same patch files are in the current version of that port. Why do you say
they will not apply?
https://cgit.freebsd.org/ports/tree/security/openssh-po
--- Comment #59 from Cy Schubert ---
(In reply to amendlik from comment #58)
That patch only works with OpenSSH 8.9. It will not apply to OpenSSH 9.1.
--- Comment #58 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #57)
Are you saying that your option #2 is not valid, or that I need to test
something different?
There is a GSSAPI patch included in openssh-portable-gssapi
--- Comment #57 from Cy Schubert ---
(In reply to amendlik from comment #56)
Sadly openssh-portable-gssapi is broken because it requires an extra patch
which I think comes from Debian, see the Makefile. Having said that, I don't
see why it
--- Comment #56 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #55)
I believe your suggestion #2 is exactly the configuration I tested. In comment
#51, you said:
can you please install ports/security/openssh-portable
--- Comment #55 from Cy Schubert ---
Another option that I was reluctant to mention at the time but I'll say it
anyway, is: You can export your KDC and reimport using a different algorithm. I
don't know how you feel about this but it is an
--- Comment #54 from Cy Schubert ---
(In reply to amendlik from comment #53)
My hypothesis is confirmed.
My kdc's keys are encrypted using an older algorithm. I had exported the kdc
and imported it using new keys to update it ~ 15 years ag
--- Comment #53 from amend...@gmail.com ---
Did those logs verify your hypothesis of the problem?
--- Comment #52 from amend...@gmail.com ---
Here is the server-side log:
debug2: load_server_config: filename /usr/local/etc/ssh/sshd_config
debug2: load_server_config: done config len = 1008
debug2: parse_server_config_depth: config /usr/l
--- Comment #51 from Cy Schubert ---
can you please install ports/security/openssh-portable@gssapi or pkg install
openssh-portable-gssapi. This uses MIT KRB5 instead of Heimdal and will either
substantiate or disprove my hypothesis.
--- Comment #50 from Cy Schubert ---
(In reply to amendlik from comment #49)
Thanks. I managed to get that far. Have yet to test it on the VMs at $JOB.
I'll be pretty much AFK for the next two weeks with spotty access to a keyboard
during
--- Comment #49 from amend...@gmail.com ---
As I've mentioned several times, I have this entire infrastructure working
perfectly. The only thing I had to do was force FreeIPA to issue type-18
tickets. The only issue I've run into is with the
--- Comment #48 from Cy Schubert ---
(In reply to Michael Osipov from comment #47)
Thanks for this tool. This is certainly an option for FreeBSD users when
joining A/D domains. It is not only a port but a binary package. Many
commercial sit
--- Comment #47 from Michael Osipov ---
(In reply to Cy Schubert from comment #46)
FWIW, you can use msktutil(8) to join Active Directory. It works very well. I
am a co-maintainer of that tool.
--- Comment #46 from Cy Schubert ---
Looking further at FreeIPA, there is no way to use MIT KRB5 kadmin command to
manage or even look at the database because there is no kadmin ACL file.
FreeIPA must be managed through ipa-* commands. I th
--- Comment #45 from Cy Schubert ---
How did you add the FreeBSD servers to the FreeIPA Kerberos realm?
After you added the host principals to the Kerberos realm, did you export
(using xst in kadmin) the principals to keytab files and copy
--- Comment #44 from Cy Schubert ---
(In reply to amendlik from comment #43)
Both.
After installing openssh-portable-gssapi, in rc.conf set:
sshd_program="/usr/local/sbin/sshd"
sshd_flags="-f /usr/local/etc/ssh/sshd_config"
Edit /usr/loc
--- Comment #43 from amend...@gmail.com ---
I have asked the same question 6 times now and still do not have an answer.
(See comment #29, comment #33, comment #35, comment #37, comment #39 and
comment #41) I will try to ask it again because
--- Comment #42 from Cy Schubert ---
(In reply to amendlik from comment #41)
My original plan was to bypass FreeBSD pam_krb5 and use pam_krb5 from ports but
that required the patch. Realizing now that ports/security/openssh-portable
suppor
--- Comment #41 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #40)
Please answer this one question so I know what you are asking me to test:
should I be using GSSAPI or PAM?
If you could also explain why, that would be
--- Comment #40 from Cy Schubert ---
(In reply to amendlik from comment #39)
I haven't reached any conclusions yet. I don't know if FreeBSD Heimdal is at
fault. It could be. Even if it is there is no quick solution. The progress with
the 7
--- Comment #39 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #38)
I never said I couldn't apply a patch, only that I had never done it before. I
also build my own ports, so I'm not sure why it's important that I'm a bin
--- Comment #38 from Cy Schubert ---
(In reply to amendlik from comment #37)
The former.
You don't have the means or ability to apply a patch -- the vast majority of
people don't and I (with 45 years of IT experience I seem to forget this
--- Comment #37 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #36)
I'm trying to get us on the same page in terms of requirements, outcomes, and
test environment. What did you read in my last comment that led you to that
--- Comment #36 from Cy Schubert ---
Then the only option I have is to try and get a copy of FreeIPA, deploy it here
and try to reproduce your problem here. While my MIT KDC built from the port
works and theirs doesn't, I will need to deplo
--- Comment #35 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #34)
We seem to be discussing at least 3 different authentication mechanisms that
could all properly be called "Kerberos authentication":
1) OpenSSH with GSS
Cy Schubert changed:
What|Removed |Added
Status|New |Open
--- Comment #34 from Cy Schuber
--- Comment #33 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #32)
https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
See slide 5.
What configuration should I be using?
--- Comment #32 from Cy Schubert ---
(In reply to amendlik from comment #31)
You are mistaken. When enabled PAM is used for all authentications.
Who told you this falsehood?
--- Comment #31 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #30)
PAM is configured that way, but I later learned that PAM is only used for
Password authentication (see comment #25), so I turned off PAM to avoid
confusi
--- Comment #30 from Cy Schubert ---
(In reply to amendlik from comment #29)
Didn't you say in comment #8 you were using pam_sss?
--- Comment #29 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #28)
As I mentioned earlier, the patch did not seem like it would help in my
environment because I'm using GSSAPI with PAM disabled.
Are you saying that I ne
--- Comment #28 from Cy Schubert ---
(In reply to amendlik from comment #27)
The following will fail:
PubkeyAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
--- Comment #27 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #26)
To keep things simple, I have disabled PAM and all authentication methods
except GSSAPI.
PubkeyAuthentication no
ChallengeResponseAuthentication no
Passw
--- Comment #26 from Cy Schubert ---
(In reply to amendlik from comment #25)
This is likely because of some customization FreeIPA made to their MIT KRB5.
Red Hat does this too.
Rather than give you a precise and factual description of libr
--- Comment #25 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #24)
I've done some reading on the FreeIPA client (which would be the server running
sshd) setup and learned that PAM is only used for password authentication
--- Comment #24 from Cy Schubert ---
(In reply to amendlik from comment #23)
Correct. You misunderstand.
FreeIPA has an MIT KRB5 KDC running on top of Linux O/S.
I am running and have tested on a MIT KRB5 KDC running on a FreeBSD O/S. The
--- Comment #23 from amend...@gmail.com ---
(In reply to Cy Schubert from comment #22)
I'm having some trouble understanding these log messages. Is this from the
client or the server? It seems like you are providing evidence that sshd works
--- Comment #22 from Cy Schubert ---
(In reply to amendlik from comment #21)
debug3: order_hostkeyalgs: have matching best-preference key type
ssh-ed25519-cert-...@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
--- Comment #21 from amend...@gmail.com ---
Can you look at what encryption algorithm is being issued by your MIT KDC? If
it is encryption type 19 or 20, then I would agree that there is some
incompatibility with FreeIPA.
One reason I'm not
--- Comment #20 from Cy Schubert ---
(In reply to amendlik from comment #19)
Correct. This bypasses the GSSAPI code in sshd forcing it to rely on PAM
entirely. I tested this here using my MIT KRB5 using pam_krb5 port
(security/pam_krb5) bui
--- Comment #19 from amend...@gmail.com ---
I see that you're trying to prevent sshd from calling the built-in Heimdal for
an installation that delegates authentication to PAM, but shouldn't it work
that way without changing the compile-time
--- Comment #18 from Cy Schubert ---
Created attachment 238708
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238708&action=edit
Optionalize GSSAPI.
On second thought, try this anyway. FreeBSD sshd hooks into Heimdal regardless
--- Comment #17 from Cy Schubert ---
(In reply to amendlik from comment #16)
It would appear it does not work with Heimdal in FreeBSD (though FreeBSD
heimdal does work with my MIT KRB5 1.20.1 KDC here). This suggests that FreeIPA
is not ful
--- Comment #16 from amend...@gmail.com ---
I'm trying to eliminate version mismatches by logging on to SSH from the same
host, so the client and server are the same system. The only other server
involved is the KDC, which is running Linux a
--- Comment #15 from Cy Schubert ---
(In reply to amendlik from comment #14)
Possibly. Can you post ssh -vvv output, please.
It may be accepting the ticket but refusing to allow the client because one end
or another doesn't support ciphers
--- Comment #14 from amend...@gmail.com ---
I have confirmed that I have the right packages/options to use SSSD with MIT
Kerberos. I also tried configuring pam_krb5 as you suggested, and it had no
effect.
Is it possible that SSH is rejectin
--- Comment #13 from Cy Schubert ---
(In reply to Michael Osipov from comment #12)
He didn't elaborate. Though in the discussion after the session he did say they
wanted to UID-like field in the database (he was probably referring to the SI
--- Comment #12 from Michael Osipov ---
(In reply to Cy Schubert from comment #11)
Thanks for the course in the history. Oh wow, MS did a lot of dick moves. This
being one of them. They have also been deviating the RFCs for Kerberos. E.g.,
--- Comment #11 from Cy Schubert ---
(In reply to Michael Osipov from comment #10)
It does!
I was at LISA 2000 at the Kerberos SIG session. After the session, speaking to
Paul Hill, Project Athena (MIT KRB5) team lead, he was lamenting the
--- Comment #10 from Michael Osipov ---
(In reply to Cy Schubert from comment #9)
I highly doubt that Active Directory has any MIT Kerberos code in it. Do you
know for sure?
--- Comment #9 from Cy Schubert ---
(In reply to amendlik from comment #8)
Probably. I haven't used it with MIT. We use it at $JOB with Active Directory
(which itself is M$'s embraced and extended MIT + LDAP).
--- Comment #8 from amend...@gmail.com ---
I'm using pam_sss.so, rather than pam_krb5.so. Do you know if it's possible to
use MIT Kerberos with SSSD?
--- Comment #7 from Cy Schubert ---
(In reply to Michael Osipov from comment #6)
In that case you would need to xst a new keytab.
--- Comment #6 from Michael Osipov ---
(In reply to amendlik from comment #3)
Please check whether the keytab on the target server supports the encryption:
"klist -k -e" with MIT Kerberos as well. You could also try gss-server and
gss-clien
--- Comment #5 from Cy Schubert ---
(In reply to Cy Schubert from comment #4)
That should be pam_krb5 instead of pam_krbt.
--- Comment #4 from Cy Schubert ---
You can circumvent Heimdal with MIT by pkg install pam_krbt krb5.
Then replace the pam_krb5 lines in /etc/pam.d/sshd with the following:
auth sufficient /usr/local/lib/security/pam_krb5.
--- Comment #3 from amend...@gmail.com ---
The built-in Heimdal klist does not support the `-e` parameter. The MIT package
(security/krb5) does, although it gives an error:
klist: Unknown credential cache type while resolving ccache
Here
Cy Schubert changed:
What|Removed |Added
CC||c...@freebsd.org
--- Comment #2 from
Michael Osipov changed:
What|Removed |Added
CC||michael.osi...@siemens.com
--- Co
Bug ID: 268186
Summary: Kerberos authentication fails with a Linux/FreeIPA KDC
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New