Does OpenSSH+GSSAPI interoperate between Heimdal and MIT?

Sergio Gelato Sergio.Gelato at astro.su.se
Sun Jul 24 20:01:05 EST 2005


* Peter Losher [2005-07-23 19:04:21 -0700]:
> I have a freshly installed FreeBSD 6.0-BETA1 system, which comes with Heimdal 

Which version of Heimdal? 0.6 or 0.7?

With 0.6, there is at least one issue you need to pay attention to, involving
the des3 MIC algorithm. Older Heimdal had an over-the-wire incompatibility 
with MIT. This was fixed in 0.6, but not enabled by default until 0.7; if you
want to enable it, you need to add a

[gssapi]
	correct_des3_mic = *

to your krb5.conf. See the Heimdal documentation for further details, in
particular if you need to talk to pre-0.6 Heimdal. (The * is a regular
expression matching the service principal.)

I'm not sure that this is your problem, but there is a good chance...

> & OpenSSH w/GSSAPI enabled (version 4.1p1 FreeBSD-20050605).  Most of the 
> servers I connect to have OpenSSH w/GSSAPI enabled but they use MIT Kerberos 
> (1.3.x and 1.4.x).  Now, I can use ticket authentication between all systems 
> where the libraries are all the same (Heimdal or MIT), but trying to use, for 
> example, a client built w/ Heimdal and a server that is built w/ MIT, it 
> fails w/ this error:
> 
> -=-
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1:  Miscellaneous failure (see text)
> PROCESS_TGS
> 
> debug1: Trying to start again
> debug2: we did not send a packet, disable method
> -=-
> 
> Has anyone experienced this, and if so, how did they get around it (if they 
> did)?
> 
> Best Wishes - Peter
> -- 
> Peter_Losher at isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"




