Does OpenSSH+GSSAPI interoperate between Heimdal and MIT?

Peter Losher Peter_Losher at isc.org
Tue Jul 26 06:09:29 EST 2005


On Sunday 24 July 2005 03:01 am, Sergio Gelato wrote:
> * Peter Losher [2005-07-23 19:04:21 -0700]:
> > I have a freshly installed FreeBSD 6.0-BETA1 system, which comes with
> > Heimdal
>
> Which version of Heimdal? 0.6 or 0.7?

0.6.3.

> With 0.6, there is at least one issue you need to pay attention to,
> involving the des3 MIC algorithm. Older Heimdal had an over-the-wire
> incompatibility with MIT. This was fixed in 0.6, but not enabled by default
> until 0.7; if you want to enable it, you need to add a
>
> [gssapi]
> 	correct_des3_mic = *
>
> to your krb5.conf. See the Heimdal documentation for further details, in
> particular if you need to talk to pre-0.6 Heimdal. (The * is a regular
> expression matching the service principal.)
>
> I'm not sure that this is your problem, but there is a good chance...

Thanks, with some tweaking (and reading 'man gssapi' on the system) it works:

-=-
[gssapi]
	correct_des3_mic = */*@*
-=-

Thanks for the pointer!

Best Wishes - Peter
-- 
Peter_Losher at isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"