GSSAPI Kerberos Differences between 5.1p1 and 5.2p1?

John Marshall john.marshall at riverwillow.com.au
Fri Oct 2 17:29:29 EST 2009


On Fri, 17 Jul 2009, 16:57 +1000, John Marshall wrote:
> I'm trying to find clues on what may have changed for GSSAPI (Kerberos)
> authentication between OpenSSH 5.1p1 and 5.2p1.  We have been using
> GSSAPI authentication for ssh for about 18 months with no problem with
> the OpenSSH build that is bundled with the FreeBSD operating system.
> All of those machines have OpenSSH 5.1p1.  Last week I upgraded one of
> the servers to FreeBSD 8.0-BETA1 (yes, I know, BETA) which includes
> OpenSSH 5.2p1.
> 
> GSSAPI authentication no longer works properly for access to the OpenSSH
> 5.2p1 server.  I think I've narrowed this down to OpenSSH 5.2p1 because
> if I install the FreeBSD OpenSSH port (5.2p1) on one of our FreeBSD
> 7.2-RELEASE servers, I am seeing the same symptoms.

This turned out to be a gssapi-with-mic compatibility issue between
different versions of Heimdal.  My misplaced implication of OpenSSH
5.2p1 was due to the fact that I had linked it against a newer version
of Heimdal.

-- 
John Marshall


More information about the openssh-unix-dev mailing list