Re: Kerberos

2022-07-29 Thread Predrag Punosevac
On Sat, 30 Jul 2022, Michael Dinon wrote:

> Is it normal to have a Local Kerberos Realm configured on a brand new
> MacBook?

Wrong mailing list! You must have meant to send the question to 
freebsd-questi...@freebsd.org. That is where OS X users congregate.

Cheers,
Predrag



Re: Kerberos SSH routing tables problem

2019-09-06 Thread Stuart Henderson
The __automatic table is created by pfctl's ruleset optimiser, probably 
from $broken.


I suspect this ilauncher program is tripping either sshguard or your 
max-src-conn-rate or max-src-conn rules.



--
Sent from a phone, apologies for poor formatting.

On 6 September 2019 03:57:04 Predrag Punosevac  wrote:


On 2019-08-02, Stuart Henderson wrote:


On 2019-07-29, Predrag Punosevac  wrote:

Hi Misc,


I am using Edgerouter lite as a firewall/DNS caching resolver for one of
our remote locations


ubnt1# uname -mrsv
OpenBSD 6.5 GENERIC.MP#0 octeon


The desktops behind the firewall have to use Kerberised SSH to perform
some work on one of the .mil servers. I opened egress ports kerberos,
klogin, kshell (TCP protocol) as well as kerberos (UDP). After the work is
finished and desktops are "logged out", routing tables (dns) are in a bad
state on the firewall. A simple


pfctl -F all -f /etc/pf.conf


fixes the problem and desktops can again do DNS resolving and surfing
the Internet.


Could somebody give me a head start on how to go about further
troubleshooting and fixing the problem? Obviously flushing states is not very
convenient.


Most Kind Regards,
Predrag Punosevac


Hi Sthen,

I apologize for long silence. I got busy with other stuff and this got
put onto the back burner.


Can you go into some more details about what the "bad state" is?


Please forgive me for repeating some things from my original email. After
rereading it I realized that I sounded like a mentally disturbed
individual.

As I mentioned in my original email, my folks are using Kerberised SSH to
log into some .mil computing nodes. OpenBSD 6.5 release running off an
Edgerouter lite provides a PF/Unbound DNS caching resolver to our office
computers. In order to reach the .mil server I opened a bunch of
kerberos-related ports in the egress direction. Things worked like a charm.
Then one day somebody started complaining that after the Kerberized ssh
session with the .mil server is closed they can no longer connect to the
Internet. The original problem report complained about a non-reachable DNS
resolver on my firewall, but after further investigation I tracked the
problem down to the state of the PF tables.

To make things more convoluted, I discovered that the problem was actually
not caused per se by the Kerberized SSH session but by an ilauncher
session, ilauncher being a .mil homemade application. ilauncher provides a
web interface similar to CUPS (http://localhost:631) which is used to
manage/connect access to a bunch of science-related software packages
(Jupyter Notebooks, RStudio, etc.) in a "user friendly" way. After the
ilauncher session is finished my firewall refuses any network connection
to the workstation from which ilauncher was run. The only remedy is to
clear all tables. Note that I always see that three tables are cleared
when I do

pfctl -F Tables

After that everything works as expected. Right now

ubnt1# pfctl -s Tables

lists no tables while on my home network with similar firewall rules I
see three tables.

minix# pfctl -s Tables
__automatic_1c228804_0
bruteforce
sshguard


This is our office pf.conf file. I am planning to reproduce the problem one
more time, but this time to start flushing tables one by one until I see
which one is related to that ilauncher thing.


ext_if="cnmac0"
int_if="cnmac1"
dmz_if="cnmac2"
lan_net = "{192.168.1.0/24}"

broken = "{224.0.0.22, 127.0.0.0/8, 172.16.0.0/12, \
 10.0.0.0/8,  169.254.0.0/16, 192.0.2.0/24, 192.168.100.0/24 \
   198.51.100.0/24, 203.0.113.0/24, \
   0.0.0.0/8,   240.0.0.0/4, 255.255.255.255/32}"
table  persist
table  persist


tcp_services = "{ssh, submission, imaps, http, https, 30041, 8080, \
   kerberos, klogin, kshell}"
udp_services= "{domain, ntp, kerberos}"


set block-policy return
set limit states 10
set loginterface $ext_if
set optimization normal
set ruleset-optimization basic
set skip on lo
set state-policy floating
set timeout interval 10
set timeout frag 30
set timeout src.track 0
set state-defaults pflow


match in all scrub (no-df max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)


block quick from 
block in quick on $ext_if proto tcp from  \
   to any port ssh label "ssh bruteforce"
antispoof quick for { $int_if $ext_if }


block drop in quick on egress from {$broken, no-route} to any
block drop in quick from urpf-failed to any
block drop in quick on ! lo0 proto tcp to port 6000:6010

block all


pass inet proto icmp all icmp-type { echoreq, unreach }
pass out on $ext_if inet proto udp to any port $udp_services
pass out on $ext_if inet proto tcp to any port $tcp_services

pass log on $ext_if inet proto tcp from any to any port {ssh} \
   flags S/SA keep state \
   (max-src-conn 100, max-src-conn-rate 15/5, \
overload  flush global)

pass inet proto tcp from {$lan_net} to any port $tcp_services
pass inet proto udp from {$lan_net} to any port $udp_services






"routing tables (dns) are in a bad state on the firewall" 
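Stuart's suspicion above is that the ilauncher session trips the source-tracking limits on the ssh rule of the quoted pf.conf. The following is an added Python model (example code written for this page, not pf and not anything posted in the thread) of how max-src-conn, max-src-conn-rate and `overload <table> flush global` behave as documented in pf.conf(5): once a source exceeds 15 new ssh connections in 5 seconds it is added to the overload table and every state it owns is killed, so the host loses its DNS and web states too, not just ssh; and while the address sits in a table that a `block quick from` rule refers to, new connections from it are refused. The table, the workstation address, the timings and the RFC 5737 destination addresses are all constructed; pf's real rate check is a moving average, which the fixed 5-second sliding window here only approximates.

```python
from collections import defaultdict, deque

# Added model (not pf code) of the pf.conf(5) source-tracking options used
# on the ssh rule in the ruleset above:
#   max-src-conn 100          at most 100 concurrent ssh states per source
#   max-src-conn-rate 15/5    at most 15 new ssh connections per 5 seconds
#   overload <table> flush global
#                             the offending source is added to the table and
#                             ALL of its states, from any rule, are killed
# Addresses and timings below are constructed for the example.
SSH_PORT = 22


class OverloadSimulator:
    def __init__(self, max_conn=100, rate=15, interval=5.0):
        self.max_conn = max_conn
        self.rate = rate
        self.interval = interval
        self.table = set()                # contents of the overload table
        self.states = defaultdict(list)   # src -> open states (dst, port), any rule
        self.recent = defaultdict(deque)  # src -> timestamps of new ssh connections
        self.flushed = []                 # (time, src, number of states killed)

    def new_connection(self, t, src, dst, port):
        """Evaluate one new connection; returns 'pass', 'overloaded' or 'blocked'."""
        if src in self.table:
            return "blocked"              # block quick from <table>
        self.states[src].append((dst, port))
        if port != SSH_PORT:
            return "pass"                 # the other pass rules carry no source tracking
        window = self.recent[src]
        while window and t - window[0] >= self.interval:
            window.popleft()              # slide the 5-second window
        window.append(t)
        concurrent = sum(1 for _, p in self.states[src] if p == SSH_PORT)
        if len(window) > self.rate or concurrent > self.max_conn:
            self.table.add(src)
            killed = len(self.states.pop(src))   # flush global: every state of src
            self.recent.pop(src)
            self.flushed.append((t, src, killed))
            return "overloaded"
        return "pass"

    def close_connection(self, src, dst, port):
        """A TCP session closed or its state expired."""
        try:
            self.states[src].remove((dst, port))
        except ValueError:
            pass


def burst_scenario():
    """Workstation with DNS and HTTPS states open, then 16 ssh connects in under 4 s."""
    sim = OverloadSimulator()
    ws = "192.168.1.50"
    sim.new_connection(0.0, ws, "192.0.2.53", 53)
    sim.new_connection(1.0, ws, "198.51.100.10", 443)
    verdicts = [sim.new_connection(10.0 + 0.25 * i, ws, "203.0.113.9", SSH_PORT)
                for i in range(16)]
    later = sim.new_connection(30.0, ws, "192.0.2.53", 53)   # DNS now refused too
    return verdicts, later, sim.flushed, sorted(sim.table)


def steady_scenario():
    """Same rule, 40 ssh connects at one every 0.5 s: never more than 10 per 5 s."""
    sim = OverloadSimulator()
    ws = "192.168.1.51"
    verdicts = {sim.new_connection(0.5 * i, ws, "203.0.113.9", SSH_PORT)
                for i in range(40)}
    return verdicts, sorted(sim.table)


if __name__ == "__main__":
    print(burst_scenario())
    print(steady_scenario())
```

On the firewall itself, `pfctl -t bruteforce -T show` lists what a table currently holds and `pfctl -t bruteforce -T delete 192.168.1.50` removes a single entry, which is a narrower remedy than `pfctl -F Tables` while working out which table the workstation lands in.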

Re: Kerberos SSH routing tables problem

2019-09-05 Thread Predrag Punosevac
On 2019-08-02, Stuart Henderson wrote:

> On 2019-07-29, Predrag Punosevac  wrote:
> > Hi Misc,
> >
> > I am using Edgerouter lite as a firewall/DNS caching resolver for one of
> > our remote locations
> >
> > ubnt1# uname -mrsv
> > OpenBSD 6.5 GENERIC.MP#0 octeon
> >
> > The desktops behind the firewall have to use Kerberised SSH to perform
> > some work on one of the .mil servers. I opened egress ports kerberos,
> > klogin, kshell (TCP protocol) as well as kerberos (UDP). After the work is
> > finished and desktops are "logged out", routing tables (dns) are in a bad
> > state on the firewall. A simple
> >
> > pfctl -F all -f /etc/pf.conf
> >
> > fixes the problem and desktops can again do DNS resolving and surfing
> > the Internet. 
> >
> > Could somebody give me a head start on how to go about further
> > troubleshooting and fixing the problem? Obviously flushing states is not very
> > convenient.
> >
> > Most Kind Regards,
> > Predrag Punosevac
> >
> >
> 

Hi Sthen,

I apologize for long silence. I got busy with other stuff and this got
put onto the back burner. 

> Can you go into some more details about what the "bad state" is?
> 

Please forgive me for repeating some things from my original email. After
rereading it I realized that I sounded like a mentally disturbed
individual.

As I mentioned in my original email, my folks are using Kerberised SSH to
log into some .mil computing nodes. OpenBSD 6.5 release running off an
Edgerouter lite provides a PF/Unbound DNS caching resolver to our office
computers. In order to reach the .mil server I opened a bunch of
kerberos-related ports in the egress direction. Things worked like a charm.
Then one day somebody started complaining that after the Kerberized ssh
session with the .mil server is closed they can no longer connect to the
Internet. The original problem report complained about a non-reachable DNS
resolver on my firewall, but after further investigation I tracked the
problem down to the state of the PF tables.

To make things more convoluted, I discovered that the problem was actually
not caused per se by the Kerberized SSH session but by an ilauncher
session, ilauncher being a .mil homemade application. ilauncher provides a
web interface similar to CUPS (http://localhost:631) which is used to
manage/connect access to a bunch of science-related software packages
(Jupyter Notebooks, RStudio, etc.) in a "user friendly" way. After the
ilauncher session is finished my firewall refuses any network connection
to the workstation from which ilauncher was run. The only remedy is to
clear all tables. Note that I always see that three tables are cleared
when I do

pfctl -F Tables

After that everything works as expected. Right now 

ubnt1# pfctl -s Tables

lists no tables while on my home network with similar firewall rules I
see three tables. 

minix# pfctl -s Tables  
__automatic_1c228804_0
bruteforce
sshguard


This is our office pf.conf file. I am planning to reproduce the problem one
more time, but this time to start flushing tables one by one until I see
which one is related to that ilauncher thing.


ext_if="cnmac0"
int_if="cnmac1"
dmz_if="cnmac2"
lan_net = "{192.168.1.0/24}"

broken = "{224.0.0.22, 127.0.0.0/8, 172.16.0.0/12, \
  10.0.0.0/8,  169.254.0.0/16, 192.0.2.0/24, 192.168.100.0/24 \
198.51.100.0/24, 203.0.113.0/24, \
0.0.0.0/8,   240.0.0.0/4, 255.255.255.255/32}"
table  persist
table  persist


tcp_services = "{ssh, submission, imaps, http, https, 30041, 8080, \
kerberos, klogin, kshell}"
udp_services= "{domain, ntp, kerberos}"


set block-policy return
set limit states 10
set loginterface $ext_if
set optimization normal
set ruleset-optimization basic
set skip on lo
set state-policy floating
set timeout interval 10
set timeout frag 30
set timeout src.track 0
set state-defaults pflow


match in all scrub (no-df max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)


block quick from 
block in quick on $ext_if proto tcp from  \
to any port ssh label "ssh bruteforce"
antispoof quick for { $int_if $ext_if }


block drop in quick on egress from {$broken, no-route} to any
block drop in quick from urpf-failed to any
block drop in quick on ! lo0 proto tcp to port 6000:6010

block all


pass inet proto icmp all icmp-type { echoreq, unreach }
pass out on $ext_if inet proto udp to any port $udp_services
pass out on $ext_if inet proto tcp to any port $tcp_services

pass log on $ext_if inet proto tcp from any to any port {ssh} \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
 overload  flush global)

pass inet proto tcp from {$lan_net} to any port $tcp_services
pass inet proto udp from {$lan_net} to any port $udp_services





> "routing tables (dns) are in a bad state on the firewall" doesn't
> explain much (and doesn't really make sense, dns has nothing to do with
> routing tables..)


I am not much of a network guy but I have seen a fair share of crazy
things. However I am stumped by 

Re: Kerberos SSH routing tables problem

2019-08-02 Thread Stuart Henderson
On 2019-07-29, Predrag Punosevac  wrote:
> Hi Misc,
>
> I am using Edgerouter lite as a firewall/DNS caching resolver for one of
> our remote locations
>
> ubnt1# uname -mrsv
> OpenBSD 6.5 GENERIC.MP#0 octeon
>
> The desktops behind the firewall have to use Kerberised SSH to perform
> some work on one of the .mil servers. I opened egress ports kerberos,
> klogin, kshell (TCP protocol) as well as kerberos (UDP). After the work is
> finished and desktops are "logged out", routing tables (dns) are in a bad
> state on the firewall. A simple
>
> pfctl -F all -f /etc/pf.conf
>
> fixes the problem and desktops can again do DNS resolving and surfing
> the Internet. 
>
> Could somebody give me a head start on how to go about further
> troubleshooting and fixing the problem? Obviously flushing states is not very
> convenient.
>
> Most Kind Regards,
> Predrag Punosevac
>
>

Can you go into some more details about what the "bad state" is?

"routing tables (dns) are in a bad state on the firewall" doesn't
explain much (and doesn't really make sense, dns has nothing to do with
routing tables..)




Re: Kerberos SSH routing tables problem

2019-07-30 Thread Byte Skeptical

Ran into a similar issue on my ERL when I used egress in my pf rules.
Ended up trunking the ethernet ports using aggr(4) and switched to using
that interface in my rules, got failover as a bonus. Still not sure why
egress behaves this way and if it's a bug or my own misunderstanding.
Running OpenBSD 6.5-current (GENERIC.MP). If this doesn't apply to your
situation apologies and disregard.

On Mon, Jul 29, 2019 at 03:05:14PM -0400, Predrag Punosevac wrote:

Hi Misc,

I am using Edgerouter lite as a firewall/DNS caching resolver for one of
our remote locations

ubnt1# uname -mrsv
OpenBSD 6.5 GENERIC.MP#0 octeon

The desktops behind the firewall have to use Kerberised SSH to perform
some work on one of the .mil servers. I opened egress ports kerberos,
klogin, kshell (TCP protocol) as well as kerberos (UDP). After the work is
finished and desktops are "logged out", routing tables (dns) are in a bad
state on the firewall. A simple

pfctl -F all -f /etc/pf.conf

fixes the problem and desktops can again do DNS resolving and surfing
the Internet.

Could somebody give me a head start on how to go about further
troubleshooting and fixing the problem? Obviously flushing states is not very
convenient.

Most Kind Regards,
Predrag Punosevac



--
Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses 
remove it.




Re: kerberos

2015-12-09 Thread Kapetanakis Giannis

On 09/12/15 15:13, Friedrich Locke wrote:

What is/are the alternative(s) for kerberos on openbsd ? (Since it was
removed from the distribution).

Thanks.


Don't know if you can compile it, but the commit-remove msg is an all-time
classic :)


http://marc.info/?l=openbsd-cvs=139816103911227=2

G



Re: kerberos

2015-12-09 Thread Jiri B
On Wed, Dec 09, 2015 at 11:13:40AM -0200, Friedrich Locke wrote:
> What is/are the alternative(s) for kerberos on openbsd ? (Since it was
> removed from the distribution).

I use kerberos from ports every day with FF. Unfortunately
other apps from ports don't have krb flavor so you either
have to recompile it yourself or just live without krb support.

j.



Re: kerberos

2015-12-09 Thread Antoine Jacoutot
On Wed, Dec 09, 2015 at 11:13:40AM -0200, Friedrich Locke wrote:
> What is/are the alternative(s) for kerberos on openbsd ? (Since it was
> removed from the distribution).

It depends on your exact needs, but there's:
ports/security/heimdal
ports/sysutils/login_krb5

-- 
Antoine



Re: kerberos

2015-12-09 Thread Nigel Taylor
On 12/09/15 17:45, Friedrich Locke wrote:
> I am a little outdated, but was heimdal removed from the bsd world or was
> it just moved from the base system to the ports collection ?
> 
> Thanks.
> 
> 
Ports

/usr/ports/security/heimdal



Re: Kerberos disabled in SSH now?

2013-07-30 Thread Stephen Jahl
 Kerberos is disabled per default in SSH now?

 Any plans to enable it again?

I would also like to know about this (was a nasty surprise when I couldn't log 
into work after a snapshot upgrade!).

Are there also plans to remove this from openssh-portable, or is this just 
limited to OpenBSD's ssh?

-Steve



Re: Kerberos URL

2011-05-08 Thread Jason McIntyre
On Sat, May 07, 2011 at 09:28:48PM -0500, Markus Peloquin wrote:
 On Fri, 2011-05-06 at 16:20 +0100, Jason McIntyre wrote:
  On Fri, May 06, 2011 at 09:39:48AM -0500, Vijay Sankar wrote:
   man 8 kerberos has the following URL
   
   http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
   
   It should be http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
   
  
  kerberos docs are maintained by the kerberos (heimdal) project. you
  should check whether their latest source has this problem and send them
  your fix if it does.
  
  jmc
 
 For some reason, OpenBSD is six releases behind on heimdal (0.8,
 1.0, ..., 1.4).  It strikes me as odd, especially when heimdal is using
 a liberal license (unlike gcc which was forked before GPLv4).  Too much
 work to update it at this point?
 

it's simple. someone has to do the work.
jmc



Re: Kerberos URL

2011-05-08 Thread Otto Moerbeek
On Sun, May 08, 2011 at 08:26:04AM +0100, Jason McIntyre wrote:

 On Sat, May 07, 2011 at 09:28:48PM -0500, Markus Peloquin wrote:
  On Fri, 2011-05-06 at 16:20 +0100, Jason McIntyre wrote:
   On Fri, May 06, 2011 at 09:39:48AM -0500, Vijay Sankar wrote:
man 8 kerberos has the following URL

http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

It should be 
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

   
   kerberos docs are maintained by the kerberos (heimdal) project. you
   should check whether their latest source has this problem and send them
   your fix if it does.
   
   jmc
  
  For some reason, OpenBSD is six releases behind on heimdal (0.8,
  1.0, ..., 1.4).  It strikes me as odd, especially when heimdal is using
  a liberal license (unlike gcc which was forked before GPLv4).  Too much
  work to update it at this point?
  
 
 it's simple. someone has to do the work.

Yes indeed. Somebody who feels the need. I know the name of at least
one person. 

-Otto



Re: Kerberos URL

2011-05-08 Thread Stuart Henderson
On 2011-05-08, Jason McIntyre j...@cava.myzen.co.uk wrote:
 On Sat, May 07, 2011 at 09:28:48PM -0500, Markus Peloquin wrote:
 On Fri, 2011-05-06 at 16:20 +0100, Jason McIntyre wrote:
  On Fri, May 06, 2011 at 09:39:48AM -0500, Vijay Sankar wrote:
   man 8 kerberos has the following URL
   
   http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
   
   It should be 
   http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
   
  
  kerberos docs are maintained by the kerberos (heimdal) project. you
  should check whether their latest source has this problem and send them
  your fix if it does.
  
  jmc
 
 For some reason, OpenBSD is six releases behind on heimdal (0.8,
 1.0, ..., 1.4).  It strikes me as odd, especially when heimdal is using
 a liberal license (unlike gcc which was forked before GPLv4).  Too much
 work to update it at this point?
 

 it's simple. someone has to do the work.

note that someone doesn't have to be someone who is already an
OpenBSD developer.



Re: Kerberos URL

2011-05-07 Thread Markus Peloquin
On Fri, 2011-05-06 at 16:20 +0100, Jason McIntyre wrote:
 On Fri, May 06, 2011 at 09:39:48AM -0500, Vijay Sankar wrote:
  man 8 kerberos has the following URL
  
  http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
  
  It should be http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
  
 
 kerberos docs are maintained by the kerberos (heimdal) project. you
 should check whether their latest source has this problem and send them
 your fix if it does.
 
 jmc

For some reason, OpenBSD is six releases behind on heimdal (0.8,
1.0, ..., 1.4).  It strikes me as odd, especially when heimdal is using
a liberal license (unlike gcc which was forked before GPLv4).  Too much
work to update it at this point?

  --- kerberos.8  Mon May  7 13:04:03 2007
  +++ kerberos.8.tmp  Fri May  6 09:37:19 2011
  @@ -73,7 +73,7 @@
   .Pp
   For more information on how Kerberos works, and other general Kerberos
   questions see the Kerberos FAQ at
  -.Pa http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html .
  +.Pa http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html .
   .Pp
   For setup instructions see the Heimdal Texinfo manual.
   .Sh SEE ALSO
  
  
  Vijay Sankar
  vsan...@foretell.ca



Re: Kerberos URL

2011-05-06 Thread Jason McIntyre
On Fri, May 06, 2011 at 09:39:48AM -0500, Vijay Sankar wrote:
 man 8 kerberos has the following URL
 
 http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
 
 It should be http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
 

kerberos docs are maintained by the kerberos (heimdal) project. you
should check whether their latest source has this problem and send them
your fix if it does.

jmc

 --- kerberos.8  Mon May  7 13:04:03 2007
 +++ kerberos.8.tmp  Fri May  6 09:37:19 2011
 @@ -73,7 +73,7 @@
  .Pp
  For more information on how Kerberos works, and other general Kerberos
  questions see the Kerberos FAQ at
 -.Pa http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html .
 +.Pa http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html .
  .Pp
  For setup instructions see the Heimdal Texinfo manual.
  .Sh SEE ALSO
 
 
 Vijay Sankar
 vsan...@foretell.ca



Re: Kerberos: Server not found in database: krbtgt/ualberta...@realm

2010-10-04 Thread Antoine Jacoutot
On Mon, 4 Oct 2010, Clint Pachl wrote:

 In the KDC log file, I get the following errors:
 
 2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for
 afs/ualberta...@mokaz.com
 2010-10-04T02:40:11 Server not found in database: afs/ualberta...@mokaz.com:
 No such entry in the database
 2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for
 krbtgt/ualberta...@mokaz.com
 2010-10-04T02:40:11 Server not found in database:
 krbtgt/ualberta...@mokaz.com: No such entry in the database
 
 
 Why am I getting these errors? Are they compiled in?
 
 How do I quiet this?
 
 For clients, all of my Kerberos settings are in DNS; there is no krb5.conf.
 
 Here is krb5.conf on the Kerberos server:

Try adding the following into your krb5.conf:

[appdefaults]
kinit = {
afslog = no
}

Or comment the entry in /etc/afs/ThisCell.

-- 
Antoine



Re: Kerberos ~/.k5user file

2008-04-08 Thread Janne Johansson
On Mon, 2008-04-07 at 20:48 -0700, Clint Pachl wrote:
 Is the ~/.k5user file supported in OpenBSD's Heimdal implementation? I'm

...

 BTW, what is /root/.klogin? Is it for kerberos 4? It doesn't have a man

Yes, it is (was) for krb4.




Re: kerberos - incorrect net address

2007-07-03 Thread Douglas Maus
My previous message was probably a bit dense, so I'll try my best to get right
to the point.

kerberos kinit was failing, giving me the error incorrect net address
The kdc.log file indicated that the request was coming from ::1 (the IPv6 
loopback,
is that right?)

After much looking, I found that I could get it to succeed with
just one change:
I changed my /etc/hosts file, so it read only:
 10.0.1.202 auth.my.realm auth
 ::1 auth.my.realm auth
(so that 10.0.1.202 was first, instead of ::1)
kinit then succeeded

My questions are:
It works, but I'm betting it's not the 'right thing to do'
so, what is? Where else should I look?

I'm trying to understand how kinit came up with ::1,
so that maybe I can figure out the 'right way to fix it'
(I'm not a developer, but) I'm guessing since kinit needs
to get a default IP address, it first gets a hostname
(maybe gethostbyname() or something like it) and then
does some sort of lookup from hostname to address
(maybe res_query() or something like it)
I'm guessing that the hostname to address is the problem,

would this explain why changing /etc/hosts worked?

Thanks



Re: kerberos - incorrect net address

2007-07-03 Thread Björn Sandell
On Tue, 03 Jul 2007 03:39:51 +
Douglas Maus [EMAIL PROTECTED] wrote:

 Could someone help me understand IP addresses, DNS, and
 Kerberos on OpenBSD?

 I was getting incorrect net address when trying to kinit,
 and I found that switching 2 lines in /etc/hosts
 putting first
  10.0.1.201 auth.my.realm auth
 before
  ::1 auth.my.realm auth
 fixed this, but I don't understand this and I suspect this means
 I'm doing something else wrong.

When kinit asks for a ticket it encodes the host's address in the
request. The KDC then compares the encoded address with the address in
the IP header and if they don't match you'll get this error.

 I started the kdc: # /usr/libexec/kdc 

 but when I tried
  # kinit admin
   or
  # kinit admin --no-address
 I got incorrect net address

Options go before the principal, i.e.

# kinit --no-addresses admin

There are some configuration options that affect this as well; search
krb5.conf(5)

--
Björn Sandell   Chalmers University of Technology
IT Services   www.chalmers.se/its  +46 (0)31 772 1000
No one ever says, 'I can't read that ASCII E-mail you sent me.'
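Björn's explanation above is the mechanism behind the /etc/hosts reordering. As an added illustration (example code written for this page, not Heimdal's code and not from the thread), the following Python models it: the client takes the first address that /etc/hosts maps to its own name, embeds it in the request, and the KDC rejects the request when that address is not the source address of the packet; `--no-addresses` leaves the list empty, so the check is skipped. The hosts file contents, the 10.0.1.202 address and the exact resolution steps are constructed assumptions; a real kinit may gather its addresses differently.

```python
import ipaddress

# Constructed /etc/hosts contents for the two orderings discussed in the thread.
HOSTS_V6_FIRST = """\
::1 auth.my.realm auth
10.0.1.202 auth.my.realm auth
"""
HOSTS_V4_FIRST = """\
10.0.1.202 auth.my.realm auth
::1 auth.my.realm auth
"""
INCORRECT_NET_ADDRESS = "incorrect net address"   # the error string seen by the poster


def first_address(hosts_text, name):
    """Return the first address /etc/hosts maps to name: hosts(5) lookup order matters."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if name in names:
            return ipaddress.ip_address(addr)
    return None


def client_request(hosts_text, hostname, no_addresses=False):
    """Model of kinit: embed the resolved host address unless --no-addresses is given."""
    if no_addresses:
        return []                                  # assumption: no address list at all
    addr = first_address(hosts_text, hostname)
    return [addr] if addr is not None else []


def kdc_check(request_addrs, packet_src):
    """Model of the KDC: an address list in the request must contain the IP-header source."""
    src = ipaddress.ip_address(packet_src)
    if request_addrs and src not in request_addrs:
        return INCORRECT_NET_ADDRESS
    return "ok"


def scenario(hosts_text, no_addresses=False, packet_src="10.0.1.202"):
    """Run one client/KDC exchange for the given /etc/hosts ordering."""
    addrs = client_request(hosts_text, "auth.my.realm", no_addresses)
    return kdc_check(addrs, packet_src)


if __name__ == "__main__":
    print("::1 first      :", scenario(HOSTS_V6_FIRST))
    print("10.0.1.202 first:", scenario(HOSTS_V4_FIRST))
    print("--no-addresses :", scenario(HOSTS_V6_FIRST, no_addresses=True))
```

The model also shows why the reordering is fragile: any resolver that prefers the loopback entry again (a different nsswitch order, a DNS answer that wins over /etc/hosts) reintroduces the mismatch, which is why the `--no-addresses` option and the krb5.conf(5) settings Björn points to are the durable fix.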



Re: Kerberos

2006-07-17 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] 
 you may have to fish online for some of the option 
 descriptions since stuff like
 correct_des3_mic aren't in the manpage for krb5.conf. is 
 there any plan to
 update the manpage with these missing options?

Nope. gssapi(3) has that and more.

DS



Re: Kerberos

2006-07-16 Thread Jacob Yocom-Piatt
 Original message 
Date: Sat, 15 Jul 2006 23:18:53 -0300
From: Gustavo Rios [EMAIL PROTECTED]  
Subject: Kerberos  
To: misc@openbsd.org

Well, here i am again.

I was expecting that the granted ticket always hold the address to
which it is valid. After obtaining a ticket by means of kinit, i got
the following:

$ kinit
[EMAIL PROTECTED]'s Password:
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: [EMAIL PROTECTED]
Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Jul 15 23:11:42 2006
End time:   Jul 16 03:11:42 2006
Renew till: Aug 14 23:11:42 2006
Ticket flags: renewable, initial
Addresses:


just checked this on a local machine and the addresses field is filled out
correctly. the IP also follows the ticket when using a forwardable one (kinit
-f). look at the default krb5.conf that comes with openbsd and add options until
you find which one breaks this.

you may have to fish online for some of the option descriptions since stuff like
correct_des3_mic aren't in the manpage for krb5.conf. is there any plan to
update the manpage with these missing options?

The address information line is empty. I don't understand why!

Here you have my krb5.conf:

insert giant config file



Re: kerberos debugging troubles

2006-07-10 Thread Ryan Corder
On Sun, 2006-07-09 at 18:58 -0500, Jacob Yocom-Piatt wrote:
 any advice would be appreciated. i suspect that this is some issue related to
 the KDC running current and the other machines being on 3.9 release.

this shouldn't matter as the language heimdal speaks is the same,
for the most part as far as I know, across versions.  Thus the reason
you can have MIT and Heimdal servers and clients talk to each other.

when running into problems with SSH, the first culprit I always look for
is to make sure that the clocks on the corresponding hosts are
relatively close.  Heimdal usually allows for a 5 minute difference in
time on the communicating hosts but can be changed with the 'clockskew'
setting in your krb5.conf.

later.
ryanc

-- 
Ryan Corder [EMAIL PROTECTED]
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646



Re: kerberos debugging troubles

2006-07-10 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] 
 the KDC is the only machine on the network that is running 
 current (snap
 upgraded last night), the rest are on 3.9 release. here are 
 the debugging outputs:
 debug1: Next authentication method: gssapi-with-mic
 debug2: we sent a gssapi-with-mic packet, wait for reply
 debug1: Delegating credentials
 debug1: Delegating credentials
 debug1: Authentications that can continue:
 publickey,gssapi-with-mic,password,keyboard-interactive
 
 the ssh -vvv outputs are not that enlightening, syslogging 
 auth.debug doesn't
 show anything extra and it's not clear how to, if possible, 
 turn up the kerberos
 log level.
 
 any advice would be appreciated. i suspect that this is some 
 issue related to
 the KDC running current and the other machines being on 3.9 release.

I ran into similar failures between versions of OpenBSD (KDC running current
and older releases on clients) that I was able to debug down to the level of
detecting an error related to MIC failures. I think I had to bump up
debugging on sshd to get that.

You might try this on the client systems' krb5.conf as it took care of the
problem for me:

[gssapi]
correct_des3_mic = host/[EMAIL PROTECTED]

... or whatever appropriate wildcard you should have.

Assuming this works for you, I'd be interested in knowing what the exact
nature of the problem is, I hate fixing something blindly without knowing
why it's fixed.

DS



Re: kerberos debugging troubles

2006-07-10 Thread Jacob Yocom-Piatt
I ran into similar failures between versions of OpenBSD (KDC running current
and older releases on clients) that I was able to debug down to the level of
detecting an error related to MIC failures. I think I had to bump up
debugging on sshd to get that.


DS,

yah, this appeared in /var/log/authlog for me.

You might try this on the client systems' krb5.conf as it took care of the
problem for me:

[gssapi]
correct_des3_mic = host/[EMAIL PROTECTED]

... or whatever appropriate wildcard you should have.

Assuming this works for you, I'd be interested in knowing what the exact
nature of the problem is, I hate fixing something blindly without knowing
why it's fixed.


this has fixed most of the problems, except i can't ssh out from the KDC using
kerberos auth. messing with broken_des3_mic = host/[EMAIL PROTECTED] will
probably fix that, haven't tried it yet.

i think this reflects that current has heimdal 0.7 and 3.9 release has 0.6. see
http://www.thebestisp.com/man.php/man/gssapi/3 . again, i have not thoroughly
checked this.

thx a bunch,
jake

DS



Re: kerberos debugging troubles

2006-07-10 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED]
 Assuming this works for you, I'd be interested in knowing 
 what the exact
 nature of the problem is, I hate fixing something blindly 
 without knowing
 why it's fixed.
 
 this has fixed most of the problems, except i can't ssh out 
 from the KDC using
 kerberos auth. messing with broken_des3_mic = host/[EMAIL PROTECTED] 
 will probably fix
 that, haven't tried it yet.
 
 i think this reflects that current has heimdal 0.7 and 3.9 
 release has 0.6. see 
 http://www.thebestisp.com/man.php/man/gssapi/3 . again, i 
 have not thoroughly
 checked this.

  To turn on compatibility with older clients and servers,
  change the [gssapi] broken_des3_mic in krb5.conf that
  contains a list of globbing expressions that will be
  matched against the server name. To turn off generation
  of the old (incompatible) mic of the MIC use
  [gssapi]  correct_des3_mic.

So maybe you need 'broken_des3_mic' on the KDC instead of
'correct_des3_mic'.

DS
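The gssapi(3) excerpt quoted above says both [gssapi] options are lists of globbing expressions matched against the server name. The following added Python snippet (not Heimdal's parser, and not from this thread) reads a constructed krb5.conf fragment and reports which of the two lists a given server principal matches, which is the check to make before assuming a host is covered by either setting. The whitespace-separated list syntax, the EXAMPLE.COM realm and the hostnames are assumptions of the example.

```python
import fnmatch

# Constructed krb5.conf fragment in the style of the [gssapi] entries
# discussed in this thread (realm and hostnames are placeholders).
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[gssapi]
    # older peers (heimdal 0.6) get the old MIC, everything else the correct one
    broken_des3_mic = host/old-*.example.com@EXAMPLE.COM
    correct_des3_mic = host/*.example.com@EXAMPLE.COM
"""

DES3_MIC_KEYS = ("broken_des3_mic", "correct_des3_mic")


def parse_sections(text):
    """Minimal krb5.conf reader: {section: {key: [values...]}}.
    Assumption: values are whitespace-separated and repeated keys accumulate."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].setdefault(key, []).extend(value.split())
    return sections


def matching_lists(conf, server_principal):
    """Names of the [gssapi] des3 MIC lists whose globs match server_principal."""
    gssapi = conf.get("gssapi", {})
    matched = []
    for key in DES3_MIC_KEYS:
        if any(fnmatch.fnmatchcase(server_principal, pat) for pat in gssapi.get(key, [])):
            matched.append(key)
    return matched


if __name__ == "__main__":
    conf = parse_sections(KRB5_CONF)
    for principal in ("host/old-kdc.example.com@EXAMPLE.COM",
                      "host/new.example.com@EXAMPLE.COM",
                      "host/x.other.org@OTHER.ORG"):
        print(principal, "->", matching_lists(conf, principal))
```

A principal that matches both lists, as `host/old-kdc.example.com@EXAMPLE.COM` does here, is the case to resolve deliberately: the thread leaves open which setting wins, so keep the globs disjoint rather than relying on precedence.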