https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186
Cy Schubert <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|New |Open --- Comment #34 from Cy Schubert <[email protected]> --- (In reply to amendlik from comment #33) Yes but if you disable GSSAPI in sshd_config and enable PAM, authentication will be by PAM only. You are misreading their slide to infer that this is baked into the code. My patch disables linking of Heimdal libraries into OpenSSH so that it does not interfere with pam_krb5 from ports or any other PAM module that has external references to MIT KRB5 symbols that can be construed (because they have the same names) by the runtime linker to use the Heimdal library references already linked into sshd. Please try the attached patch, disable GSSAPI and Kerberos authentication, enable PAM in sshd_config, and restart sshd. I cannot reproduce your problem here with or without the patch though the patch does allow me to use pam_krb5 from ports instead of pam_krb5 supplied by the base O/S. As you're a binary package user, let's try to avoid rebuilding anything for now. Looking at your ssh -vvv output, I see, debug2: peer server KEXINIT proposal debug2: KEX algorithms: [email protected],diffie-hellman-group-exchange-sha256 debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr The KEX and ciphers I send are: debug2: local client KEXINIT proposal debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 What does your Linux /etc/ssh/ssh_config and your Linux ~/.ssh/config look like? On the Linux machine, what is the output of ssh -V ? At the moment I'm not sure you've diagnosed the problem correctly to suggest it's a Kerberos issue. -- You are receiving this mail because: You are the assignee for the bug.
