Simon Wilkinson <[EMAIL PROTECTED]> writes:

> On 5 Jul 2007, at 03:47, Fredrik Tolf wrote:
>
>> I'm having some trouble SSH:ing from FreeBSD systems to Linux systems
>> using GSSAPI authentication. The sshd on the server complains with
>> "GSSAPI MIC check failed".
>
> This is usually a Kerberos library version issue. Which Kerberos
> libraries are you using on either side of the connection? If you are
> using Heimdal on the FreeBSD side, can you update to a later version?

Yes, you are right. I managed to find it out on my own very recently. I was going to post back to this list with the solution, but you replied earlier than that. :)

As it turns out, FreeBSD ships with Heimdal 0.6, and Heimdal versions *earlier* than that had a broken implementation of the MIC generation. It is actually fixed in 0.6, but it still ships with the old, broken version turned on by default, to not break compatibility with previous installations.

However, it is apparently possible to tell Heimdal 0.6 to use the correct MIC generation for selected principals. You add something akin to the following to your /etc/krb5.conf:

[gssapi]
        correct_des3_mic = host/[EMAIL PROTECTED]

You can specify multiple "correct_des3_mic" entries if you want, and the right side of it is parsed as a normal principal and matched against the target principal in the normal manner.

I've read that Heimdal 0.7 has correct MIC generation turned on by default, and if you wish to interoperate with older, broken servers, you would need to specify "broken_des3_mic" entries for those servers instead.

I hope this will be useful to someone else. While I've been googling around for this answer, I appear not to have been alone in my problems.

Fredrik Tolf
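
An added example, not part of the original post and not Heimdal's own code: a small audit helper that reads the [gssapi] section of a krb5.conf and reports which MIC mode would apply to a given target principal under the defaults described above. The sample file, host names and function names are constructed; exact string comparison stands in for Heimdal's principal matching, and a "correct" entry is assumed to win if a principal is listed under both keys.

```python
import re

# Constructed sample krb5.conf (hosts and realm are placeholders).
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[gssapi]
    # Linux servers that verify the MIC correctly
    correct_des3_mic = host/linux1.example.org@EXAMPLE.ORG
    correct_des3_mic = host/linux2.example.org@EXAMPLE.ORG
    broken_des3_mic = host/old.example.org@EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

def gssapi_mic_entries(conf_text):
    """Collect every correct_des3_mic / broken_des3_mic value in [gssapi]."""
    entries = {"correct_des3_mic": [], "broken_des3_mic": []}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                           # start of a new section
            section = header.group(1).strip()
            continue
        if section == "gssapi" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in entries:               # the key may repeat; keep all
                entries[key].append(value)
    return entries

def mic_mode(conf_text, target, default):
    """Return 'correct' or 'broken' for the target principal.

    default is the library's built-in behaviour as described in the post:
    'broken' for Heimdal 0.6, 'correct' for Heimdal 0.7.
    Assumptions: exact string match; a 'correct' entry takes precedence.
    """
    entries = gssapi_mic_entries(conf_text)
    if target in entries["correct_des3_mic"]:
        return "correct"
    if target in entries["broken_des3_mic"]:
        return "broken"
    return default
```

Running mic_mode over each server a client connects to shows which hosts still fall back to the library default and so need an entry of their own.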
