[Graeme Mathieson <firstname.lastname@example.org>]Interoperability between MIT and Heimdal wrt to MIC verification?
Douglas E. Engert
deengert at anl.gov
Mon Nov 4 16:35:01 EST 2002
Sam Hartman wrote:
> Has anyone here seen any GSSAPI interop problems as described here? I
> believe I may have seen this with ssh before but not with any other
> Nick, was this what you saw with NetBSD?
No, but I have tried the SecureCRT using the MS SSPI to an OpenSSH-3.5p1
on Solaris with krb5-1.2.6 with Simon's patches, and they work fine
together. So I would suspect the Hiemdal MIC routines.
> Subject: Interoperability between MIT and Heimdal wrt to MIC verification?
> Date: Mon, 4 Nov 2002 18:14:17 +0000
> From: Graeme Mathieson <mathie+debian-kerberos at wossname.org.uk>
> To: debian-kerberos at mekinok.com
> I've been having just a little bit of trouble over the past couple of
> days, getting Debian and FreeBSD versions of ssh with Simon's gssapi
> keyexchange patches to work. The boxen all talk fine to their own kind,
> but if I try to use my Kerberos ticket on a Debian box to talk to a
> FreeBSD box (or vice-versa), It bombs out with:
> 19127: Disconnecting: Hash's MIC didn't verify
> (the entire output of `ssh -v heimdallr` from the Debian machine to
> the FreeBSD machine is attached.)
> If I tickle the code in ssh/kexgss.c to decode the major & minor errors
> that Kerberos produces, I get the following extra:
> 26063: debug1: A token had an invalid signature
> 26063: debug1: Sequence number in token is corrupt
> I *think* I've narrowed it down to being an interaction between Heimdal
> and MIT Kerberos -- the FreeBSD openssh is built against heimdal,
> whereas the Debian version is the stock ssh-krb5. If I rebuild ssh-krb5
> against the heimdal libraries, everything works happily.
> I made an attempt to look at the code for both --
> heimdal/lib/gssapi/verify_mic.c:gss_verify_mic() and
> krb5/src/lib/gssapi/krb5/k5unseal.c:kg_unseal() perhaps? -- but got very
> confused. :-)
> It is *always* the MIT Kerberos that fails to verify the MIC, or so it
> looks to me anyway.
> Any idea what's going wrong?
>  Nothing to do with the Kerberos on it... We have 2 machines at
> either end of a VPN: heimdallr and rigr. I gathered heimdallr was
> known as rigr by lesser mortals, so heimdallr got installed here and
> rigr in the other office. :-)
>  Which is doesn't do without a little tantrum of its own...
> Right now, there are scr1pt k1dd13s plotting to DDoS my network, my co-lo
> server is not responding to pings and the people that I IRC with may be
> involved in both. I'm sysadmin Graeme Mathieson and this is the longest
> day of my life. http://www.wossname.org.uk/~mathie/
> Debian-kerberos mailing list
> Debian-kerberos at mekinok.com
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the krbdev