[Graeme Mathieson <mathie+debian-kerberos@wossname.org.uk>] Interoperability between MIT and Heimdal wrt to MIC verification?
Douglas E. Engert
deengert at anl.gov
Mon Nov 4 16:35:01 EST 2002
Sam Hartman wrote:
>
> Has anyone here seen any GSSAPI interop problems as described here? I
> believe I may have seen this with ssh before but not with any other
> applications.
>
> Nick, was this what you saw with NetBSD?
No, but I have tried the SecureCRT using the MS SSPI to an OpenSSH-3.5p1
on Solaris with krb5-1.2.6 with Simon's patches, and they work fine
together. So I would suspect the Heimdal MIC routines.
>
> --------------------------------------------------------------------------------------------
>
> Subject: Interoperability between MIT and Heimdal wrt to MIC verification?
> Date: Mon, 4 Nov 2002 18:14:17 +0000
> From: Graeme Mathieson <mathie+debian-kerberos at wossname.org.uk>
> To: debian-kerberos at mekinok.com
>
> I've been having just a little bit of trouble over the past couple of
> days, getting Debian and FreeBSD versions of ssh with Simon's gssapi
> keyexchange patches to work. The boxen all talk fine to their own kind,
> but if I try to use my Kerberos ticket on a Debian box to talk to a
> FreeBSD box (or vice-versa), it bombs out with:
>
> 19127: Disconnecting: Hash's MIC didn't verify
>
> (the entire output of `ssh -v heimdallr`[1] from the Debian machine to
> the FreeBSD machine is attached.)
>
> If I tickle the code in ssh/kexgss.c to decode the major & minor errors
> that Kerberos produces, I get the following extra:
>
> 26063: debug1: A token had an invalid signature
> 26063: debug1: Sequence number in token is corrupt
>
> I *think* I've narrowed it down to being an interaction between Heimdal
> and MIT Kerberos -- the FreeBSD openssh is built against heimdal,
> whereas the Debian version is the stock ssh-krb5. If I rebuild ssh-krb5
> against the heimdal libraries[2], everything works happily.
>
> I made an attempt to look at the code for both --
> heimdal/lib/gssapi/verify_mic.c:gss_verify_mic() and
> krb5/src/lib/gssapi/krb5/k5unseal.c:kg_unseal() perhaps? -- but got very
> confused. :-)
>
> It is *always* the MIT Kerberos that fails to verify the MIC, or so it
> looks to me anyway.
>
> Any idea what's going wrong?
>
> [1] Nothing to do with the Kerberos on it... We have 2 machines at
> either end of a VPN: heimdallr and rigr. I gathered heimdallr was
> known as rigr by lesser mortals, so heimdallr got installed here and
> rigr in the other office. :-)
> [2] Which it doesn't do without a little tantrum of its own...
> --
> Right now, there are scr1pt k1dd13s plotting to DDoS my network, my co-lo
> server is not responding to pings and the people that I IRC with may be
> involved in both. I'm sysadmin Graeme Mathieson and this is the longest
> day of my life. http://www.wossname.org.uk/~mathie/
> _______________________________________________
> Debian-kerberos mailing list
> Debian-kerberos at mekinok.com
> http://mailman.boxedpenguin.com/mailman/listinfo/debian-kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444