This is the mail archive of the
mailing list for the Cygwin project.
Re: [ITP] heimdal (was: Cygwinports Heimdal for the distro?)
On Mar 18 22:31, Yaakov (Cygwin/X) wrote:
> On Fri, 2012-03-16 at 21:01 +0100, Corinna Vinschen wrote:
> > On Mar 16 14:34, Yaakov (Cygwin/X) wrote:
> > > On 2012-03-16 14:00, Corinna Vinschen wrote:
> > > >I just saw that you have a heimdal package in cygwinports. Do you think
> > > >this package is in good enough shape for the distro? You know, it might be
> > > >a good idea to have a kerberos and gssapi enabled ssh in the distro,
> > > >eventually(*).
> > >
> > > OK, I'm just about finished with my openssl rebuild; I'll work on it
> > > early next week.
> > Thank you!
> Here it is:
> > > >(*) Needless to say that I didn't even try to build ssh against
> > > > heimdal yet. But there is a heimdal option in openssh's
> > > > configury...
> > >
> > > I tried it a while ago and it built just fine.
> > That's a good start. Hopefully it works, too. I'm not exactly a
> > Kerberos guru so I don't know what I have to test.
> A long time ago someone gave me an opportunity to test that self-built
> heimdal/krb5-enabled Cygwin openssh with their server and it worked. I
> have not tested the daemons though.
I already have a strange problem with the client. I enabled
KerberosAuthentication and GSSAPIAuthentication on my Linux server,
which has a /etc/krb5.conf file for authentication against my Windows
domain (for Samba).
Logging in with my Kerberos password is no problem, but that doesn't
test the client at all, only the server. So I tried kinit and then ssh
-K, which enables credential forwarding. IIUC that means the password I
already entered via kinit should be forwarded to the server and I don't
have to enter a password, just as when using pubkey authentication.
However, that doesn't work at all. If I run ssh -Kvvv, I see an error
message like this in the verbose output:
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10
debug2: we sent a gssapi-with-mic packet, wait for reply
I searched for the weird "unknown mech-code" message, but I only see
postings with questions, not with answers :(
Corinna Vinschen
Cygwin Project Co-Leader
Please, send mails regarding Cygwin to cygwin AT cygwin DOT com
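
Added example, not part of the original message and not code from OpenSSH, Heimdal or Cygwin: a small Python triage helper that pulls "unknown mech-code" failures out of `ssh -vvv` output and names the GSSAPI mechanism the OID refers to. The function name `gss_failures` is hypothetical, the OID table holds the standard registrations for these mechanisms (not values from the post), and the sample input is the debug excerpt quoted in the message above.

```python
import re

# Standard GSSAPI mechanism OIDs (well-known registrations, not from the post).
KRB5_OID = "1.2.840.113554.1.2.2"
KNOWN_MECHS = {
    KRB5_OID: "Kerberos 5",
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

METHOD_RE = re.compile(r"^debug1: Next authentication method: (\S+)")
# The failing line prints the mechanism OID as space-separated arcs.
MECH_RE = re.compile(r"unknown mech-code (\d+) for mech ((?:\d+ )*\d+)\s*$")


def gss_failures(log_text):
    """Return one record per 'unknown mech-code' line, tagged with the
    authentication method that was in progress when it was logged."""
    failures = []
    method = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = METHOD_RE.match(line)
        if m:
            method = m.group(1)
            continue
        m = MECH_RE.search(line)
        if m:
            oid = ".".join(m.group(2).split())  # "1 3 6 ..." -> "1.3.6..."
            failures.append({
                "method": method,
                "mech_code": int(m.group(1)),
                "mech_oid": oid,
                "mech_name": KNOWN_MECHS.get(oid, "unrecognized"),
                "is_kerberos": oid == KRB5_OID,
            })
    return failures


# Sample input: the debug lines quoted in the message.
SAMPLE = """\
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10
debug2: we sent a gssapi-with-mic packet, wait for reply
"""

if __name__ == "__main__":
    for f in gss_failures(SAMPLE):
        print(f["method"], f["mech_oid"], f["mech_name"], f["is_kerberos"])
```

On the quoted log this reports that the mechanism named in the failure is NTLMSSP rather than Kerberos 5, which is worth knowing before debugging ticket or keytab issues.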