Unable to delegate credentials from Cygwin ssh client was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"

Nogin, Aleksey anogin@hrl.com
Tue Jun 25 06:25:00 GMT 2013

Jeffrey Altman wrote:

> > I am running Heimdal's kinit (as came with MobaXterm 6.2) under
> > Windows 7 to get a ticket from a Windows AD, and then ssh'ing into RHEL
> > 5 and 6 boxes set up to use pam_krb to authenticate against the same
> > Windows AD.  gssapi-with-mic authentication succeeds, but credential
> > delegation does not, and I see the same "unknown mech-code 2529639054
> > for mech 1 3 6 1 4 1 311 2 2 10" error(**) previously reported. This is
> > an issue in my environment, where Kerberos-secured NFS is used to
> > provide access to home directories.
> >
> > One thing I did notice is that when I ssh into an RHEL box, afterwards
> > kinit on the client (Cygwin) side shows a ticket for the RHEL host (as
> > expected), yet it shows that the ticket lacks the "forwardable" flag,
> > which would probably explain the failure to delegate credentials. So
> > perhaps this is a problem with the SSH client on the Cygwin end ("ssh -
> > V" reports "OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012"), rather than
> > Heimdal's? The libdefaults section in krb5.conf on Cygwin does contain
> > "forwardable = yes" and in contract to how it happens on Cygwin, the
> > Linux->Linux ssh that does delegate credentials correctly also does
> > obtain a forwardable ticket on the client side.
> Going back to the original posting.
> The Heimdal that is being used is MobaXTerm's kinit.
> What Heimdal is it?

"kinit --version" reports "kinit (Heimdal 1.5.2)". That said, things look exactly the same with plain Cygwin (which reports the same version of Heimdal)


> The Heimdal distribution matters because it will determine where the
> krb5.conf configuration file is going to be stored.  If you aren't sure,
> use "SysInternals Process Monitor" to trace the "kinit.exe" process and
> see what files it accesses.

The configuration is stored in /etc/krb5.conf (behavior changes depending on the contents of that(. I am using the exact same krb5.conf that works correctly on RHEL.

> When "kinit" is executed, is the "-f" parameter provided requesting a
> "forwardable" ticket granting ticket?

No, but I have "forwardable = yes" under "[libdefaults]" in krb5.conf. I can run "klist -vvv" and I see that the flags are as follows:

Server: krbtgt/REALM@REALM
Client: anogin@REALM
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless

Server: host/sshserver@REALM
Client: anogin@REALM
Ticket flags: pre-authent
Addresses: addressless

Again, the above is the same with "plain" Cygwin.

More information about the Cygwin mailing list