[OpenAFS] Problem with pam on debian with 1.3.81 kernel 2.6.11

Derek Atkins warlord@MIT.EDU
Fri, 15 Apr 2005 12:38:41 -0400


"Douglas E. Engert" <deengert@anl.gov> writes:

> There is a gssapimitm.patch for OpenSSH-3.8 that will let it
> do both if you set: "GSSAPIEnableMITMAttack yes". It's from March 2004.
>
> So you can interoperate if you update the old server, or add this
> patch as a conversion aid and live with the problem for a while.

Thanks for the pointer.  It turns out that FC3's openssh includes
this patch but does not build with it.  There's one bug in FC3's
version of the patch; I had to change one hunk to get it to apply.

In particular, I needed to add the ' sAcceptEnv,' in the following
two lines of one of the hunks:

-	sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
+	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sGssEnableMITM,
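
Review bot: the '+' line introduces the sGssEnableMITM opcode, but nothing in these two lines shows what the option defaults to. Since the option it backs (GSSAPIEnableMITMAttack) lets the server accept the older exchange as well, confirm the initializer leaves it off and document it as a transition aid only. The '-' context line now requires sAcceptEnv, so it is worth stating in the patch header that this hunk applies only to trees that already carry that opcode.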

With this change the patch applied and I now have FC3 RPMs.
Unfortunately it appears not to be working properly.  It's not
acquiring any tickets on the client and it's not proceeding with the
GSSAPI negotiation.  :(

debug1: Authentications that can continue: external-keyx,gssapi,password
debug3: start over, passed a different list external-keyx,gssapi,password
debug3: preferred gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi
debug1: Next authentication method: gssapi
debug2: we sent a gssapi packet, wait for reply
debug1: Authentications that can continue: external-keyx,gssapi,password
debug2: we sent a gssapi packet, wait for reply
debug1: Authentications that can continue: external-keyx,gssapi,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,keyboard-interactive,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
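
Added example (not part of the original message or of OpenSSH): a small Python summarizer for `ssh -vvv` client output of the shape quoted in the message above. It lists the userauth methods the server offered, flags a server that offers the older `gssapi` method without `gssapi-with-mic`, and notes when a GSSAPI attempt ends in a password fallback. The sample log is constructed from the lines in the message, and all function and variable names are hypothetical.

```python
import re

# Constructed sample: ssh -vvv client output in the shape shown in the message.
SAMPLE = """\
debug1: Authentications that can continue: external-keyx,gssapi,password
debug3: preferred gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi
debug1: Next authentication method: gssapi
debug2: we sent a gssapi packet, wait for reply
debug1: Authentications that can continue: external-keyx,gssapi,password
debug2: we sent a gssapi packet, wait for reply
debug1: Authentications that can continue: external-keyx,gssapi,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
"""

OFFERED = re.compile(r"^debug1: Authentications that can continue: (\S+)")
NEXT = re.compile(r"^debug1: Next authentication method: (\S+)")
SENT = re.compile(r"^debug2: we sent a (\S+) packet, wait for reply")
DISABLED = "debug2: we did not send a packet, disable method"

def analyze(log):
    """Summarize one client-side userauth negotiation (hypothetical helper)."""
    offered, tried, sent, disabled = set(), [], {}, []
    current = None  # method the client is currently attempting
    for line in log.splitlines():
        line = line.strip()
        if m := OFFERED.match(line):
            offered.update(m.group(1).split(","))
        elif m := NEXT.match(line):
            current = m.group(1)
            tried.append(current)
        elif m := SENT.match(line):
            sent[m.group(1)] = sent.get(m.group(1), 0) + 1
        elif line == DISABLED and current:
            disabled.append(current)
    findings = []
    if "gssapi" in offered and "gssapi-with-mic" not in offered:
        findings.append("server offers only legacy 'gssapi' (no MIC)")
    for method in disabled:
        findings.append(f"'{method}' gave up after {sent.get(method, 0)} packet(s)")
    if any(m.startswith("gssapi") for m in tried) and tried[-1] == "password":
        findings.append("GSSAPI failed; client fell back to password")
    return {"offered": sorted(offered), "tried": tried, "findings": findings}

if __name__ == "__main__":
    for finding in analyze(SAMPLE)["findings"]:
        print(finding)
```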