OpenSSH 2.9p2+Kerberos5 on RH7.1 fails

Eric Seppanen eds at reric.net
Thu Jul 26 05:19:46 EST 2001


Problem solved.  Cause: time skew.  Kerberos doesn't work when the two
machines' clocks are off by more than some number (5?) of minutes.

The "kadmin" program can tell when this has happened.  When I tried to
run "kadmin" from the broken machine, it said:
  "kadmin: Clock skew too great in KDC reply while initializing kadmin
  interface"

Neither ssh nor sshd gives any clue what the problem is... I wonder if
it would be possible to detect and report this error on either end?
Somehow I doubt I'll be the last person to forget to make sure ntpd is
running after a reboot.

Eric

On Tue, Jul 24, 2001 at 05:32:33PM -0500, Eric Seppanen wrote:
> I've been installing OpenSSH 2.9p2 onto several RedHat Linux machines,
> after compiling in the GSSAPI/Kerberos5 patch from here:
> http://www.sxw.org.uk/computing/patches/openssh.html
> 
> I've been using ssh both to let users in via passwords and Kerberos
> tickets, and both have been working fine...
> 
> except for one irritating machine, which (for no good reason I can see)
> fails when using Kerberos tickets.  (It works fine when using
> passwords.)  This is a Red Hat 7.1 machine, and the failure is:
> (the user sees:)
>   [eds at ike eds]$ ssh hulk
>   Connection closed by 208.24.105.2
> 
> (the server log reads:)
>   Jul 24 16:37:41 hulk sshd[25687]: fatal: gss_accept_context died
> 
> (if I run sshd -d I see:)
>   Connection from 208.24.105.19 port 2847
>   debug1: Client protocol version 2.0; client software version
>   OpenSSH_2.9p2
>   debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
>   Enabling compatibility mode for protocol 2.0
>   debug1: Local version string SSH-1.99-OpenSSH_2.9p2
>   debug1: Rhosts Authentication disabled, originating port not trusted.
>   debug1: list_hostkey_types: ssh-rsa,ssh-dss
>   debug1: SSH2_MSG_KEXINIT sent
>   debug1: SSH2_MSG_KEXINIT received
>   debug1: kex: client->server aes128-cbc hmac-md5 none
>   debug1: kex: server->client aes128-cbc hmac-md5 none
>   debug1: Wait SSH2_MSG_GSSAPI_INIT
>   debug1: Miscellaneous failure
>   debug1: Unknown code z 0
>   debug1: Got no client credentials
>   gss_accept_context died
>   debug1: Calling cleanup 0x8068fe0(0x0)
> 
> 
> I've built source and binary RPMs.  Anyone interested can find them at
> http://www.reric.net/linux/openssh/
> 
> Anyone have any ideas what's wrong?
> 
> Eric
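
Added example, not part of the original post or of OpenSSH: a check that turns the opaque sshd GSSAPI failure above into a clock-skew diagnosis by computing the local clock offset from an NTP reply. The function names, the sample reply and the second log line are constructed; the 300-second limit is the MIT Kerberos default `clockskew` and is assumed unchanged at the site.

```python
import re
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW = 300               # seconds; MIT Kerberos default "clockskew" (assumed)
# Failure strings as they appear in the sshd output quoted in the post.
GSS_FAILURE = re.compile(r"gss_accept_context died|Got no client credentials")

def sntp_offset(reply, t1, t4):
    """Server-minus-local clock offset in seconds from a 48-byte NTP reply.
    t1/t4 are the local Unix times the request left and the reply arrived."""
    if len(reply) < 48 or reply[0] & 0x07 != 4:   # mode 4 = server
        raise ValueError("not an NTP server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2 = rx_s - NTP_UNIX_DELTA + rx_f / 2**32     # server receive time
    t3 = tx_s - NTP_UNIX_DELTA + tx_f / 2**32     # server transmit time
    return ((t2 - t1) + (t3 - t4)) / 2

def measure(server, timeout=2.0):
    """Live query; `server` should be the time source the KDC follows."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(b"\x23" + 47 * b"\0", (server, 123))  # VN=4, mode 3 (client)
        return sntp_offset(s.recv(512), t1, time.time())

def diagnose(log_lines, offset, max_skew=MAX_SKEW):
    """Return (gss_failure_count, skew_exceeded) for an sshd log excerpt."""
    failures = sum(1 for line in log_lines if GSS_FAILURE.search(line))
    return failures, abs(offset) > max_skew

# Constructed sample: reply from a server whose clock is 420 s ahead of ours.
LOCAL_T = 996000000
_ts = struct.pack("!II", LOCAL_T + 420 + NTP_UNIX_DELTA, 0)
SAMPLE_REPLY = bytes([0x24, 2, 6, 0xEC]) + bytes(12) + _ts * 4
# First line is from the post; the second is constructed.
SAMPLE_LOG = [
    "Jul 24 16:37:41 hulk sshd[25687]: fatal: gss_accept_context died",
    "Jul 24 16:38:02 hulk sshd[25701]: Accepted password for eds",
]

if __name__ == "__main__":
    off = sntp_offset(SAMPLE_REPLY, LOCAL_T, LOCAL_T)
    n, skewed = diagnose(SAMPLE_LOG, off)
    print(f"{n} GSSAPI failure(s), offset {off:+.0f}s, beyond tolerance: {skewed}")
```

Run from cron or a boot-time health check, `measure()` plus `diagnose()` flags the skew before users hit the silent GSSAPI failure.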


