AFS/Kerberos authentication problems on IRIX 6.5.15
David Steiner
david.r.steiner at Dartmouth.EDU
Sat May 4 06:50:02 EST 2002
With a little help, I managed to get ssh to compile (original post
05.02.02). Now I can log in using an account that is local to the
target machine, but logins with AFS accounts fail.
The details:
IRIX 6.5.15
ssh 3.1.p1
gcc 3.0.1
ssl-0.9.6c
zlib-1.1.4.
I am configuring with:
env CC=gcc CFLAGS=-g \
  LDFLAGS=-Wl,-rpath,/usr/local/krb4/lib,-rpath,/usr/local/ssl/lib \
  ./configure --prefix=/usr/etc/ssh --with-afs=/usr/afsws \
  --with-kerberos4=/usr/local/krb4 --sysconfdir=/etc/ssh \
  --with-pid-dir=/var/run --with-ipv4-default \
  --with-default-path=/usr/bin:/bin:/usr/bsd:/usr/sbin:/sbin:/usr/afsws/bin:/usr/local/bin
I also had to remove the first occurrence of '-ldes' from the LIBS in
the makefile.
When trying to log in with an AFS account, the user sees "Permission denied".
Running 'sshd -d' on the server shows that the Kerberos
authentication fails with "Principal unknown" (see debug output
below). I have also attached my sshd_config file.
Any help would be greatly appreciated. TIA
=====Debug output (user names and IPs have been sanitized)=====
debug1: userauth-request for user user1 service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for user1 from 192.xx.xx.xx port 49297 ssh2
debug1: userauth-request for user user1 service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=user1 devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for user1 from 192.xx.xx.xx port 49297 ssh2
debug1: userauth-request for user user1 service ssh-connection method password
debug1: attempt 2 failures 2
kerberos-iv/udp unknown service, using default port 750
debug1: Kerberos v4 password authentication for user1 failed: Principal unknown (kerberos)
debug1: krb4_cleanup_proc called
Failed password for user1 from 192.xx.xx.xx port 49297 ssh2
======sshd_config=========
# $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $
# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/bsd:/usr/sbin:/sbin:/usr/afsws/bin:/usr/local/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication yes
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
# AFSTokenPassing automatically enabled if k_hasafs() is true
AFSTokenPassing yes
# Kerberos TGT Passing only works with the AFS kaserver
KerberosTgtPassing yes
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
KeepAlive yes
UseLogin no
MaxStartups 10
# no default banner path
#Banner /some/path
VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/ssh/libexec/sftp-server
--
David R. Steiner david.r.steiner at dartmouth.edu
UNIX System Manager Phone: 603.646.3127
Dartmouth College Fax: 603.646.1041
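
Added example, not part of the original post and not OpenSSH code: a small Python parser that reduces `sshd -d` output of the shape shown in the post to one record per authentication method, rejoining wrapped lines first. The sample input is abridged from the post's log; the function and field names are assumptions chosen for illustration.

```python
import re

# Sample input: abridged from the post's sanitized `sshd -d` output. The
# mid-record line breaks imitate what mail wrapping does to pasted logs.
SAMPLE = """\
debug1: userauth-request for user user1 service ssh-connection method
none
debug1: attempt 0 failures 0
Failed none for user1 from 192.xx.xx.xx port 49297 ssh2
debug1: userauth-request for user user1 service ssh-connection method
keyboard-interactive
debug1: attempt 1 failures 1
Failed keyboard-interactive for user1 from 192.xx.xx.xx port 49297
ssh2
debug1: userauth-request for user user1 service ssh-connection method
password
debug1: attempt 2 failures 2
kerberos-iv/udp unknown service, using default port 750
debug1: Kerberos v4 password authentication for user1 failed:
Principal unknown (kerberos)
debug1: krb4_cleanup_proc called
Failed password for user1 from 192.xx.xx.xx port 49297 ssh2
"""

# One alternative per record type; after flattening, every gap is one space.
EVENT = re.compile(
    r"userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)"
    r"|(?P<mech>Kerberos v\d) password authentication for \S+ failed: "
    r"(?P<reason>.*?)(?= debug\d+: | Failed | Accepted |$)"
    r"|(?P<result>Failed|Accepted) (?P<rmethod>\S+) for \S+ from (?P<src>\S+) port \d+"
)

def summarize(log_text):
    """Return one dict per userauth-request, in the order sshd logged them."""
    flat = " ".join(log_text.split())  # undo wrapping: records become one stream
    attempts = []
    for m in EVENT.finditer(flat):
        if m["method"]:  # a new userauth-request opens a new attempt
            attempts.append({"user": m["user"], "method": m["method"],
                             "result": None, "reason": None, "source": None})
        elif m["mech"] and attempts:  # backend error belongs to the open attempt
            attempts[-1]["reason"] = m["mech"] + ": " + m["reason"]
        elif m["result"] and attempts and attempts[-1]["method"] == m["rmethod"]:
            attempts[-1].update(result=m["result"], source=m["src"])
    return attempts

if __name__ == "__main__":
    for a in summarize(SAMPLE):
        print("{user:8} {method:22} {result!s:8} {reason}".format(**a))
```
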