OpenSSH/Heimdal/MIT KDC problem/question
Sergio Gelato
Sergio.Gelato at astro.su.se
Tue Oct 26 23:23:04 EST 2004
* Robert Banz [2004-10-25 12:42:30 -0400]:
> I'm running OpenSSH 3.8 & 3.9, compiled against Heimdal 0.6.3 for it's
> GSSAPI & AFS integration.
>
> A couple weeks ago, we upgraded our MIT KDC from (ugh) Kerberos 5 1.0.6
> to the lastest and greatest 1.3.5. However, it seems that as part of
> the upgrade, our GSSAPI credentials passing in OpenSSH stopped working.
[...]
> I'm pretty familar with the Kerb APIs, however, not so much with the
> GSSAPI stuff; however, the GSSAPI routines seem to obfuscate what's
> going on at the Kerb level, so it's hard to tell what's going on.
There are still a few things you can do to facilitate debugging:
1. Look at your credentials cache before and after the authentication
attempt. Did you get a valid ticket for host/re.mo.te ?
2. Run sshd -ddd and ssh -vvv against each other, capturing the output
at both ends. This may help you figure out whether the problem is
client- or server-side.
3. Read the KDC's logs.
4. Capture the actual packets between the ssh client and the KDC. With
a little practice, one can read the hex dumps directly (at least the
cleartext portions; that should be enough for this purpose). Some
versions of tcpdump may have good enough Kerberos parsing support to
save you even this trouble.
Have you tried using the fully-qualified domain name of the remote host?
Your symptoms may well denote a DNS problem.
More information about the openssh-unix-dev
mailing list