OpenSSH/Heimdal/MIT KDC problem/question

Sergio Gelato Sergio.Gelato at astro.su.se
Tue Oct 26 23:23:04 EST 2004


* Robert Banz [2004-10-25 12:42:30 -0400]:
> I'm running OpenSSH 3.8 & 3.9, compiled against Heimdal 0.6.3 for its
> GSSAPI & AFS integration.
> 
> A couple weeks ago, we upgraded our MIT KDC from (ugh) Kerberos 5 1.0.6 
> to the latest and greatest 1.3.5.  However, it seems that as part of
> the upgrade, our GSSAPI credentials passing in OpenSSH stopped working.
[...] 
> I'm pretty familiar with the Kerb APIs, however, not so much with the
> GSSAPI stuff; however, the GSSAPI routines seem to obfuscate what's 
> going on at the Kerb level, so it's hard to tell what's going on.

There are still a few things you can do to facilitate debugging:
1. Look at your credentials cache before and after the authentication
   attempt. Did you get a valid ticket for host/re.mo.te ?
2. Run sshd -ddd and ssh -vvv against each other, capturing the output
   at both ends. This may help you figure out whether the problem is 
   client- or server-side.
3. Read the KDC's logs.
4. Capture the actual packets between the ssh client and the KDC. With
   a little practice, one can read the hex dumps directly (at least the
   cleartext portions; that should be enough for this purpose). Some
   versions of tcpdump may have good enough Kerberos parsing support to
   save you even this trouble.

Have you tried using the fully-qualified domain name of the remote host?
Your symptoms may well denote a DNS problem.
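
A small helper for item 1 and the FQDN question, as an added example that is not part of the original message: it reads a klist listing and reports whether a host/NAME ticket is present. The function names, the sample listing, and the realm and host names are constructed, and it assumes each ticket line ends with the service principal.

```shell
#!/bin/sh
# Added example (not from the original message): check item 1 of the list
# above against klist output, and flag a host name that is not fully qualified.

# Constructed sample of a klist listing; realm and host names are made up.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
10/26/04 09:00:00  10/26/04 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
10/26/04 09:05:12  10/26/04 19:00:00  host/shell1.example.org@EXAMPLE.ORG'

# host_principals: print every host/... principal found on stdin.
# Assumption: each ticket line ends with the service principal, as in the sample.
host_principals() {
    awk '$NF ~ /^host\// { print $NF }'
}

# check_host_ticket NAME: read a klist listing on stdin and print a finding.
# Returns 0 if a ticket for host/NAME@<realm> is present, 1 otherwise.
check_host_ticket() {
    name=$1
    found=$(host_principals)
    case "$name" in
        *.*) ;;
        *) echo "note: '$name' is not fully qualified" ;;
    esac
    for p in $found; do
        case "$p" in
            "host/$name@"*) echo "ok: $p"; return 0 ;;
        esac
    done
    # Listing the host tickets that are present shows which name was actually used.
    echo "missing: host/$name; host tickets in cache: ${found:-none}"
    return 1
}

# Demo on the constructed sample.
# Against a live cache: klist | check_host_ticket re.mo.te
printf '%s\n' "$SAMPLE_KLIST" | check_host_ticket shell1.example.org
printf '%s\n' "$SAMPLE_KLIST" | check_host_ticket shell1 || true
```

Run it once before and once after the ssh attempt; a host ticket that shows up under a different name than the one typed points at name resolution rather than at GSSAPI.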




More information about the openssh-unix-dev mailing list