OpenSSH/Heimdal/MIT KDC problem/question

Robert Banz banz at umbc.edu
Tue Oct 26 23:53:26 EST 2004


Sergio,

Thanks for the reply.

Upon further investigation, we have narrowed down the problem to one 
OS... IRIX.  Our OpenSSH build GSSAPI delegates and authenticates 
between Linux, Solaris & OSX just fine; however the IRIX build will only 
work against IRIX.  As IRIX is slowly becoming a dying architecture at 
our site, I don't know if I'll be investigating it further ;)  However, 
I will try compiling under IRIX's cc instead of gcc to see if it's 
related to its compile environment.

-rob

Sergio Gelato wrote:
> * Robert Banz [2004-10-25 12:42:30 -0400]:
> 
>>I'm running OpenSSH 3.8 & 3.9, compiled against Heimdal 0.6.3 for its 
>>GSSAPI & AFS integration.
>>
>>A couple weeks ago, we upgraded our MIT KDC from (ugh) Kerberos 5 1.0.6 
>>to the latest and greatest 1.3.5.  However, it seems that as part of 
>>the upgrade, our GSSAPI credentials passing in OpenSSH stopped working.
> 
> [...] 
> 
>>I'm pretty familiar with the Kerb APIs, however, not so much with the 
>>GSSAPI stuff; however, the GSSAPI routines seem to obfuscate what's 
>>going on at the Kerb level, so it's hard to tell what's going on.
> 
> 
> There are still a few things you can do to facilitate debugging:
> 1. Look at your credentials cache before and after the authentication
>    attempt. Did you get a valid ticket for host/re.mo.te ?
> 2. Run sshd -ddd and ssh -vvv against each other, capturing the output
>    at both ends. This may help you figure out whether the problem is 
>    client- or server-side.
> 3. Read the KDC's logs.
> 4. Capture the actual packets between the ssh client and the KDC. With
>    a little practice, one can read the hex dumps directly (at least the
>    cleartext portions; that should be enough for this purpose). Some
>    versions of tcpdump may have good enough Kerberos parsing support to
>    save you even this trouble.
> 
> Have you tried using the fully-qualified domain name of the remote host?
> Your symptoms may well denote a DNS problem.


-- 
Robert Banz (banz at umbc.edu)
UMBC Office of Information Technology
(410) 455-3933  fax: (410) 455-1065
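Sergio's step 1 (inspect the credentials cache for a host/ ticket) and his closing hint about the fully-qualified name can be turned into a small offline check. This is an added example, not code from either poster; the klist listings, the example.edu hostnames and realm, and the caller-supplied canonical FQDN are all constructed assumptions.

```python
import re

# Constructed klist output before the ssh attempt: only the TGT is present.
KLIST_BEFORE = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: rob@EXAMPLE.EDU

Valid starting     Expires            Service principal
10/26/04 09:00:00  10/26/04 19:00:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
"""

# Constructed klist output after the attempt: the client obtained a host/ ticket.
KLIST_AFTER = KLIST_BEFORE + \
    "10/26/04 09:05:12  10/26/04 19:00:00  host/irix1.example.edu@EXAMPLE.EDU\n"

# Matches host/<hostname>@<REALM> service principals in a klist listing.
HOST_PRINC_RE = re.compile(r'\bhost/([A-Za-z0-9.-]+)@([A-Za-z0-9.-]+)')


def host_service_tickets(klist_output):
    """Return {hostname: realm} for every host/ service ticket in the listing."""
    return {m.group(1).lower(): m.group(2)
            for m in HOST_PRINC_RE.finditer(klist_output)}


def check_gssapi_ticket(klist_output, ssh_target, canonical_fqdn):
    """Classify what the cache says about a GSSAPI attempt to ssh_target.

    canonical_fqdn is the name DNS gives for ssh_target; it is passed in by the
    caller (rather than resolved here) so the check runs offline.
    """
    tickets = host_service_tickets(klist_output)
    target, fqdn = ssh_target.lower(), canonical_fqdn.lower()
    if fqdn in tickets:
        # The client side got its host/<fqdn> ticket; if authentication still
        # fails, compare against sshd -ddd on the server (step 2).
        return "ticket-ok"
    if target in tickets and target != fqdn:
        # A ticket for the name as typed, not the canonical FQDN: the DNS /
        # name-canonicalisation problem Sergio suspects.
        return "short-name-ticket"
    if not tickets:
        # No TGS exchange succeeded: read the KDC logs or capture
        # client<->KDC traffic (steps 3 and 4).
        return "no-host-ticket"
    return "other-host-only"
```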