GSSAPI Kerberos Differences between 5.1p1 and 5.2p1?
John Marshall
john.marshall at riverwillow.com.au
Fri Jul 17 16:57:05 EST 2009
Hello,
I'm trying to find clues on what may have changed for GSSAPI (Kerberos)
authentication between OpenSSH 5.1p1 and 5.2p1. We have been using
GSSAPI authentication for ssh for about 18 months with no problem with
the OpenSSH build that is bundled with the FreeBSD operating system.
All of those machines have OpenSSH 5.1p1. Last week I upgraded one of
the servers to FreeBSD 8.0-BETA1 (yes, I know, BETA) which includes
OpenSSH 5.2p1.
GSSAPI authentication no longer works properly for access to the OpenSSH
5.2p1 server. I think I've narrowed this down to OpenSSH 5.2p1 because
if I install the FreeBSD OpenSSH port (5.2p1) on one of our FreeBSD
7.2-RELEASE servers, I am seeing the same symptoms.
In sshd_config on the server I have:
GSSAPIAuthentication yes
In ssh_config on the client I have:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
If I run sshd with debug "-ddd" I see the following:
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 37
debug3: mm_request_receive_expect entering: type 38
debug3: mm_request_receive entering
debug3: monitor_read: checking request 37
debug3: mm_request_send entering: type 38
debug3: mm_request_receive entering
Postponed gssapi-with-mic for john from 192.0.2.123 port 57225 ssh2
debug3: mm_request_send entering: type 39
debug3: mm_request_receive_expect entering: type 40
debug3: mm_request_receive entering
debug3: monitor_read: checking request 39
debug1: Received some client credentials
debug3: mm_request_send entering: type 40
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 43
debug3: mm_request_receive_expect entering: type 44
debug3: mm_request_receive entering
debug3: monitor_read: checking request 43
debug3: mm_request_send entering: type 44
debug3: mm_request_receive entering
GSSAPI MIC check failed
On the client side (with ssh -vvv) I see:
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
After successful fallback authentication (e.g. publickey,
keyboard-interactive), I can see in my Kerberos credentials cache on the
server that a TGT was forwarded from the client. If I look in my
credentials cache on the client, I can see that the service ticket for
the server was acquired. That indicates to me that the Kerberos stuff
is working - but somehow sshd is not finding out.
Any tips on what might have changed in OpenSSH 5.2p1, instructions on
how to drive the new version, or any help on how to get further with
troubleshooting this problem, would be greatly appreciated.
Thank you.
--
John Marshall
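The "GSSAPI MIC check failed" line above is the final step of gssapi-with-mic (RFC 4462, section 3.5): after the GSS context is established and credentials are delegated, the client sends a MIC over a fixed byte string that the server rebuilds and verifies. The following is an added example, not code from the post or from OpenSSH; it constructs that byte string and shows that any disagreement between client and server about the session identifier, user name or service string fails the check even though the Kerberos tickets themselves are valid. The HMAC stands in for gss_get_mic/gss_verify_mic purely for illustration (an assumption, not the real GSS-API calls).

```python
"""Rebuild the data covered by the gssapi-with-mic MIC (RFC 4462 s3.5)."""
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' wire encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_mic_input(session_id: bytes, user: str,
                    service: str = "ssh-connection") -> bytes:
    """Exactly the bytes the client MICs and the server re-derives to verify.

    Field order per RFC 4462 s3.5: session identifier, the message type byte
    SSH_MSG_USERAUTH_REQUEST, user name, service name, method name.
    """
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"gssapi-with-mic"))


# Assumption for illustration: an HMAC keyed with the context's session key
# plays the role of gss_get_mic / gss_verify_mic.
def get_mic(ctx_key: bytes, data: bytes) -> bytes:
    return hmac.new(ctx_key, data, hashlib.sha256).digest()


def verify_mic(ctx_key: bytes, data: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(get_mic(ctx_key, data), mic)


def server_mic_check(ctx_key: bytes, session_id: bytes, user: str,
                     service: str, mic: bytes) -> bool:
    """What sshd does before logging 'GSSAPI MIC check failed'."""
    return verify_mic(ctx_key, build_mic_input(session_id, user, service), mic)


if __name__ == "__main__":
    key = b"constructed-context-key"      # constructed sample key
    sid = bytes.fromhex("00" * 20)        # constructed session identifier
    mic = get_mic(key, build_mic_input(sid, "john"))
    print(server_mic_check(key, sid, "john", "ssh-connection", mic))
    print(server_mic_check(key, sid, "JOHN", "ssh-connection", mic))
    print(server_mic_check(key, b"\x01" * 20, "john", "ssh-connection", mic))
```

The second and third checks fail only because the covered fields differ, which is why a working TGT forward and a valid service ticket do not by themselves rule out a MIC failure.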