GSSAPI Kerberos Differences between 5.1p1 and 5.2p1?

John Marshall john.marshall at
Fri Jul 17 16:57:05 EST 2009


I'm trying to find clues on what may have changed for GSSAPI (Kerberos)
authentication between OpenSSH 5.1p1 and 5.2p1.  We have been using
GSSAPI authentication for ssh for about 18 months with no problem with
the OpenSSH build that is bundled with the FreeBSD operating system.
All of those machines have OpenSSH 5.1p1.  Last week I upgraded one of
the servers to FreeBSD 8.0-BETA1 (yes, I know, BETA) which includes
OpenSSH 5.2p1.

GSSAPI authentication no longer works properly for access to the OpenSSH
5.2p1 server.  I think I've narrowed this down to OpenSSH 5.2p1 because
if I install the FreeBSD OpenSSH port (5.2p1) on one of our FreeBSD
7.2-RELEASE servers, I am seeing the same symptoms.

In sshd_config on the server I have:

  GSSAPIAuthentication yes

In ssh_config on the client I have:

  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

If I run sshd with debug "-ddd" I see the following:

  debug1: attempt 1 failures 0
  debug2: input_userauth_request: try method gssapi-with-mic
  debug3: mm_request_send entering: type 37
  debug3: mm_request_receive_expect entering: type 38
  debug3: mm_request_receive entering
  debug3: monitor_read: checking request 37
  debug3: mm_request_send entering: type 38
  debug3: mm_request_receive entering
  Postponed gssapi-with-mic for john from port 57225 ssh2
  debug3: mm_request_send entering: type 39
  debug3: mm_request_receive_expect entering: type 40
  debug3: mm_request_receive entering
  debug3: monitor_read: checking request 39
  debug1: Received some client credentials
  debug3: mm_request_send entering: type 40
  debug3: mm_request_receive entering
  debug3: mm_request_send entering: type 43
  debug3: mm_request_receive_expect entering: type 44
  debug3: mm_request_receive entering
  debug3: monitor_read: checking request 43
  debug3: mm_request_send entering: type 44
  debug3: mm_request_receive entering
  GSSAPI MIC check failed

On the client side (with ssh -vvv) I see:

  debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
  debug3: authmethod_lookup gssapi-with-mic
  debug3: remaining preferred: publickey,keyboard-interactive,password
  debug3: authmethod_is_enabled gssapi-with-mic
  debug1: Next authentication method: gssapi-with-mic
  debug2: we sent a gssapi-with-mic packet, wait for reply
  debug1: Delegating credentials
  debug1: Delegating credentials
  debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
  debug2: we did not send a packet, disable method

After successful fallback authentication (e.g. publickey,
keyboard-interactive), I can see in my Kerberos credentials cache on the
server that a tgt was forwarded from the client.  If I look in my
credentials cache on the client, I can see that the service ticket for
the server was acquired.  That indicates to me that the Kerberos stuff
is working - but somehow sshd is not finding out.

Any tips on what might have changed in OpenSSH 5.2p1, instructions on
how to drive the new version, or any help on how to get further with
troubleshooting this problem, would be greatly appreciated.

Thank you.

John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <>

More information about the openssh-unix-dev mailing list