How to generate additional debug messages for sshd gssapi failures?
Jim Basney
jbasney at ncsa.uiuc.edu
Wed Sep 23 06:21:06 EST 2009
Maybe this will help with troubleshooting. It may require setting
UsePrivilegeSeparation no in sshd_config to get a useful error message.
Index: auth2-gss.c
===================================================================
RCS file: /cvs/openssh/auth2-gss.c,v
retrieving revision 1.19
diff -u -r1.19 auth2-gss.c
--- auth2-gss.c 2 Dec 2007 11:59:45 -0000 1.19
+++ auth2-gss.c 22 Sep 2009 20:17:11 -0000
@@ -278,8 +278,17 @@
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
- else
+ else {
+ char *errstr;
+ OM_uint32 maj,min;
+
logit("GSSAPI MIC check failed");
+ errstr=ssh_gssapi_last_error(gssctxt,&maj,&min);
+ if (errstr) {
+ debug("GSSAPI ERROR maj=%u, min=%u\n%s", maj, min, errstr);
+ xfree(errstr);
+ }
+ }
buffer_free(&b);
xfree(mic.value);
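Review bot: In the new else branch, ssh_gssapi_last_error(gssctxt, &maj, &min) is called directly, while the check itself ran through PRIVSEP(ssh_gssapi_checkmic(...)), so with privilege separation enabled the codes read here may not be the ones from the failed check. That matches the note above about needing "UsePrivilegeSeparation no". Consider keeping the return value of the checkmic call in a local and logging it, or emitting the detail at the point where the check actually executes, so the message is useful in the default configuration. Two smaller points on the debug() line: the "\n" inside the format string splits one event across two log lines, so a single-line form such as "GSSAPI ERROR maj=%u min=%u: %s" would be easier to grep, and an explicit (unsigned int) cast on maj and min would keep the %u arguments well-defined whatever OM_uint32 is typedef'd to.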
John Marshall wrote:
> I'm trying to troubleshoot gssapi_with_mic authentication with OpenSSH
> 5.2p1 on FreeBSD 8.0.
>
> If I run sshd with maximum debug "sshd -ddd" the most detail I get is:
>
> GSSAPI MIC check failed
>
> That comes from line 282 in auth2-gss.c
>
> 279 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
> 280 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
> 281 else
> 282 logit("GSSAPI MIC check failed");
> 283
>
> I think that's as much help as I can get from sshd. I'd like to add
> some printf's to that else clause so that I can see the reason codes
> returned by the gssapi routines. I'm not a programmer. Can anybody
> give me any hints as to what to put here?
>
> Is there any chance of enhancing the error reporting at that point in a
> future release so that debug logging produces useful output?
>
> Thank you for your help.
More information about the openssh-unix-dev
mailing list