intermittent problems obtaining shell with gssapi-with-mic

Phil Pennock phil.pennock at globnix.org
Fri Jul 29 10:01:34 EST 2011


On 2011-07-28 at 17:35 +0100, Jonathan Underwood wrote:
> I am seeing a rather strange issue with openssh-5.3p1 (both client and
> server) under scientific linux 6. The systems in question are set up
> to authenticate against a Kerberos server. ssh'ing between machines
> works fine 99% of the time with the gssapi-with-mic method. But on
> occasion an ssh session will fail to spawn a shell for the user after
> authentication. An example -vvv output in this situation is below:

> At this point the session hangs seemingly forever and a command prompt
> never appears. When I see this issue, it isn't resolved by restarting
> the sshd server, and it continues to be an issue if I kill the session
> and start again. However, if I then do a
> 
> ssh -o GSSAPIAuthentication=no callista
> 
> I enter the password and log in successfully, as expected.
> Subsequently if I disconnect, and then retry without
> GSSAPIAuthentication=no everything is fine again.
> 
> I am having a hard time with debugging this any further, any advice
> would be happily received.

Is your home directory NFS mounted, with Kerberised authentication
against the NFS server?

If so, then when things fail, your credentials on the remote machine
have expired and /home/$you is not mounted, and logging in with a
password supplied to the remote site is getting /home/$you mounted.

Try instead:
  ssh -o GSSAPIDelegateCredentials=yes callista

If that works, then since you're willing to supply your password to the
remote side, you presumably trust it enough to delegate a Kerberos
TGT to it.  Add GSSAPIDelegateCredentials=yes to the ~/.ssh/config entry
for this host.

-Phil
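
Added example, not part of the original message: one way to write the ~/.ssh/config entry suggested above so that the TGT is delegated only to this host. The host name callista comes from the thread; the closing "Host *" block is an assumption about the rest of the file.

```sshconfig
# ~/.ssh/config
# ssh uses the first value it finds for each option, so the
# host-specific entry must come before the catch-all block.

Host callista
    GSSAPIAuthentication yes
    # Forward the Kerberos TGT so the remote side can obtain the
    # tickets it needs for the Kerberised NFS home directory.
    GSSAPIDelegateCredentials yes

# Assumed catch-all: every other host still gets GSSAPI
# authentication but never receives a delegated TGT.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

A delegated TGT can be used by anyone with root on the remote machine until it expires, which is why the setting is scoped to the one trusted host rather than enabled globally.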

