GSSAPIAuthentication globally versus in a Match block

Frank Lenaerts frank.lenaerts at sckcen.be
Fri May 10 21:38:47 AEST 2019


Hi

I tried to get GSSAPIAuthentication working in a Match block only
(i.e. disabling it at the top level) but didn't succeed. At the top
level, I only want to allow public key authentication (Password and
ChallengeResponse authentication are set to no). I'm using OpenSSH
version 7.4.

When GSSAPIAuthentication is set to yes at the top level (i.e. not
within a Match block), authentication (using the Kerberos ticket I
have) works[*]. When it is set to no (the default) at the top level
and to yes inside my Match block, it doesn't[**] work.

I started sshd in debug mode and noticed the following differences (in
both cases, the Match block matches):

[*] GSSAPIAuthentication yes at top level

debug1: userauth-request for user ... service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
Postponed gssapi-with-mic for ... from ... port ... ssh2 [preauth]
debug1: Got no client credentials
debug1: ssh_gssapi_k5login_exists: Checking existence of file /tmp/.k5login
Authorized to ..., krb5 principal ... (ssh_gssapi_krb5_cmdok)
debug1: do_pam_account: called
Accepted gssapi-with-mic for ... from ... port ... ssh2
debug1: monitor_child_preauth: ... has been authenticated by privileged process
debug1: monitor_read_log: child log fd closed

[**] GSSAPIAuthentication no at top level and yes in my Match block

debug1: userauth-request for user ... service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: monitor_read_log: child log fd closed

It looks like the "Postponed gssapi-with-mic" path isn't reached in
[**].

Anyone have any idea?

-- 
Kind regards

Frank Lenaerts
SCK·CEN / ICT Group
Boeretang 200
B-2400 Mol
Belgium
Tel.: +3214338723
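
The setup described in the message above, as an added example that is not part of the original post: a constructed sshd_config with GSSAPIAuthentication off globally and on in a Match block, plus a check of the value sshd's parser reports for a matching connection via `sshd -T -C`. The Match criterion (User alice), the host and address values, the temporary host key and the sshd path are assumptions.

```sh
#!/bin/sh
# Added example: constructed reproduction of the configuration in the post.
# "Match User alice" and all paths/addresses are placeholders.

# Write a minimal sshd_config: GSSAPI off globally, on inside a Match block.
write_repro_config() {
    cat > "$1" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
GSSAPIAuthentication no

Match User alice
    GSSAPIAuthentication yes
EOF
}

# Extract one keyword's value from `sshd -T` output read on stdin.
# sshd -T prints keywords in lower case, one "keyword value" pair per line.
pick_setting() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Print the value of a keyword as sshd parses it for a given user.
# usage: effective_setting <config> <user> <keyword>
# OpenSSH 7.4 requires all five -C keywords; the values here are constructed.
# Assumes sshd is built with GSSAPI support and can run in test mode here.
effective_setting() {
    dir=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$dir/hostkey" || return 1
    "${SSHD:-/usr/sbin/sshd}" -T -f "$1" -h "$dir/hostkey" \
        -C "user=$2,host=client.example,addr=192.0.2.10,laddr=192.0.2.1,lport=22" \
        | pick_setting "$3"
    rm -rf "$dir"
}

# Example session (not executed when this file is sourced):
#   write_repro_config /tmp/repro_sshd_config
#   effective_setting /tmp/repro_sshd_config alice gssapiauthentication
#   effective_setting /tmp/repro_sshd_config bob   gssapiauthentication
```

Comparing the value printed for a matching user with the one for a non-matching user shows whether the Match override is applied at parse time, which separates a configuration problem from a difference in the runtime authentication path seen in the debug output.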


More information about the openssh-unix-dev mailing list