Package: libgssapi-krb5-2 Version: 1.8.3+dfsg-2 Severity: grave File: /usr/lib/libgssapi_krb5.so.2
My system uses kerberos to authenticate users to ssh. After upgrading a server to squeeze logging in is no longer possible (this could satisfy critical severity). Unfortunately debugging this turned out to be harder than expected, because gssapi is not very precise about what the problem really is. All I can do is post the logs. Logging in from a (lenny) client that could log in to the same system before the upgrade: $ ssh -vvv somemachine ... debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Delegating credentials debug1: Delegating credentials debug1: Unspecified GSS failure. Minor code may provide more information Generic error (see e-text) debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug2: we did not send a packet, disable method ... Of course I also turned on debugging on the server: ... Nov 25 13:43:46 someserver sshd[5661]: Set /proc/self/oom_adj to 0 Nov 25 13:43:46 someserver sshd[5661]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8 Nov 25 13:43:46 someserver sshd[5661]: debug1: inetd sockets after dupping: 3, 3 Nov 25 13:43:46 someserver sshd[5661]: Connection from 10.0.82.2 port 36317 Nov 25 13:43:46 someserver sshd[5661]: debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5 Nov 25 13:43:46 someserver sshd[5661]: debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH* Nov 25 13:43:46 someserver sshd[5661]: debug1: Enabling compatibility mode for protocol 2.0 Nov 25 13:43:46 someserver sshd[5661]: debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-5+b1 Nov 25 13:43:46 someserver sshd[5661]: debug1: PAM: initializing for "root" Nov 25 13:43:46 someserver sshd[5661]: debug1: PAM: setting PAM_RHOST to "reverse.dns.of.somemachine" Nov 25 13:43:46 someserver sshd[5661]: debug1: PAM: setting PAM_TTY to "ssh" Nov 25 13:43:46 someserver sshd[5661]: Failed none for root from 10.0.82.2 port 36317 ssh2 Nov 25 13:43:46 someserver sshd[5661]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo such file or directory\n Nov 25 13:43:46 someserver sshd[5661]: debug1: Got no client credentials ... The origin of the "Unspecified GSS failure." message is src/lib/gssapi/mechglue/g_dsp_status.c which is a generic error handler. The "Got no client credentials" message originates from sshd itself gss-serv.c in ssh_gssapi_accept_ctx after finding that an error occured. Any other information needed? Do you have any ideas for debugging? Helmut -- System Information: Debian Release: squeeze/sid APT prefers squeeze-volatile APT policy: (500, 'squeeze-volatile'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libgssapi-krb5-2 depends on: ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib ii libcomerr2 1.41.12-2 common error description library ii libk5crypto3 1.8.3+dfsg-2 MIT Kerberos runtime libraries - C ii libkeyutils1 1.4-1 Linux Key Management Utilities (li ii libkrb5-3 1.8.3+dfsg-2 MIT Kerberos runtime libraries ii libkrb5support0 1.8.3+dfsg-2 MIT Kerberos runtime libraries - S libgssapi-krb5-2 recommends no packages. Versions of packages libgssapi-krb5-2 suggests: pn krb5-doc <none> (no description available) ii krb5-user 1.8.3+dfsg-2 Basic programs to authenticate usi -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
