http://www.networksecurityarchive.org/html/Secure-Shell/2004-12/msg00006.html
Your trace below shows the gsissh client using gssapi-keyex as the first authentication method after the standard OpenSSH handshake that includes the "none" method.
Steve White wrote:
Hi,

We have a user running Globus 4.0.6 on Mac OS 10.5 using only the client tools. This mostly works, but gsissh insists on trying ssh first as his Mac unix account, and failing at that, succeeds in GSI login. But the server sees too many failed logins, and eventually bans him.

Why is this happening? Why is it trying ssh at all?

We tried in etc/ssh/ssh_config
    PasswordAuthentication no
    PubkeyAuthentication no
Also tried
    GSSAPIDelegateCredentials no
No effect.

Because of a known Mac ssh problem had to set
    IdentityFile ~/.ssh/rsa
otherwise get
    percent_expand: NULL replacement

Thanks!

========== server system log ===========================================
... sshd[5984]: Did not receive identification string from <my remote IP>
... sshd[5985]: Invalid user USER_UNIX_NAME from <my remote IP>
... sshd[5985]: Failed unknown for invalid user USER_UNIX_NAME from <my remote IP> port 64805 ssh2
... sshd[5985]: Failed none for invalid user USER_UNIX_NAME from <my remote IP> port 64805 ssh2
... sshd[5985]: GSI user /C=DE/O=GermanGrid/OU=AIP/CN=<USER NAME> mapped to target user agdusr083
... sshd[5985]: GSI user /C=DE/O=GermanGrid/OU=AIP/CN=<USER NAME> is authorized as target user agdusr083
... sshd[5985]: Accepted gssapi-with-mic for agdusr083 from <my remote IP> port 64805 ssh2
========================================================================
$ grid-proxy-init -debug -verify
User Cert File: /Users/adrian/.globus/usercert.pem
User Key File: /Users/adrian/.globus/userkey.pem
Trusted CA Cert Dir: /Users/adrian/.globus/certificates
Output File: /tmp/x509up_u501
Your identity: /C=DE/O=GermanGrid/OU=AIP/CN=Adrian Partl
Enter GRID pass phrase for this identity:
Creating proxy ............++++++++++++ .++++++++++++ Done
Proxy Verify OK
Your proxy is valid until: Sat Jun 14 04:47:36 2008
=======================================================================
$ gsissh -vv our.server.de
OpenSSH_4.7p1-hpn12v18 NCSA_GSSAPI_GPT_4.2 GSI, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /Users/adrian/Apps/globus/etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to our.server.de [server.ip] port 2222.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /Users/adrian/.ssh/id_rsa type 1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /Users/adrian/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6p1-hpn12v17 NCSA_GSSAPI_GPT_4.0 GSI
debug1: match: OpenSSH_4.6p1-hpn12v17 NCSA_GSSAPI_GPT_4.0 GSI pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7p1-hpn12v18 NCSA_GSSAPI_GPT_4.2 GSI
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[EMAIL PROTECTED],hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[EMAIL PROTECTED],hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Doing group exchange
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 534/1024
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug2: bits set: 510/1024
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/adrian/.ssh/id_rsa (0x3037e0)
debug2: key: /Users/adrian/.ssh/id_dsa (0x3080c0)
debug1: Authentications that can continue: publickey,gssapi-keyex,external-keyx,gssapi-with-mic,gssapi,password
debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentication succeeded (gssapi-keyex).
debug1: socksize 262140
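Added example, not part of the original thread: in the server log above, the "Failed unknown" and "Failed none" lines and the later "Accepted gssapi-with-mic" line all carry the same sshd PID, so a ban counter can correlate lines per connection instead of counting each "Failed" line. The sketch below compares the two counting rules on a constructed log; the timestamps, host name, addresses and function names are assumptions, and it assumes one sshd PID per connection as in the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the server log excerpt above; timestamps,
# host name and the 192.0.2.x / 198.51.100.x addresses are placeholders.
SAMPLE_LOG = """\
Jun 13 16:47:01 srv sshd[5984]: Did not receive identification string from 192.0.2.10
Jun 13 16:47:05 srv sshd[5985]: Invalid user USER_UNIX_NAME from 192.0.2.10
Jun 13 16:47:05 srv sshd[5985]: Failed unknown for invalid user USER_UNIX_NAME from 192.0.2.10 port 64805 ssh2
Jun 13 16:47:05 srv sshd[5985]: Failed none for invalid user USER_UNIX_NAME from 192.0.2.10 port 64805 ssh2
Jun 13 16:47:06 srv sshd[5985]: Accepted gssapi-with-mic for agdusr083 from 192.0.2.10 port 64805 ssh2
Jun 13 16:48:10 srv sshd[6001]: Invalid user admin from 198.51.100.7
Jun 13 16:48:10 srv sshd[6001]: Failed none for invalid user admin from 198.51.100.7 port 40022 ssh2
Jun 13 16:48:12 srv sshd[6001]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EVENT = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def summarize(log_text):
    """Group auth events by sshd PID (assumed: one PID per connection)."""
    sessions = defaultdict(lambda: {"ip": None, "failed": [], "accepted": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        ev = m and EVENT.match(m.group("msg"))
        if not ev:
            continue  # not a Failed/Accepted authentication line
        s = sessions[m.group("pid")]
        s["ip"] = ev.group("ip")
        if ev.group("result") == "Failed":
            s["failed"].append(ev.group("method"))
        else:
            s["accepted"] = ev.group("method")
    return dict(sessions)

def ban_counts(log_text, per_line=False):
    """Failures per source IP: naive per-line vs. per-connection counting."""
    counts = defaultdict(int)
    for s in summarize(log_text).values():
        if per_line:
            counts[s["ip"]] += len(s["failed"])
        elif s["accepted"] is None:
            # Count a connection once, and only if it never authenticated.
            counts[s["ip"]] += 1
    return dict(counts)
```

With per-line counting the GSI user's single successful login contributes two failures toward a ban threshold; with per-connection counting it contributes none, while the connection that never authenticates is still counted.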
