Jim,

I think I just figured out the difference. 

Many of our users have unix accounts on the resource, and can log
in using their keys.  When they log in, their ssh login succeeds,
and so doesn't appear in the logs.  Those users who don't have such
accounts do appear in the logs.

Pardon me!


On 13.06.08, Steve White wrote:
> Jim,
> 
> The behaviour of this particular user's gsissh is quite different from 
> other users.  
> 
> Other users' gsissh does not first try logging in via ssh as their unix
> account.
> 
> See below, where I listed the server system log.  Other users just get
> two lines there, showing them logging in via GSI.
> 
> Cheers!
> 
> On 13.06.08, Jim Basney wrote:
> > It is standard behavior for the OpenSSH client to try the "none" 
> > authentication method before other methods such as GSSAPI.  This is how 
> > the client determines what authentication methods the server supports 
> > according to the standard SSH protocol.  See:
> > 
> > http://www.networksecurityarchive.org/html/Secure-Shell/2004-12/msg00006.html
> > 
> > Your trace below shows the gsissh client using gssapi-keyex as the first 
> > authentication method after the standard OpenSSH handshake that includes 
> > the "none" method.
> > 
> > Steve White wrote:
> > >Hi,
> > >
> > >We have a user running
> > >   Globus 4.0.6 on Mac OS 10.5
> > >using only the client tools.
> > >
> > >This mostly works, but gsissh insists on trying ssh first as his Mac unix
> > >account, and failing at that, succeeds in GSI login. 
> > >
> > >But the server sees too many failed logins, and eventually bans him.
> > >
> > >Why is this happening?  Why is it trying ssh at all?
> > >
> > >
> > >We tried in etc/ssh/ssh_config
> > >   PasswordAuthentication no
> > >   PubkeyAuthentication no
> > >Also tried
> > >   GSSAPIDelegateCredentials no
> > >No effect.
> > >
> > >Because of a known Mac ssh problem had to set
> > >   IdentityFile ~/.ssh/rsa
> > >otherwise get
> > >   percent_expand: NULL replacement
> > >
> > >Thanks!
> > >
> > >========== server system log ===========================================
> > >... sshd[5984]: Did not receive identification string from <my remote IP>
> > >... sshd[5985]: Invalid user USER_UNIX_NAME from <my remote IP>
> > >... sshd[5985]: Failed unknown for invalid user USER_UNIX_NAME from <my remote IP> port 64805 ssh2
> > >... sshd[5985]: Failed none for invalid user USER_UNIX_NAME from <my remote IP> port 64805 ssh2
> > >... sshd[5985]: GSI user /C=DE/O=GermanGrid/OU=AIP/CN=<USER NAME> mapped to target user agdusr083
> > >... sshd[5985]: GSI user /C=DE/O=GermanGrid/OU=AIP/CN=<USER NAME> is authorized as target user agdusr083
> > >... sshd[5985]: Accepted gssapi-with-mic for agdusr083 from <my remote IP> port 64805 ssh2
> > >========================================================================
> > >$ grid-proxy-init -debug -verify
> > >
> > >User Cert File: /Users/adrian/.globus/usercert.pem
> > >User Key File: /Users/adrian/.globus/userkey.pem
> > >
> > >Trusted CA Cert Dir: /Users/adrian/.globus/certificates
> > >
> > >Output File: /tmp/x509up_u501
> > >Your identity: /C=DE/O=GermanGrid/OU=AIP/CN=Adrian Partl
> > >Enter GRID pass phrase for this identity:
> > >Creating proxy ............++++++++++++
> > >.++++++++++++
> > > Done
> > >Proxy Verify OK
> > >Your proxy is valid until: Sat Jun 14 04:47:36 2008
> > >
> > >=======================================================================
> > >$ gsissh -vv our.server.de
> > >OpenSSH_4.7p1-hpn12v18 NCSA_GSSAPI_GPT_4.2 GSI, OpenSSL 0.9.7d 17 Mar 2004
> > >debug1: Reading configuration data /Users/adrian/Apps/globus/etc/ssh/ssh_config
> > >debug1: Applying options for *
> > >debug2: ssh_connect: needpriv 0
> > >debug1: Connecting to our.server.de [server.ip] port 2222.
> > >debug1: Connection established.
> > >debug2: key_type_from_name: unknown key type '-----BEGIN'
> > >debug2: key_type_from_name: unknown key type '-----END'
> > >debug1: identity file /Users/adrian/.ssh/id_rsa type 1
> > >debug2: key_type_from_name: unknown key type '-----BEGIN'
> > >debug2: key_type_from_name: unknown key type '-----END'
> > >debug1: identity file /Users/adrian/.ssh/id_dsa type 2
> > >debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6p1-hpn12v17 NCSA_GSSAPI_GPT_4.0 GSI
> > >debug1: match: OpenSSH_4.6p1-hpn12v17 NCSA_GSSAPI_GPT_4.0 GSI pat OpenSSH*
> > >debug1: Enabling compatibility mode for protocol 2.0
> > >debug1: Local version string SSH-2.0-OpenSSH_4.7p1-hpn12v18 NCSA_GSSAPI_GPT_4.2 GSI
> > >debug2: fd 3 setting O_NONBLOCK
> > >debug1: Offering GSSAPI proposal: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==
> > >debug1: SSH2_MSG_KEXINIT sent
> > >debug1: SSH2_MSG_KEXINIT received
> > >debug2: kex_parse_kexinit: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > >debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
> > >debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
> > >debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
> > >debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[EMAIL PROTECTED],hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> > >debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[EMAIL PROTECTED],hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> > >debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
> > >debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
> > >debug2: kex_parse_kexinit: 
> > >debug2: kex_parse_kexinit: 
> > >debug2: kex_parse_kexinit: first_kex_follows 0 
> > >debug2: kex_parse_kexinit: reserved 0 
> > >debug2: kex_parse_kexinit: gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > >debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > >debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
> > >debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
> > >debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> > >debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> > >debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
> > >debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
> > >debug2: kex_parse_kexinit: 
> > >debug2: kex_parse_kexinit: 
> > >debug2: kex_parse_kexinit: first_kex_follows 0 
> > >debug2: kex_parse_kexinit: reserved 0 
> > >debug2: mac_setup: found hmac-md5
> > >debug1: kex: server->client aes128-cbc hmac-md5 none
> > >debug2: mac_setup: found hmac-md5
> > >debug1: kex: client->server aes128-cbc hmac-md5 none
> > >debug1: Doing group exchange
> > >
> > >debug2: dh_gen_key: priv key bits set: 128/256
> > >debug2: bits set: 534/1024
> > >debug1: Calling gss_init_sec_context
> > >debug1: Delegating credentials
> > >debug1: Received GSSAPI_CONTINUE
> > >debug1: Calling gss_init_sec_context
> > >debug1: Delegating credentials
> > >debug1: Received GSSAPI_CONTINUE
> > >debug1: Calling gss_init_sec_context
> > >debug1: Delegating credentials
> > >debug1: Received GSSAPI_CONTINUE
> > >debug1: Calling gss_init_sec_context
> > >debug1: Delegating credentials
> > >debug1: Received GSSAPI_COMPLETE
> > >debug2: bits set: 510/1024
> > >debug2: kex_derive_keys
> > >debug2: set_newkeys: mode 1
> > >debug1: SSH2_MSG_NEWKEYS sent
> > >debug1: expecting SSH2_MSG_NEWKEYS
> > >debug2: set_newkeys: mode 0
> > >debug1: SSH2_MSG_NEWKEYS received
> > >debug1: SSH2_MSG_SERVICE_REQUEST sent
> > >debug2: service_accept: ssh-userauth
> > >debug1: SSH2_MSG_SERVICE_ACCEPT received
> > >debug2: key: /Users/adrian/.ssh/id_rsa (0x3037e0)
> > >debug2: key: /Users/adrian/.ssh/id_dsa (0x3080c0)
> > >debug1: Authentications that can continue: publickey,gssapi-keyex,external-keyx,gssapi-with-mic,gssapi,password
> > >debug1: Next authentication method: gssapi-keyex
> > >debug2: we sent a gssapi-keyex packet, wait for reply
> > >debug1: Authentication succeeded (gssapi-keyex).
> > >debug1: socksize 262140
> > >
> 
> 
> 
> -- 
> | -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
> | Steve White                                             +49(331)7499-202
> | e-Science / AstroGrid-D                                   Zi. 35  Bg. 20
> | -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
> | Astrophysikalisches Institut Potsdam (AIP)
> | An der Sternwarte 16, D-14482 Potsdam
> |
> | Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
> |
> | Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
> | -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
> 

-- 
| -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
| Steve White                                             +49(331)7499-202
| e-Science / AstroGrid-D                                   Zi. 35  Bg. 20
| -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
| Astrophysikalisches Institut Potsdam (AIP)
| An der Sternwarte 16, D-14482 Potsdam
|
| Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
|
| Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
| -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
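
The bans discussed in this thread arise when every `Failed ...` line in the sshd log is counted as a strike. As an added example (not part of the original messages), the Python code below groups sshd lines by PID and counts only connections that never reach `Accepted`. The sample log is constructed from the quoted server log with placeholder timestamps, host name and 192.0.2.x addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the server log quoted above; the timestamps,
# host name and 192.0.2.x addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
Jun 13 10:00:01 host sshd[5985]: Invalid user USER_UNIX_NAME from 192.0.2.10
Jun 13 10:00:01 host sshd[5985]: Failed unknown for invalid user USER_UNIX_NAME from 192.0.2.10 port 64805 ssh2
Jun 13 10:00:01 host sshd[5985]: Failed none for invalid user USER_UNIX_NAME from 192.0.2.10 port 64805 ssh2
Jun 13 10:00:02 host sshd[5985]: Accepted gssapi-with-mic for agdusr083 from 192.0.2.10 port 64805 ssh2
Jun 13 10:05:00 host sshd[6001]: Invalid user admin from 192.0.2.66
Jun 13 10:05:00 host sshd[6001]: Failed none for invalid user admin from 192.0.2.66 port 40000 ssh2
Jun 13 10:05:03 host sshd[6001]: Failed password for invalid user admin from 192.0.2.66 port 40000 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EVENT = re.compile(r"(?P<verdict>Failed|Accepted) \S+ for (?:invalid user )?\S+ from (?P<ip>\S+)")

def auth_events(log_text):
    """Yield (pid, verdict, ip) for every Failed/Accepted sshd line."""
    for line in log_text.splitlines():
        m = LINE.search(line)
        ev = m and EVENT.match(m["msg"])
        if ev:
            yield m["pid"], ev["verdict"], ev["ip"]

def naive_failures_by_ip(log_text):
    """What a line-counting ban rule sees: every 'Failed' line is a strike."""
    counts = defaultdict(int)
    for _pid, verdict, ip in auth_events(log_text):
        counts[ip] += verdict == "Failed"
    return {ip: n for ip, n in counts.items() if n}

def failed_sessions_by_ip(log_text):
    """Count connections (one sshd PID each) that never reached 'Accepted'.
    Assumes PIDs are not reused within the log window being analysed."""
    sessions = {}  # pid -> [ip, accepted?]
    for pid, verdict, ip in auth_events(log_text):
        entry = sessions.setdefault(pid, [ip, False])
        entry[1] = entry[1] or verdict == "Accepted"
    counts = defaultdict(int)
    for ip, accepted in sessions.values():
        if not accepted:
            counts[ip] += 1
    return dict(counts)

if __name__ == "__main__":
    print("line-based strikes:", naive_failures_by_ip(SAMPLE_LOG))
    print("failed sessions:   ", failed_sessions_by_ip(SAMPLE_LOG))
```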
