Victor Sudakov wrote:
> > Against what gssapi library is your ssh linked 
> 
> Heimdal 1.5.2 from the FreeBSD 10.3 base system.
> 
> > and what does ssh -vvv
> > reveal why gssapi does not proceed?
> 
> Next time a service ticket expires, I'll post it here. But don't hold
> your breath, it's probably going to be something stupid like
> 'miscellaneous failure, see text'

Dear Harald,

Below is what "ssh -vvv" reveals:

debug3: receive packet: type 51
debug1: Authentications that can continue: 
publickey,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list 
publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1:  The context has expired
Success

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/sudakov/.ssh/id_rsa

Now if I destroy the expired ticket by "kdestroy --credential=host/techno..."
a new ticket is received and gssapi-with-mic is again successful until
the new tickets expires again.

I'm beginning to think of a cron job which would destroy hourly all
the service tickets... all except the TGT.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
AS43859

Reply via email to