Hello. Please, help. I'm trying to configure GSSAPI auth in sshd (in opensolaris 2008.11), but I get the following error:

Unspecified GSS failure. Minor code may provide more information No error

However, I can login via GSSAPI to other (FreeBSD and Linux) hosts from my workstation. I also can ssh from Opensolaris host to other servers using GSSAPI.

My sshd_config is the following:

Protocol 2
Port 22
ListenAddress ::
AllowTcpForwarding no
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries 6
MaxAuthTriesLog 3
PermitEmptyPasswords no
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes
PermitRootLogin no
Subsystem sftp /usr/lib/ssh/sftp-server
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
GSSAPIAuthentication yes

client log:

ubuntu:~$ ssh -p 1022 -vvv alpnote.cc.rsu.ru
OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to alpnote.cc.rsu.ru [195.208.252.212] port 1022.
debug1: Connection established.
debug1: identity file /home/leoric/.ssh/identity type -1
debug1: identity file /home/leoric/.ssh/id_rsa type -1
debug1: identity file /home/leoric/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.2
debug1: no match: Sun_SSH_1.2
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: ar-SA,cs-CZ,de,de-DE,en-US,es,es-ES,fr,fr-FR,he-IL,hu-HU,id-ID,it,it-IT,ja-JP,ko,ko-KR,pt-BR,ru,ru-RU,sk-SK,sv,sv-SE,zh,zh-CN,zh-HK,i-default,zh-TW
debug2: kex_parse_kexinit: ar-SA,cs-CZ,de,de-DE,en-US,es,es-ES,fr,fr-FR,he-IL,hu-HU,id-ID,it,it-IT,ja-JP,ko,ko-KR,pt-BR,ru,ru-RU,sk-SK,sv,sv-SE,zh,zh-CN,zh-HK,i-default,zh-TW
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024]]server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: ar-SA,cs-CZ,de,de-DE,en-US,es,es-ES,fr,fr-FR,he-IL,hu-HU,id-ID,it,it-IT,ja-JP,ko,ko-KR,pt-BR,ru,ru-RU,sk-SK,sv,sv-SE,zh,zh-CN,zh-HK,i-default,zh-TW
debug1: We proposed langtags, stoc: ar-SA,cs-CZ,de,de-DE,en-US,es,es-ES,fr,fr-FR,he-IL,hu-HU,id-ID,it,it-IT,ja-JP,ko,ko-KR,pt-BR,ru,ru-RU,sk-SK,sv,sv-SE,zh,zh-CN,zh-HK,i-default,zh-TW
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 506/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 486/1024
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
debug2: set_newkeys: mode 1
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user myuser service ssh-connection method none
debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
debug2: input_userauth_request: setting up authctxt for myuser
debug2: input_userauth_request: try method none
Failed none for myuser from 195.208.243.17 port 49887 ssh2
debug1: userauth-request for user myuser service ssh-connection method gssapi-with-mic
debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } (supported)
debug1: GSS-API error while accepting security context: Unspecified GSS failure. Minor code may provide more information No error
debug2: Zero length GSS context error token output
Failed gssapi-with-mic for myuser from 195.208.243.17 port 49887 ssh2
debug1: userauth-request for user myuser service ssh-connection method gssapi-with-mic
debug1: attempt 2 initial attempt 0 failures 2 initial failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug1: Client offered gssapi userauth with { 1 3 5 1 5 2 } (unsupported)
debug2: No mechanism offered by the client is available
Failed gssapi-with-mic for myuser from 195.208.243.17 port 49887 ssh2
debug1: userauth-request for user myuser service ssh-connection method gssapi-with-mic
debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug1: Client offered gssapi userauth with { 1 2 840 48018 1 2 2 } (unsupported)
debug2: No mechanism offered by the client is available
Failed gssapi-with-mic for myuser from 195.208.243.17 port 49887 ssh2
debug1: userauth-request for user myuser service ssh-connection method keyboard-interactive
debug1: attempt 4 initial attempt 0 failures 4 initial failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
debug3: Trying to reverse map address 195.208.243.17.
debug2: Calling pam_authenticate()
debug2: PAM echo off prompt: Password:
debug2: Nesting dispatch_run loop

--
This message posted from opensolaris.org
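
The gssapi-with-mic attempts in the log above fail at two different stages, which a short triage script makes explicit. This Python is an added example, not part of the original post or of Sun SSH; the mechanism labels, the `triage` function and the `stage` wording are this example's own, and the sample lines are copied from the post's log.

```python
import re

# Kerberos 5 GSS-API mechanism OIDs; the labels are this example's own wording.
MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5 (RFC 1964)",
    "1.3.5.1.5.2": "Kerberos V5 (pre-standard OID)",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft variant OID)",
}
OFFER = re.compile(r"Client offered gssapi userauth with \{ ([\d ]+?) \} \((\w+)\)")
GSSERR = re.compile(r"GSS-API error while accepting security context: (.+)")
FAILED = re.compile(r"^Failed gssapi-with-mic for (\S+) from (\S+)")

# Server-side lines copied from the log in the post above.
SAMPLE_LOG = """\
debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } (supported)
debug1: GSS-API error while accepting security context: Unspecified GSS failure. Minor code may provide more information No error
debug2: Zero length GSS context error token output
Failed gssapi-with-mic for myuser from 195.208.243.17 port 49887 ssh2
debug1: Client offered gssapi userauth with { 1 3 5 1 5 2 } (unsupported)
debug2: No mechanism offered by the client is available
Failed gssapi-with-mic for myuser from 195.208.243.17 port 49887 ssh2
debug1: Client offered gssapi userauth with { 1 2 840 48018 1 2 2 } (unsupported)
debug2: No mechanism offered by the client is available
Failed gssapi-with-mic for myuser from 195.208.243.17 port 49887 ssh2
"""

def triage(lines):
    """Return one record per gssapi-with-mic attempt in sshd debug output."""
    attempts, cur = [], None
    for line in (l.strip() for l in lines):
        if m := OFFER.search(line):
            oid = ".".join(m.group(1).split())
            cur = {"oid": oid, "mech": MECHS.get(oid, "unknown"),
                   "supported": m.group(2) == "supported", "error": None}
        elif cur and (m := GSSERR.search(line)):
            cur["error"] = m.group(1)
        elif cur and (m := FAILED.search(line)):
            cur["user"], cur["client"] = m.group(1), m.group(2)
            if not cur["supported"]:
                cur["stage"] = "negotiation: server does not offer this mechanism"
            elif cur["error"]:
                cur["stage"] = "acceptance: server could not accept the security context"
            else:
                cur["stage"] = "rejected after context establishment"
            attempts.append(cur)
            cur = None
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG.splitlines()):
        print(f'{a["mech"]:<36} {a["oid"]:<22} {a["stage"]}')
```

Only the first attempt reaches context acceptance; the other two are alternate Kerberos OIDs the server simply does not list, so the acceptance failure is the one to investigate.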