Hello, I have just installed the latest Debian release 3.0r1 for i386 and installed all the required Kerberos packages from Debian. I have also replaced the normal ssh package with Debian's ssh-krb5 package, whose version string is: "OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody1".
The reason for using ssh-krb5 is that our users are being authenticated by a Windows 2000 domain controller running Kerberos. The entries in /etc/passwd and /etc/group are available but the user simply doesn't have a password as it's stored in the Windows Active Directory. SSHing to the Debian box from another Kerberos-enabled box works fine as long as the user issued a "kinit" before using ssh. If the user didn't do any kinit before and then attempts to use ssh to log in to the Debian box it will NOT work, and that's the problem. I would like this to work even if the user didn't do a kinit before, because, for example, a user logging in using PuTTY from a Windows box won't be able to do a kinit.

Here is the output of the SSH daemon when a user tries to log in without having issued a kinit before:

451: debug1: sshd version OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody1
451: debug1: read PEM private key done: type RSA
451: debug1: private host key: #0 type 1 RSA
451: debug1: read PEM private key done: type DSA
451: debug1: private host key: #1 type 2 DSA
451: debug1: Bind to port 999 on 0.0.0.0.
451: Server listening on 0.0.0.0 port 999.
451: debug1: Server will not fork when running in debugging mode.
451: Connection from 192.168.23.245 port 54996
451: debug1: Client protocol version 2.0; client software version OpenSSH_3.1p1
451: debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
451: Enabling compatibility mode for protocol 2.0
451: debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody1
452: debug1: list_hostkey_types: ssh-rsa,ssh-dss
452: debug1: SSH2_MSG_KEXINIT sent
452: debug1: SSH2_MSG_KEXINIT received
452: debug1: kex: client->server aes128-cbc hmac-md5 none
452: debug1: kex: server->client aes128-cbc hmac-md5 none
452: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
452: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
452: debug1: dh_gen_key: priv key bits set: 114/256
452: debug1: bits set: 1640/3191
452: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
452: debug1: bits set: 1569/3191
452: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
452: debug1: kex_derive_keys
452: debug1: newkeys: mode 1
452: debug1: SSH2_MSG_NEWKEYS sent
452: debug1: waiting for SSH2_MSG_NEWKEYS
452: debug1: newkeys: mode 0
452: debug1: SSH2_MSG_NEWKEYS received
452: debug1: KEX done
452: debug1: userauth-request for user username service ssh-connection method none
452: debug1: attempt 0 failures 0
451: debug1: Starting up PAM with username "username"
451: debug1: PAM setting rhost to "hostname.domain.tld"
451: Failed none for username from 192.168.23.245 port 54996 ssh2
452: Failed none for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method external-keyx
452: debug1: attempt 1 failures 1
451: debug1: No suitable client data
451: Failed gssapi for username from 192.168.23.245 port 54996 ssh2
452: Failed external-keyx for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method gssapi
452: debug1: attempt 2 failures 2
452: Postponed gssapi for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method keyboard-interactive
452: debug1: attempt 3 failures 2
452: debug1: keyboard-interactive devs
452: debug1: auth2_challenge: user=username devs=
452: debug1: kbdint_alloc: devices ''
452: Failed keyboard-interactive for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method password
452: debug1: attempt 4 failures 3
451: debug1: PAM Password authentication for "username" failed[7]: Authentication failure
451: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Failed password for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method password
452: debug1: attempt 5 failures 4
451: debug1: PAM Password authentication for "username" failed[7]: Authentication failure
451: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Failed password for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method password
452: debug1: attempt 6 failures 5
451: debug1: PAM Password authentication for "username" failed[11]: Have exhasted maximum number of retries for service.
451: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Connection closed by 192.168.23.245
452: debug1: Calling cleanup 0x806ee3c(0x0)
451: debug1: Calling cleanup 0x8054b88(0x0)
451: debug1: Calling cleanup 0x806ee3c(0x0)

Does someone have any idea? Or can someone help, please?

Many thanks!!

Regards

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
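
Added example, not part of the original post: a short Python parser that condenses an sshd debug trace like the one above into one outcome per requested authentication method, with any PAM error attached to the attempt it belongs to. The names SAMPLE and summarize are assumptions of this example, and the sample is a subset of the lines quoted in the post.

```python
import re

# Constructed sample: a subset of the lines from the sshd trace quoted in the post.
SAMPLE = """\
452: debug1: userauth-request for user username service ssh-connection method none
451: Failed none for username from 192.168.23.245 port 54996 ssh2
452: Failed none for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method external-keyx
451: debug1: No suitable client data
451: Failed gssapi for username from 192.168.23.245 port 54996 ssh2
452: Failed external-keyx for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method gssapi
452: Postponed gssapi for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method password
451: debug1: PAM Password authentication for "username" failed[7]: Authentication failure
451: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Failed password for username from 192.168.23.245 port 54996 ssh2
"""

REQ = re.compile(r"^(\d+): debug1: userauth-request for user \S+ service \S+ method (\S+)$")
RES = re.compile(r"^(\d+): (Failed|Postponed|Accepted) (\S+) for \S+ from \S+ port \d+")
PAM = re.compile(r'^\d+: debug1: PAM Password authentication for "[^"]+" failed\[(\d+)\]: (.+)$')

def summarize(trace):
    """Map each requested auth method to its request count, outcomes and PAM errors."""
    summary, method, req_pid = {}, None, None
    for line in map(str.strip, trace.splitlines()):
        if m := REQ.match(line):
            req_pid, method = m.groups()
            entry = summary.setdefault(method, {"requests": 0, "results": [], "pam_errors": []})
            entry["requests"] += 1
        elif method is None:
            continue  # nothing to attribute before the first userauth-request
        elif m := RES.match(line):
            # The trace repeats each outcome under both PIDs (451 and 452); keep only
            # the line from the PID that logged the request, naming the same method.
            if m.group(1) == req_pid and m.group(3) == method:
                summary[method]["results"].append(m.group(2))
        elif m := PAM.match(line):
            # PAM failures are logged by the other PID; attach them to the current method.
            summary[method]["pam_errors"].append((int(m.group(1)), m.group(2)))
    return summary

if __name__ == "__main__":
    for name, info in summarize(SAMPLE).items():
        print(name, info)
```
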
