On 21.11.2010 19:46, Brian Candler wrote:
> On Sat, Nov 20, 2010 at 10:45:31PM +0100, Thomas Schweikle wrote:
>> Something about no GSSAPI environment. I'll post the whole thing
>> tomorrow --- I'll need access to the systems.
>
> Another trick is to run another instance of sshd, on another port, in debug
> mode: e.g.
>
> # sshd -p 99 -d

From ub0001 to kvm-test (10.04.1 to 10.04.1):
!debug1: Unspecified GSS failure.
!  Minor code may provide more information
!Key table entry not found

and on the client side:
!debug1: Authentications that can continue:
!  publickey,gssapi-keyex,gssapi-with-mic,password
!debug1: Next authentication method: gssapi-keyex
!debug1: No valid Key exchange context

But:
!...@kvm-test:~$ klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!---------------------------------------------------------------------
!   1 host/kvm-t...@local
!   1 host/kvm-t...@local
!   1 host/kvm-t...@local
!   1 host/kvm-t...@local

and
!ub0001:~% klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!---------------------------------------------------------------------
!   2 host/ub0...@local
!   2 host/ub0...@local
!   2 host/ub0...@local
!   2 host/ub0...@local

ssh asks for password :-(

Now from auth to kvm-test (10.10 to 10.04.1):
!debug1: Unspecified GSS failure.
!  Minor code may provide more information
!Key table entry not found

and on the client side:
!debug1: Authentications that can continue:
!  publickey,gssapi-keyex,gssapi-with-mic,password
!debug1: Next authentication method: gssapi-keyex
!debug1: No valid Key exchange context

But:
!r...@kvm-test:~# klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   1 host/kvm-t...@local
!   1 host/kvm-t...@local
!   1 host/kvm-t...@local
!   1 host/kvm-t...@local

and
!...@auth:~$ klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   1 host/a...@local
!   1 host/a...@local
!   1 host/a...@local
!   1 host/a...@local

Now from ub0001 to auth (10.04.1 to 10.10):
No password prompt! logged in!

This with:
!ub0001:~% klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   2 host/ub0...@local
!   2 host/ub0...@local
!   2 host/ub0...@local
!   2 host/ub0...@local

and:
!r...@auth:~# klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   1 host/a...@local
!   1 host/a...@local
!   1 host/a...@local
!   1 host/a...@local

Obviously 10.10 to 10.10 works too.

> Then when you ssh -v -p 99 <user>@<hostname> you will also get debug output
> from the server side.
>
> You need 'GSSAPIAuthentication yes' in /etc/ssh/sshd_config at the server
> side, but presumably you have that as some of the combinations do work.
> (Not 'KerberosAuthentication yes' - that just does password authentication
> with the KDC as the password oracle)

AFAIC this is set. On all machines I have:

/etc/ssh/sshd_config:
!# GSSAPI options
!GSSAPIAuthentication yes
!GSSAPICleanupCredentials yes
!GSSAPIKeyExchange yes

/etc/ssh/ssh_config:
!Host *
!    SendEnv LANG LC_*
!    HashKnownHosts yes
!    GSSAPIAuthentication yes
!    GSSAPIDelegateCredentials yes
!    GSSAPIKeyExchange yes

-- 
Thomas

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
