Package: openssh-server
Version: 1:6.7p1-5+deb8u3
Severity: normal

I have a server running openssh-server at the 'edge' of my Kerberos realm. From here I can jump into the rest of the network. When I try to connect to it from within the realm, however, the connection fails because it attempts to remove 'gssapi-with-mic' from the auth methods list instead of 'gssapi-keyex'.

The important lines in the configuration file are as follows:

# Technically, privsep can be set to anything but no
UsePrivilegeSeparation sandbox
GSSAPIKeyExchange yes
AuthenticationMethods publickey,keyboard-interactive:pam gssapi-keyex

From the debug log on the server side:

debug1: userauth-request for user eashwar service ssh-connection method gssapi-keyex [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method gssapi-keyex [preauth]
debug3: mm_request_send entering: type 48 [preauth]
debug3: mm_request_receive_expect entering: type 49 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_request_send entering: type 49
debug3: mm_request_send entering: type 46 [preauth]
debug3: mm_request_receive_expect entering: type 47 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 46
Authorized to eashwar, krb5 principal eash...@example.com (krb5_kuserok)
debug3: mm_answer_gss_userok: sending result 1
debug3: mm_request_send entering: type 47
debug3: auth2_update_methods_lists: updating methods list after "gssapi-with-mic"
auth2_update_methods_lists: method not in AuthenticationMethods
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 5349

From what I traced through the source code, it seems like 'mm_answer_gss_userok' in monitor.c is invoked for gssapi-with-mic and gssapi-keyex via the 'PRIVSEP(ssh_gssapi_userok(...))' calls, but always sets 'auth_method' to gssapi-with-mic.
I am working on a patch to address this by passing the auth method name to mm_answer_gss_userok through the buffer that it receives, but perhaps you have a better idea?

Regards,
Eashwar Ranganathan

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  dpkg                   1.17.27
ii  init-system-helpers    1.22
ii  libc6                  2.19-18+deb8u7
ii  libcomerr2             1.42.12-2+b1
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
ii  libkrb5-3              1.12.1+dfsg-19+deb8u2
ii  libpam-modules         1.1.8-3.1+deb8u2
ii  libpam-runtime         1.1.8-3.1+deb8u2
ii  libpam0g               1.1.8-3.1+deb8u2
ii  libselinux1            2.3-2
ii  libssl1.0.0            1.0.1t-1+deb8u6
ii  libwrap0               7.6.q-25
ii  lsb-base               4.1+Debian13+nmu1
ii  openssh-client         1:6.7p1-5+deb8u3
ii  openssh-sftp-server    1:6.7p1-5+deb8u3
ii  procps                 2:3.3.9-9
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  5.9+20140913-1
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded
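
The failure described in this report, as an added example that is not part of the original message and is not OpenSSH source: a simplified C model of matching a completed method name against the head of each AuthenticationMethods list. The function names and return codes are hypothetical; the two lists are the reporter's configuration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSH source. Names and return codes are hypothetical. */
enum { NOT_LISTED = -1, PARTIAL = 0, COMPLETE = 1 };

/* Remove `method` if it is the first entry of a comma-separated list
 * (a ":submethod" suffix on the entry, e.g. ":pam", is ignored here). */
static int remove_head(char *list, const char *method)
{
    size_t l = strlen(method);
    if (strncmp(list, method, l) != 0)
        return 0;
    if (list[l] == ':')
        l += strcspn(list + l, ",");
    if (list[l] != '\0' && list[l] != ',')
        return 0;                       /* only a prefix matched */
    if (list[l] == ',')
        l++;
    memmove(list, list + l, strlen(list + l) + 1);
    return 1;
}

/* Apply one successful method to every list. An emptied list means
 * authentication is complete; no match at all is the fatal case. */
static int update_lists(char lists[][64], int n, const char *method)
{
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (!remove_head(lists[i], method))
            continue;
        found = 1;
        if (lists[i][0] == '\0')
            return COMPLETE;
    }
    return found ? PARTIAL : NOT_LISTED;
}

/* Reporter's AuthenticationMethods value, updated with the method name
 * that the monitor reports after a successful GSSAPI user check. */
int simulate(const char *reported_method)
{
    char lists[2][64] = { "publickey,keyboard-interactive:pam", "gssapi-keyex" };
    return update_lists(lists, 2, reported_method);
}

int main(void)
{
    printf("with-mic: %d, keyex: %d\n", simulate("gssapi-with-mic"), simulate("gssapi-keyex"));
    return 0;
}
```

In this model a keyex login reported under the name gssapi-with-mic matches neither list, which corresponds to the "method not in AuthenticationMethods" line in the log, while the same login reported as gssapi-keyex empties the second list.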