Hello,
        We are in the process of converting as many of our apps as possible to
use Kerberos V.  Since we have been using SSH2 for a few years, it is
one of the items on our list.

        We've downloaded and compiled version 3.0.1 under Solaris 8.  We used
the --with-kerberos5 flag and things built fine.

        We've added "[EMAIL PROTECTED],[EMAIL PROTECTED]" to
'AllowedAuthentications' in sshd2_config on the server side. We also
added the host/name.domain principal to our K5 database (and extracted
it to a keytab) for the server we are connecting to.

        When we connect, the authentication succeeds in that we obtain
the proper service ticket which allows us to login to the server without
a password.  Unfortunately, our credentials do not get forwarded.  I've
included the entire debug session (from sshd2) below, but the critical
line appears to be:

debug: Ssh2AuthKerberosTgtServer/auths-kerberos-tgt.c:235/ssh_server_auth_kerberos_tgt: krb5_rd_priv -1765328346: Incorrect net address

It appears that the server side is unable to decrypt and extract the
credentials from the packet sent by the client.  I'm confident that the
credentials are okay (at least initially) on the client side because:

(A) I'm getting a service ticket for host/server when I connect
(B) I can use kerberized telnet and ftp to successfully establish
connections and forward the same credentials.

As I mentioned earlier, both client and server are running Solaris 8 and
I'm using MIT kerberos 5.1.2.

Can anybody give me some idea what is wrong here?

Thanks,


Mike


Full Debug Session
------------------
sshd2: SSH Secure Shell 3.0.1 (non-commercial version) on sparc-sun-solaris2.8
debug: SshHostKeyIO/sshhostkeyio.c:220/ssh_host_key_read_keys: Host key algorithms: ssh-dss
debug: Becoming server.
debug: Creating listener
debug: Listener created
debug: no udp listener created.
debug: Running event loop
debug: Sshd2/sshd2.c:1062/new_connection_callback: new_connection_callback
debug: Sshd2/sshd2.c:1214/new_connection_callback: Wrapping stream with ssh_server_wrap...
debug: ssh_server_wrap: creating transport protocol
debug: SshAuthMethodServer/sshauthmethods.c:118/ssh_server_authentication_initialize: Added "[EMAIL PROTECTED]" to usable methods.
debug: SshAuthMethodServer/sshauthmethods.c:118/ssh_server_authentication_initialize: Added "[EMAIL PROTECTED]" to usable methods.
debug: SshAuthMethodServer/sshauthmethods.c:118/ssh_server_authentication_initialize: Added "publickey" to usable methods.
debug: SshAuthMethodServer/sshauthmethods.c:118/ssh_server_authentication_initialize: Added "password" to usable methods.
debug: SshAuthMethodServer/sshauthmethods.c:133/ssh_server_authentication_initialize: Added "hostbased" to usable methods.
debug: SshAuthMethodServer/sshauthmethods.c:133/ssh_server_authentication_initialize: Added "[EMAIL PROTECTED]" to usable methods.
debug: ssh_server_wrap: creating userauth protocol
debug: Ssh2Common/sshcommon.c:496/ssh_common_wrap: local ip = 152.15.14.93, local port = 22
debug: Ssh2Common/sshcommon.c:498/ssh_common_wrap: remote ip = 152.15.13.15, remote port = 34656
debug: SshConnection/sshconn.c:1889/ssh_conn_wrap: Wrapping...
debug: Sshd2/sshd2.c:1232/new_connection_callback: done.
debug: new_connection_callback returning
debug: Remote version: SSH-1.99-3.0.1 SSH Secure Shell (non-commercial)
debug: Major: 3 Minor: 0 Revision: 1
debug: Ssh2Transport/trcommon.c:1717/ssh_tr_negotiate: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/trcommon.c:1783/ssh_tr_negotiate: c_to_s: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1786/ssh_tr_negotiate: s_to_c: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Sshd2/sshd2.c:593/auth_policy_proc: user 'jmmosley' service 'ssh-connection' client_ip '152.15.13.15' client_port '34656' completed ''
debug: Sshd2/sshd2.c:901/auth_policy_proc: output: [EMAIL PROTECTED],kerberos-t[EMAIL PROTECTED],publickey,password
debug: Ssh2AuthKerberosTgtServer/auths-kerberos-tgt.c:235/ssh_server_auth_kerberos_tgt: krb5_rd_priv -1765328346: Incorrect net address
debug: Sshd2/sshd2.c:593/auth_policy_proc: user 'jmmosley' service 'ssh-connection' client_ip '152.15.13.15' client_port '34656' completed ''
debug: Sshd2/sshd2.c:901/auth_policy_proc: output: [EMAIL PROTECTED],publickey,password
debug: Sshd2/sshd2.c:593/auth_policy_proc: user 'jmmosley' service 'ssh-connection' client_ip '152.15.13.15' client_port '34656' completed '[EMAIL PROTECTED]'
debug: Ssh2AuthServer/sshauths.c:335/success_completion_proc: no_more_needed=TRUE
debug: Ssh2Common/sshcommon.c:291/ssh_common_special: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:341/ssh_common_special: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: Ssh2Common/sshcommon.c:259/ssh_common_special: Received SSH_CROSS_AUTHENTICATED packet from connection protocol.
debug: Ssh2Common/sshcommon.c:718/ssh_common_new_channel: num_channels now 1
debug: Ssh2ChannelSession/sshchsession.c:1069/ssh_channel_session_exec: Allocating pty.
debug: SshTtyFlags/sshttyflags.c:505/ssh_decode_tty_flags: Not a tty. (fd = 8)







-- 

-------------------------------------
Mike Mosley  
Systems Software Developer 
College of Engineering, UNC-Charlotte
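
Added example, not part of the original message and not code from SSH Secure Shell: a small triage script that pulls the krb5 failure and the addresses sshd2 logged out of a debug session like the one above, and decodes the numeric code. It assumes the MIT krb5 convention that library codes are the error-table base -1765328384 plus the RFC 4120 error number; the names in the table are a subset from RFC 4120, and the function names are illustrative.

```python
import re

# MIT krb5 library codes are this table base plus the RFC 4120 error number.
KRB5_TABLE_BASE = -1765328384
# Subset of RFC 4120 protocol errors seen during AP exchanges (not exhaustive).
RFC4120_NAMES = {
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    34: "KRB_AP_ERR_REPEAT",
    37: "KRB_AP_ERR_SKEW",
    38: "KRB_AP_ERR_BADADDR",
}

# Constructed sample: three records taken from the debug session in the post,
# with line breaks of the kind a terminal and mail client introduce.
SAMPLE_LOG = """\
debug: Ssh2Common/sshcommon.c:496/ssh_common_wrap: local ip =
152.15.14.93, loca
l port = 22
debug: Ssh2Common/sshcommon.c:498/ssh_common_wrap: remote ip =
152.15.13.15, rem
ote port = 34656
debug:
Ssh2AuthKerberosTgtServer/auths-kerberos-tgt.c:235/ssh_server_auth_kerber
os_tgt: krb5_rd_priv -1765328346: Incorrect net address
"""

KRB5_RE = re.compile(r"(krb5_\w+) (-\d+): ([^\n]*)")
ADDR_RE = re.compile(r"(local|remote) ip =\s+([\d.]+)")  # \s+ spans a wrap


def decode_krb5_code(code):
    """Return (protocol_error_number, name) for an MIT krb5 library error code."""
    number = code - KRB5_TABLE_BASE
    return number, RFC4120_NAMES.get(number, "not in this subset")


def triage(log_text):
    """Collect the addresses sshd2 logged and every krb5 failure, decoded."""
    addrs = {side: ip for side, ip in ADDR_RE.findall(log_text)}
    failures = []
    for call, code, message in KRB5_RE.findall(log_text):
        number, name = decode_krb5_code(int(code))
        failures.append({"call": call, "error": number, "name": name,
                         "message": message.strip(), **addrs})
    return failures


if __name__ == "__main__":
    for failure in triage(SAMPLE_LOG):
        print(failure)
```

The local and remote addresses are reported next to the decoded error so they can be compared with the addresses carried in the client's credentials (klist -a with MIT Kerberos).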
