Hello,
The connection to OpenSSH is successful, while the connection to Gerrit (Apache
MINA SSHD-CORE-0.9.0.201311081) doesn't work. I made the same Kerberos
configuration for both SSH daemons.
I get the following exception saying that an appropriate key doesn't exist. In the
krb5.keytab file, this specific key is listed with "*host/******
(aes256-cts-hmac-sha1-96)*".
I am wondering why I get this exception, even though the key exists in
krb5.keytab and it is working with OpenSSH.
Maybe someone has run into the same issue and can give me some ideas on how to
resolve it. Thanks in advance!
Here is the stack trace from the thrown exception:
/GSSException: Failure unspecified at GSS-API level (Mechanism level:
*Invalid argument (400) - Cannot find key of appropriate type to decrypt AP
REP - AES256 CTS mode with HMAC SHA1-96*)
e = {org.ietf.jgss.GSSException@8822}"GSSException: Failure unspecified at
GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of
appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)"
major = 11
minor = -1
minorMessage = {java.lang.String@9019}"Invalid argument (400) - Cannot find
key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC
SHA1-96"
majorString = null
detailMessage = null
cause = {sun.security.krb5.KrbException@9020}"KrbException: Invalid argument
(400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS
mode with HMAC SHA1-96"
returnCode = 400
error = null
detailMessage = {java.lang.String@9027}"Cannot find key of appropriate type
to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96"
cause = {sun.security.krb5.KrbException@9020}"KrbException: Invalid argument
(400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS
mode with HMAC SHA1-96"
stackTrace = {java.lang.StackTraceElement[0]@9028}
suppressedExceptions =
{java.util.Collections$UnmodifiableRandomAccessList@9022} size = 0
stackTrace = {java.lang.StackTraceElement[27]@9021}
suppressedExceptions =
{java.util.Collections$UnmodifiableRandomAccessList@9022} size = 0
[0] =
{java.lang.StackTraceElement@8829}"sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)"
[1] =
{java.lang.StackTraceElement@8830}"sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)"
[2] =
{java.lang.StackTraceElement@8831}"sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)"
[3] =
{java.lang.StackTraceElement@8832}"org.apache.sshd.server.auth.gss.UserAuthGSS.doAuth(UserAuthGSS.java:148)"
[4] =
{java.lang.StackTraceElement@8833}"org.apache.sshd.server.auth.AbstractUserAuth.next(AbstractUserAuth.java:53)"
[5] =
{java.lang.StackTraceElement@8834}"org.apache.sshd.server.session.ServerSession.userAuth(ServerSession.java:456)"
[6] =
{java.lang.StackTraceElement@8835}"org.apache.sshd.server.session.ServerSession.handleMessage(ServerSession.java:212)"
[7] =
{java.lang.StackTraceElement@8836}"org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:587)"
[8] =
{java.lang.StackTraceElement@8837}"org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:253)"
[9] =
{java.lang.StackTraceElement@8838}"org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)"
[10] =
{java.lang.StackTraceElement@8839}"org.apache.sshd.common.io.mina.MinaService.messageReceived(MinaService.java:94)"
[11] =
{java.lang.StackTraceElement@8840}"org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)"
[12] =
{java.lang.StackTraceElement@8841}"org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)"
[13] =
{java.lang.StackTraceElement@8842}"org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)"
[14] =
{java.lang.StackTraceElement@8843}"org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)"
[15] =
{java.lang.StackTraceElement@8844}"org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)"
[16] =
{java.lang.StackTraceElement@8845}"org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)"
[17] =
{java.lang.StackTraceElement@8846}"org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)"
[18] =
{java.lang.StackTraceElement@8847}"org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)"
[19] =
{java.lang.StackTraceElement@8848}"org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)"
[20] =
{java.lang.StackTraceElement@8849}"org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)"
[21] =
{java.lang.StackTraceElement@8850}"org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)"
[22] =
{java.lang.StackTraceElement@8851}"org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)"
[23] =
{java.lang.StackTraceElement@8852}"org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)"
[24] =
{java.lang.StackTraceElement@8853}"java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)"
[25] =
{java.lang.StackTraceElement@8854}"java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)"
[26] =
{java.lang.StackTraceElement@8855}"java.lang.Thread.run(Thread.java:745)"/
plink verbose output with SSHD-CORE-0.9.0.201311081: (not working)
/Looking up host "*****"
Connecting to ****** port 33440
Server version: SSH-2.0-GerritCodeReview_2.9-rc1 (SSHD-CORE-0.9.0.201311081)
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.62_(Centrify_GSS_1.5)
Host name is resolved to *****
Using Kerberos authentication
Trying default credentials
Connecting Kerberos service host/*****
gss_init_sec_context: InitializeSecurityContext returns
SEC_I_CONTINUE_NEEDED:*****
Using principal *****@*****
Got host ticket host/*****@*****
Using principal *****@*****
Got host ticket host/*****@*****
Using Diffie-Hellman with standard group "group1"
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 1024 *****
Initialised AES-256 CBC client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 CBC server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
login as *****@*****
Userauth request for gssapi-with-mic
GSSAPI authentication rejected
Kerberos authentication failed. Please check
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD
Using SSPI from SECUR32.DLL
Attempting GSSAPI authentication
GSSAPI authentication initialised
GSSAPI authentication - bad server response
Disconnected: No supported authentication methods available (server sent:
gssapi-with-mic,publickey)/
plink verbose output with OpenSSH: (working)
/Looking up host "******"
Connecting to ****** port 22
Server version: SSH-2.0-OpenSSH_6.0
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.62_(Centrify_GSS_1.5)
Host name is resolved to ******
Using Kerberos authentication
Trying default credentials
Connecting Kerberos service host/******
gss_init_sec_context: InitializeSecurityContext returns
SEC_I_CONTINUE_NEEDED:******
Using principal ******@******
Got host ticket host/******@******
Using principal ******@******
Got host ticket host/******@******
Doing Kerberos authenticated Diffie-Hellman group exchange
Doing Kerberos authenticated Diffie-Hellman key exchange with hash SHA-1
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
login as ******@******
Userauth request for gssapi-keyex
GSSAPI authentication accepted
Successful Kerberos connection
Access granted
Opened channel for session/
--
View this message in context:
http://apache-mina.10907.n7.nabble.com/Kerberos-key-not-found-but-the-key-exists-in-krb5-keytab-file-it-s-working-with-OpenSSH-but-not-with-tp43037.html
Sent from the Apache MINA User Forum mailing list archive at Nabble.com.