Hi Sam,

On Tue, Nov 30, 2010 at 10:25:57AM -0500, Sam Hartman wrote:
> The 1.9 packages just made their way into experimental.
> I'd expect that
> aptitude -t experimental install libkrb5-3 libgssapi-krb5-2
> 
> would work and not bring any scary dependencies in.  If it does look
> scary, rebuild the experimental packages for squeeze.

It simply works that way, yes.

> Then you need to set KRB5_TRACE in the environment to some file that
> sshd can write to.  Note that may be kind of tricky as I suspect sshd
> sanitizes its environment.

I can tell that sshd does not put that much effort into sanitizing its
environment. It really is as simple as:

KRB5_TRACE=/tmp/somefile /etc/init.d/ssh restart

This was the easy part. I had more difficulties with tracking down the
problem though.

In a recent mail I said that the error message (auth.log) changed to
"Wrong principal in request". This was due to the kdc and ssh server having
different ideas about kvno. After solving this the "No such file or
directory" message from the initial report is back.

The trace file does contain a lot more information than the auth.log.
However, only success seems to be worth reporting. A typical login
attempt produces the following lines:

[25580] 1291716395.795091: Retrieving host/someserver.f...@realm.domain.example from WRFILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/success
[25580] 1291716395.829385: Retrieving host/someserver.f...@realm.domain.example from WRFILE:/etc/krb5.keytab (vno 6, enctype des3-cbc-sha1) with result: 0/success
[25580] 1291716395.829555: Decrypted AP-REQ with specified server principal host/someserver.f...@realm.domain.example: des3-cbc-sha1/D924
[25580] 1291716395.829577: AP-REQ ticket: gro...@realm.domain.example -> host/someserver.f...@realm.domain.example, session key aes256-cts/1039

So the ssh server successfully decrypts the part relayed from the tgs.
Reading the source I can see that the authenticator part is only
decrypted after the "AP-REQ ticket: ..." message, so we have no clue
about whether this actually happens.

Do you have any ideas I could pursue before debugging the code with
print statements?

Thanks in advance

Helmut
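The following is an added example, not part of the bug report or of the krb5 or OpenSSH code: a small reader for a KRB5_TRACE file of the kind sshd writes when KRB5_TRACE is set as described above. It joins trace records that a mail client has soft-wrapped, lists every keytab lookup with its kvno, enctype and result code, and records the last AP-REQ stage that appears for each sshd child pid, so that a failed lookup (for instance a kvno the keytab does not hold) or a stage that never shows up stands out. The sample trace, the principal names and the failing result line are constructed for the example; the trace line format and the message wording are taken from the lines quoted in the mail.

```python
"""Summarise a KRB5_TRACE file written by sshd's Kerberos library.

Added example; the sample trace below is constructed (principals, the second
pid and its failing lookup are not from the original report).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One trace record: "[pid] seconds.micros: message"
TRACE_LINE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<msg>.*)$")

# Keytab lookup record, as quoted in the mail.  vno 0 / enctype 0 is the
# library's "any kvno, any enctype" probe; a later lookup names the kvno the
# ticket was encrypted with, which is where a kvno mismatch would surface.
KEYTAB_LOOKUP = re.compile(
    r"Retrieving (?P<principal>\S+) from (?P<keytab>\S+) "
    r"\(vno (?P<vno>\d+), enctype (?P<enctype>[^)]+)\) "
    r"with result: (?P<code>-?\d+)/(?P<text>.*)$"
)

# AP-REQ processing stages in the order the trace reports them.
STAGES = ("Decrypted AP-REQ", "AP-REQ ticket:")

# Constructed sample: pid 25580 succeeds; pid 25581 asks for a kvno the
# keytab does not contain (result code and text are constructed values).
SAMPLE_TRACE = """\
[25580] 1291716395.795091: Retrieving host/server.example.com@EXAMPLE.COM 
from WRFILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/success
[25580] 1291716395.829385: Retrieving host/server.example.com@EXAMPLE.COM 
from WRFILE:/etc/krb5.keytab (vno 6, enctype des3-cbc-sha1) with result: 
0/success
[25580] 1291716395.829555: Decrypted AP-REQ with specified server principal 
host/server.example.com@EXAMPLE.COM: des3-cbc-sha1/D924
[25580] 1291716395.829577: AP-REQ ticket: alice@EXAMPLE.COM -> 
host/server.example.com@EXAMPLE.COM, session key aes256-cts/1039
[25581] 1291716450.112233: Retrieving host/server.example.com@EXAMPLE.COM 
from WRFILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/success
[25581] 1291716450.113000: Retrieving host/server.example.com@EXAMPLE.COM 
from WRFILE:/etc/krb5.keytab (vno 7, enctype des3-cbc-sha1) with result: 
-1765328203/Key table entry not found
"""


@dataclass
class TraceEvent:
    pid: int
    timestamp: float
    message: str


@dataclass
class Summary:
    lookups: List[dict] = field(default_factory=list)
    failures: List[dict] = field(default_factory=list)
    last_stage: Optional[str] = None


def unwrap(text: str) -> List[str]:
    """Join physical lines that do not start a new "[pid]" record.

    Mail clients soft-wrap long trace lines; a continuation line never
    starts with "[pid]", so it is glued onto the previous record.
    """
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if TRACE_LINE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1].rstrip() + " " + line.lstrip()
    return records


def parse_trace(text: str) -> List[TraceEvent]:
    events = []
    for rec in unwrap(text):
        m = TRACE_LINE.match(rec)
        if m:
            events.append(TraceEvent(int(m["pid"]), float(m["ts"]), m["msg"]))
    return events


def summarize_by_pid(events: List[TraceEvent]) -> Dict[int, Summary]:
    """Group events per sshd child and extract lookups, failures and stage."""
    out: Dict[int, Summary] = {}
    for ev in events:
        s = out.setdefault(ev.pid, Summary())
        m = KEYTAB_LOOKUP.search(ev.message)
        if m:
            entry = {"principal": m["principal"], "keytab": m["keytab"],
                     "vno": int(m["vno"]), "enctype": m["enctype"],
                     "code": int(m["code"]), "text": m["text"]}
            s.lookups.append(entry)
            if entry["code"] != 0:
                s.failures.append(entry)
            continue
        for stage in STAGES:
            if ev.message.startswith(stage):
                s.last_stage = stage
    return out


if __name__ == "__main__":
    for pid, s in summarize_by_pid(parse_trace(SAMPLE_TRACE)).items():
        print(f"pid {pid}: {len(s.lookups)} keytab lookup(s), "
              f"{len(s.failures)} failed, last stage: {s.last_stage}")
        for f in s.failures:
            print(f"  vno {f['vno']} {f['enctype']}: {f['code']}/{f['text']}")
```

Run against a real trace file by passing its contents to parse_trace instead of SAMPLE_TRACE. A pid whose lookups all succeed but whose last stage is "AP-REQ ticket:" has got as far as the trace in this krb5 version can show, which is exactly the blind spot the mail describes; a pid with a non-zero lookup result points at the keytab (kvno or enctype) rather than at the authenticator.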
