Hi Simon,
thank you for your patch!
>
> : is there any way to debug what is going on between GSS level and
> : underlying KerberosV?
>
> Not that I'm aware of - the GSS code for OpenSSH reports as much
> information that it can. If anyone knows of a portable way of finding
> out more, please let me know and I'll add it to the code...
Sorry, I was wrong.. I've found something from the debug outputs
(thanks to David for the tips)..
Could you please have a look at these outputs (please see below)..
>
> : I can do "kinit" on all machines, so Kerberos is working.. But for
> : some machines, sshd reports :
>
> I've seen similar traces from people that eventually ended up being clock
> skew issues - are the clocks on your KDC, client and server reasonably in
> sync?
It's true.. I have seen some postings from other people with the same
debug output. They solved the problem by syncing clocks between machines.
But our clocks are in sync on all machines - the difference is a fraction
of a second.
So here are some outputs.. Probably all the outputs are not needed,
but I copied almost all.
So, I made 2 scenarios :
1) I've tried to connect from machine DENIS (OS sol8) to host
LOGHOST (OS sol7) by using OpenSSH + KerberosV - it was working by using
Kerb auth.
2) I've tried to connect from machine DENIS (OS sol8) to host
BEATRICE (OS sol7) by using OpenSSH + KerberosV - it wasn't working by
using Kerb auth.
SCENARIO 1:
**************************************
output from server side LOGHOST (sshd -d -d -d -p 24) :
------------------------------------------------------
debug1: sshd version OpenSSH_2.9p2
debug1: private host key: #0 type 0 RSA1
debug3: No RSA1 key file /etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: No RSA1 key file /etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 24 on 0.0.0.0.
Server listening on 0.0.0.0 port 24.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 10.41.65.121 port 9339
debug1: Client protocol version 2.0; client software version
OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.9p2
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: Wait SSH2_MSG_GSSAPI_INIT
debug1: Received some client credentials
debug1: gss_complete
debug1: dh_gen_key: priv key bits set: 120/256
debug1: bits set: 478/1024
debug1: bits set: 531/1024
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user slava service ssh-connection method
none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for slava
debug2: input_userauth_request: try method none
Failed none for slava from 10.41.65.121 port 9339 ssh2
debug1: userauth-request for user slava service ssh-connection method
external-keyx
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method external-keyx
Accepted external-keyx for slava from 10.41.65.121 port 9339 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 32768 max
16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug2: callback start
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request pty-req
reply 0
debug1: session_pty_req: session 0 alloc /dev/pts/1
debug2: tty_parse_modes: SSH2 n_bytes 266
debug2: tty_parse_modes: ospeed 9600
debug2: tty_parse_modes: ispeed 9600
debug2: tty_parse_modes: 1 3
debug2: tty_parse_modes: 2 28
debug2: tty_parse_modes: 3 8
debug2: tty_parse_modes: 4 21
debug2: tty_parse_modes: 5 4
debug2: tty_parse_modes: 6 0
debug2: tty_parse_modes: 7 0
debug2: tty_parse_modes: 8 17
debug2: tty_parse_modes: 9 19
debug2: tty_parse_modes: 10 26
debug2: tty_parse_modes: 11 25
debug2: tty_parse_modes: 12 18
debug2: tty_parse_modes: 13 23
debug2: tty_parse_modes: 14 22
debug2: tty_parse_modes: 16 0
debug2: tty_parse_modes: 18 15
debug2: tty_parse_modes: 30 0
debug2: tty_parse_modes: 31 0
debug2: tty_parse_modes: 32 0
debug2: tty_parse_modes: 33 0
debug2: tty_parse_modes: 34 0
debug2: tty_parse_modes: 35 0
debug2: tty_parse_modes: 36 1
debug2: tty_parse_modes: 37 0
debug2: tty_parse_modes: 38 1
debug2: tty_parse_modes: 39 0
debug2: tty_parse_modes: 40 0
debug2: tty_parse_modes: 41 1
debug2: tty_parse_modes: 50 1
debug2: tty_parse_modes: 51 1
debug2: tty_parse_modes: 52 0
debug2: tty_parse_modes: 53 1
debug2: tty_parse_modes: 54 1
debug2: tty_parse_modes: 55 1
debug2: tty_parse_modes: 56 0
debug2: tty_parse_modes: 57 0
debug2: tty_parse_modes: 58 0
debug2: tty_parse_modes: 59 1
debug2: tty_parse_modes: 60 1
debug2: tty_parse_modes: 61 1
debug2: tty_parse_modes: 62 0
debug2: tty_parse_modes: 70 1
debug2: tty_parse_modes: 71 0
debug2: tty_parse_modes: 72 1
debug2: tty_parse_modes: 73 0
debug2: tty_parse_modes: 74 0
debug2: tty_parse_modes: 75 0
debug2: tty_parse_modes: 90 1
debug2: tty_parse_modes: 91 1
debug2: tty_parse_modes: 92 0
debug2: tty_parse_modes: 93 0
debug2: callback done
debug2: callback start
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request shell
reply 0
debug1: fd 12 setting O_NONBLOCK
debug1: fd 11 IS O_NONBLOCK
debug2: callback done
debug1: Received SIGCHLD.
debug3: tvp!=NULL kid 1 mili 100
debug1: session_by_pid: pid 13619
debug1: session_exit_message: session 0 channel 0 pid 13619
debug1: session_exit_message: release channel 0
debug1: channel 0: write failed
debug1: channel 0: output open -> closed
debug1: channel 0: close_write
debug1: session_pty_cleanup: session 0 release /dev/pts/1
debug1: session_free: session 0 pid 13619
debug1: channel 0: read<=0 rfd 12 len 0
debug1: channel 0: read failed
debug1: channel 0: input open -> drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain -> closed
debug1: channel 0: send eof
debug1: channel 0: send close
debug2: channel 0: no data after CLOSE
debug1: channel 0: rcvd close
debug2: channel 0: no data after CLOSE
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are
open:
#0 server-session (t4 r0 i8/0 o128/0 fd -1/-1)
Connection closed by remote host.
debug1: removing gssapi cred file"/tmp/krb5cc_1000_M13619"
Closing connection to 10.41.65.121
debug1: writing PRNG seed to file //.ssh/prng_seed
SCENARIO 2:
**************************************
output from server side BEATRICE (sshd -d -d -d -p 24) :
------------------------------------------------------
debug1: sshd version OpenSSH_2.9p2
debug1: private host key: #0 type 0 RSA1
debug3: No RSA1 key file /etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: No RSA1 key file /etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 24 on 0.0.0.0.
Server listening on 0.0.0.0 port 24.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 10.41.65.121 port 9337
debug1: Client protocol version 2.0; client software version
OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.9p2
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: Miscellaneous failure
debug1: Unknown code z 0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 135/256
debug1: bits set: 1015/2049
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1074/2049
debug2: ssh_rsa_sign: done
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user slava service ssh-connection method
none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for slava
debug2: input_userauth_request: try method none
Failed none for slava from 10.41.65.121 port 9337 ssh2
debug1: userauth-request for user slava service ssh-connection method
external-keyx
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method external-keyx
debug1: No suitable client data
Failed external-keyx for slava from 10.41.65.121 port 9337 ssh2
debug1: userauth-request for user slava service ssh-connection method
gssapi
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method gssapi
debug1: Miscellaneous failure
debug1: Unknown code z 0
Failed gssapi for slava from 10.41.65.121 port 9337 ssh2
I see that I have some failure in the 2nd case :
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: Miscellaneous failure
debug1: Unknown code z 0
debug1: SSH2_MSG_KEXINIT sent
And after I see that LOGHOST didn't support "gss keys" (sorry for
my stupid terminology):
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
In the 1st scenario it was :
debug2: kex_parse_kexinit:
gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
Could you please tell me what is wrong?! I don't have enough
knowledge about crypto schemes.. It's a kind of black magic for me ;)
Thank you very much!
with best regards,
Slava Rimdenok
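A small log check, added here as an example and not part of Slava's mail or Simon's GSSAPI patch: it reads an `sshd -d -d -d` trace like the two above, re-joins the `kex_parse_kexinit:` values the mailer wrapped onto the next line, reports which kex methods each side proposed, and notes whether a "Miscellaneous failure" was logged before sshd sent its KEXINIT. It assumes, as in OpenSSH's kex.c, that the first proposal dumped is sshd's own and the second the client's; `SAMPLE` is a constructed, shortened excerpt of the BEATRICE trace.

```python
import re

# Constructed, shortened excerpt of the failing BEATRICE trace above (middle
# proposal fields dropped); long values wrapped onto the next line as in the mail.
SAMPLE = """\
debug1: Miscellaneous failure
debug1: Unknown code z 0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==,diffie-hellman-group-exchange-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
"""

def unwrap(lines):
    """Re-join a 'kex_parse_kexinit:' line whose value the mailer wrapped onto the next line."""
    out = []
    for line in lines:
        if out and out[-1].endswith("kex_parse_kexinit:") and not line.startswith("debug"):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def analyze(log_text):
    """Kex methods each side proposed, plus whether sshd logged a GSS failure before
    KEXINIT.  Assumption (OpenSSH kex.c order): first proposal is sshd's own, second the client's."""
    lines = unwrap(log_text.splitlines())
    sent = next((i for i, l in enumerate(lines) if "KEXINIT sent" in l), len(lines))
    report = {"failure_before_kexinit": any("Miscellaneous failure" in l for l in lines[:sent])}
    proposals, cur = [], []
    for l in lines:
        m = re.match(r"debug2: kex_parse_kexinit: ?(.*)$", l)
        if m and m.group(1).startswith("reserved"):
            proposals.append(cur); cur = []   # 'reserved' closes one side's proposal
        elif m:
            cur.append(m.group(1))
    for side, prop in zip(("server", "client"), proposals):
        kex = prop[0].split(",") if prop else []
        report[side] = {"kex": kex, "offers_gss": any(k.startswith("gss-") for k in kex)}
    report["gss_kex_possible"] = all(report.get(s, {}).get("offers_gss") for s in ("server", "client"))
    return report
```

On the BEATRICE excerpt the server side proposes no `gss-*` method while the client does, so GSS key exchange cannot be negotiated and the client falls through to the later userauth attempts seen in the trace.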