On 15 Jun 2006 14:07:26 +0200
Noses <[EMAIL PROTECTED]> wrote:

> If my memory serves me right, Michael B Allen <[EMAIL PROTECTED]>
> wrote:
> > What do you have to do to get sshd to do Kerberos on Mac OSX?
> >
> > The log messages are
> > not very interesting.
>
> What about doing ssh -vv <server> and check its
> output?

debug1: Host 'mini.foo.net' is known and matches the RSA host key.
debug1: Found key in /home/miallen/.ssh/known_hosts:7
debug2: bits set: 501/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/miallen/.ssh/identity ((nil))
debug2: key: /home/miallen/.ssh/id_rsa (0x8a7a678)
debug2: key: /home/miallen/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/miallen/.ssh/identity
debug1: Offering public key: /home/miallen/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug1: Trying private key: /home/miallen/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
[EMAIL PROTECTED]'s password:

I stopped sshd on the mac with 'service ssh stop' and then ran it in debug mode with 'sudo sshd -D -dd'.
That output is:

debug1: KEX done
debug1: userauth-request for user miallen service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for miallen
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 58
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 58
debug1: Starting up PAM with username "miallen"
debug3: Trying to reverse map address 192.168.2.16.
debug1: PAM setting rhost to "quark.foo.net"
debug2: monitor_read: 58 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for miallen from 192.168.2.16 port 33296 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for miallen from 192.168.2.16 port 33296 ssh2
debug3: mm_solaris_audit_bad_pw entering
debug3: mm_request_send entering: type 45
debug3: monitor_read: checking request 45
debug3: mm_answer_bad_pw
debug3: mm_request_receive entering
debug1: userauth-request for user miallen service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 34
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 35
debug3: mm_request_receive entering
debug3: monitor_read: checking request 34
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x305e10
debug1: trying public key file /Users/miallen/.ssh/authorized_keys
debug3: secure_filename: checking '/Users/miallen/.ssh'
debug3: secure_filename: checking '/Users/miallen'
debug3: secure_filename: terminating check at '/Users/miallen'
debug2: key not found
debug1: trying public key file /Users/miallen/.ssh/authorized_keys2
debug3: mm_answer_keyallowed: key 0x305e10 is disallowed
debug3: mm_request_send entering: type 35
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: mm_solaris_audit_bad_pw entering
debug3: mm_request_send entering: type 45
Failed publickey for miallen from 192.168.2.16 port 33296 ssh2
debug3: mm_solaris_audit_bad_pw entering
debug3: mm_request_send entering: type 45
debug3: monitor_read: checking request 45
debug3: mm_answer_bad_pw
debug3: mm_request_receive entering
debug3: monitor_read: checking request 45
debug3: mm_answer_bad_pw
debug3: mm_request_receive entering
debug1: userauth-request for user miallen service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=miallen devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
debug3: mm_solaris_audit_bad_pw entering
debug3: mm_request_send entering: type 45
Failed keyboard-interactive for miallen from 192.168.2.16 port 33296 ssh2
debug3: mm_solaris_audit_bad_pw entering
debug3: mm_request_send entering: type 45
debug3: monitor_read: checking request 45
debug3: mm_answer_bad_pw
debug3: mm_request_receive entering
debug3: monitor_read: checking request 45
debug3: mm_answer_bad_pw
debug3: mm_request_receive entering
Connection closed by 192.168.2.16

Here is the equivalent client output but to a Linux server with which Kerberos works.

debug1: Host 'nano.foo.net' is known and matches the RSA host key.
debug1: Found key in /home/miallen/.ssh/known_hosts:10
debug2: bits set: 521/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/miallen/.ssh/identity ((nil))
debug2: key: /home/miallen/.ssh/id_rsa (0x9600678)
debug2: key: /home/miallen/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
Last login: Wed Jun 14 14:56:39 2006 from quark.foo.net

So it seems the visible difference is that the "Authentications that can continue" line chooses gssapi-with-mic whereas with the Mac Mini it lists gssapi but publickey is chosen instead. Is there an option to favor one method over another?

> > Any ideas?
>
> Yes. Did you push the "kerberize this server" button on the server you want
> to log in to?

No. Where is that button exactly? This is just a mini with 10.3 BTW.

Mike

--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
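
Added example, not part of the original message: a small parser for `ssh -vv` client output that lists which userauth methods each server advertised, which the client actually attempted, and which names appear on one server only. The function names `summarize` and `only_in` are hypothetical; the sample lines are excerpts of the two client transcripts in the message.

```python
import re

# Line formats as printed by the ssh client in the transcripts above.
ADVERTISED = re.compile(r"^debug1: Authentications that can continue: (\S+)")
ATTEMPT = re.compile(r"^debug1: Next authentication method: (\S+)")
SUCCESS = re.compile(r"^debug1: Authentication succeeded \(([^)]+)\)")

def summarize(client_log):
    """Collect advertised, attempted and successful userauth methods."""
    advertised, attempted, succeeded = [], [], None
    for line in client_log.splitlines():
        line = line.strip()
        if m := ADVERTISED.match(line):
            advertised += [n for n in m.group(1).split(",") if n not in advertised]
        elif m := ATTEMPT.match(line):
            if m.group(1) not in attempted:
                attempted.append(m.group(1))
        elif m := SUCCESS.match(line):
            succeeded = m.group(1)
    return {"advertised": advertised, "attempted": attempted, "succeeded": succeeded,
            "never_attempted": [n for n in advertised if n not in attempted]}

def only_in(a, b):
    """Methods that summary a lists as advertised and summary b does not."""
    return [n for n in a["advertised"] if n not in b["advertised"]]

# Excerpts of the two client transcripts in the message (Mac server, Linux server).
MAC_LOG = """\
debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/miallen/.ssh/id_rsa
debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: password
"""
LINUX_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).
"""

if __name__ == "__main__":
    mac, linux = summarize(MAC_LOG), summarize(LINUX_LOG)
    print("mac  :", mac)
    print("linux:", linux)
    print("mac only:", only_in(mac, linux), "linux only:", only_in(linux, mac))
```

On these excerpts the Mac server's `gssapi` entry is advertised but never attempted by the client, while the Linux server advertises the differently named `gssapi-with-mic`.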
