On Tue, Sep 6, 2011 at 10:12 AM, Greg Hudson <ghud...@mit.edu> wrote:
> On Tue, 2011-09-06 at 04:15 -0400, Mauricio Tavares wrote:
>> Now, when I try to ssh from externalbox to the kdc, it seems that
>> gssapi-with-mic isn't working:
>
> Usually the best way to debug auth problems with ssh is to
> run /path/to/sshd -d -p XXXX on the server and ssh -p XXXX on the
> client, for some alternate port number XXXX. The client doesn't usually
> know much about what went wrong and displays even less.
>
> If your server's Kerberos library is new enough (and is MIT krb5),
> setting KRB5_TRACE=/some/filename can provide a little more information
> on top of the debugging output. That can also work on the client, but
> is unlikely to be as useful there.
>

Thanks for the suggestions! For some reason I could not get the KRB5_TRACE to work (MIT Kerberos 1.8.4 is what I am using; probably ancient), but if you look at the output I got below, the message I got was "Wrong principal in request". Does that mean the host principal of the client (externalbox in my example)?

From sshd -d -p 10022:

Connection from 192.168.11.188 port 44630
debug1: Client protocol version 2.0; client software version OpenSSH_5.8p1 Debian-1ubuntu3
debug1: match: OpenSSH_5.8p1 Debian-1ubuntu3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
debug1: permanently_set_uid: 104/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user testuser service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "testuser"
debug1: PAM: setting PAM_RHOST to "192.168.11.188"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
Postponed gssapi-with-mic for testuser from 192.168.11.188 port 44630 ssh2
debug1: Unspecified GSS failure. Minor code may provide more information
Wrong principal in request
debug1: Got no client credentials
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 1

From /var/log/auth.log:

Sep 6 13:11:51 kdc sshd[14429]: debug1: private host key: #0 type 1 RSA
Sep 6 13:11:51 kdc sshd[14429]: debug1: read PEM private key done: type DSA
Sep 6 13:11:51 kdc sshd[14429]: debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
Sep 6 13:11:51 kdc sshd[14429]: debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
Sep 6 13:11:51 kdc sshd[14429]: debug1: private host key: #1 type 2 DSA
Sep 6 13:11:51 kdc sshd[14429]: debug1: read PEM private key done: type ECDSA
Sep 6 13:11:51 kdc sshd[14429]: debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256
Sep 6 13:11:51 kdc sshd[14429]: debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256
Sep 6 13:11:51 kdc sshd[14429]: debug1: private host key: #2 type 3 ECDSA
Sep 6 13:11:51 kdc krb5kdc[13460]: TGS_REQ (1 etypes {18}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18 ses=18}, testu...@domain.com for krbtgt/domain....@domain.com
Sep 6 13:13:19 kdc sshd[14466]: debug1: sshd version OpenSSH_5.8p1 Debian-1ubuntu3
Sep 6 13:13:19 kdc sshd[14466]: debug1: read PEM private key done: type RSA
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
Sep 6 13:13:19 kdc sshd[14466]: debug1: private host key: #0 type 1 RSA
Sep 6 13:13:19 kdc sshd[14466]: debug1: read PEM private key done: type DSA
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
Sep 6 13:13:19 kdc sshd[14466]: debug1: private host key: #1 type 2 DSA
Sep 6 13:13:19 kdc sshd[14466]: debug1: read PEM private key done: type ECDSA
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256
Sep 6 13:13:19 kdc sshd[14466]: debug1: private host key: #2 type 3 ECDSA
Sep 6 13:13:20 kdc krb5kdc[13460]: TGS_REQ (1 etypes {18}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18 ses=18}, testu...@domain.com for krbtgt/domain....@domain.com

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
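The debugging approach Greg describes (sshd -d on an alternate port, read together with the KDC's own log) produces two streams that have to be correlated by hand: sshd reports which userauth methods the client tried and the GSS major/minor status of the failed one, while krb5kdc reports which tickets it actually issued to that client address. The Python below is an added example, not code from this thread, from OpenSSH or from MIT krb5. It parses constructed copies of the lines posted above and turns them into a short finding list; the function names, the EXAMPLE.COM realm in the sample data, and the host principal passed to diagnose() are assumptions. The one fixed fact it relies on is that "Wrong principal in request" is libkrb5's text for KRB5KRB_AP_ERR_NOT_US, which krb5_rd_req returns when the server principal named in the presented ticket does not match an entry in the acceptor's keytab.

```python
"""Triage helper for sshd -d output and krb5kdc log lines (added example)."""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the posted "sshd -d -p 10022" output.
SSHD_DEBUG = """\
debug1: userauth-request for user testuser service ssh-connection method none
debug1: attempt 0 failures 0
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
Postponed gssapi-with-mic for testuser from 192.168.11.188 port 44630 ssh2
debug1: Unspecified GSS failure.  Minor code may provide more information
Wrong principal in request
debug1: Got no client credentials
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 1
"""

# Constructed sample: the two krb5kdc lines from the posted auth.log, with the
# archive's elided principals replaced by an assumed EXAMPLE.COM realm.
KDC_LOG = """\
Sep 6 13:11:51 kdc krb5kdc[13460]: TGS_REQ (1 etypes {18}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18 ses=18}, testuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 6 13:13:20 kdc krb5kdc[13460]: TGS_REQ (1 etypes {18}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18 ses=18}, testuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

USERAUTH_RE = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) failures (\d+)")
GSS_FAIL_RE = re.compile(r"Unspecified GSS failure")
# krb5kdc ISSUE lines end with "<client principal> for <server principal>".
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) .*? (?P<ip>\d+\.\d+\.\d+\.\d+): "
    r"(?P<status>\w+): .*?, (?P<client>\S+) for (?P<server>\S+)$"
)


def parse_sshd_debug(text):
    """Summarise sshd -d output: methods tried, worst failure count, GSS minor text."""
    methods = Counter()
    failures = 0
    gss_minor = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USERAUTH_RE.search(line)
        if m:
            methods[m.group(2)] += 1
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            failures = max(failures, int(m.group(2)))
            continue
        if GSS_FAIL_RE.search(line) and i + 1 < len(lines):
            # libkrb5 prints the minor-status text on the line after the major one.
            gss_minor.append(lines[i + 1].strip())
    return {"methods": dict(methods), "failures": failures, "gss_minor": gss_minor}


def parse_kdc_log(text):
    """Return (client_ip, client_principal, server_principal) for every ISSUE line."""
    issued = []
    for line in text.splitlines():
        m = KDC_RE.search(line)
        if m and m.group("status") == "ISSUE":
            issued.append((m.group("ip"), m.group("client"), m.group("server")))
    return issued


def diagnose(sshd_text, kdc_text, expected_host_principal):
    """Combine both views into findings (heuristic of this example, not OpenSSH's)."""
    ssh = parse_sshd_debug(sshd_text)
    issued = parse_kdc_log(kdc_text)
    findings = []
    if ssh["methods"].get("gssapi-with-mic") and "Wrong principal in request" in ssh["gss_minor"]:
        # KRB5KRB_AP_ERR_NOT_US: the ticket the client presented names a service
        # principal that sshd does not hold a key for in the keytab it read.
        findings.append("ticket presented to sshd does not match any keytab principal")
    service_tickets = sorted({s for _, _, s in issued if not s.startswith("krbtgt/")})
    if not service_tickets:
        findings.append("KDC log shows only krbtgt issued to this client, no service ticket")
    elif expected_host_principal not in service_tickets:
        findings.append("KDC issued service ticket(s) for %s, expected %s"
                        % (", ".join(service_tickets), expected_host_principal))
    return findings


if __name__ == "__main__":
    # Hypothetical host principal the sshd keytab would be expected to hold.
    for f in diagnose(SSHD_DEBUG, KDC_LOG, "host/kdc.example.com@EXAMPLE.COM"):
        print("finding:", f)
```

On the posted output the two findings line up: sshd rejected the presented ticket with the NOT_US minor code, and the KDC log shows only krbtgt being issued to 192.168.11.188 in the relevant window, so the next thing to compare is the service principal the client actually asked for against the principals in the server's keytab.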