Public bug reported:

sshd is set up to authenticate using GSSAPI, but this never succeeds, falling back to any other configured authentication method. If all are forbidden, authentication fails without giving a useful reason.

On a local(!) system assume: user test exists, krb5 is running fine, PAM is set up to use krb5. After logging in:

% ssh -l test 192.168.1.111
$ klist
Ticket cache: FILE:/tmp/krb5cc_2023
Default principal: t...@test.de

Valid starting     Expires            Service principal
11/15/10 10:22:38  11/15/10 20:22:38  krbtgt/test...@test.de
        renew until 11/16/10 10:22:35

Now that I have a ticket, I expected to be automatically authenticated to log on to the very same server using ssh:

$ ssh 192.168.1.111
t...@192.168.1.111's password:

I am asked for the password! Bad. Same with "-v":

$ ssh -v 192.168.1.111
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.111 [192.168.1.111] port 22.
debug1: Connection established.
debug1: identity file /home/test/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/test/.ssh/id_rsa-cert type -1
debug1: identity file /home/test/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/test/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.111' is known and matches the RSA host key.
debug1: Found key in /home/test/.ssh/known_hosts:5
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied

debug1: Next authentication method: publickey
debug1: Offering public key: /home/test/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /home/test/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
t...@192.168.1.111's password:

Easy to see: GSSAPI is tried, but fails.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: openssh-server 1:5.5p1-4ubuntu4
ProcVersionSignature: Ubuntu 2.6.35-22.35-server 2.6.35.4
Uname: Linux 2.6.35-22-server x86_64
Architecture: amd64
Date: Mon Nov 15 10:13:10 2010
InstallationMedia: Ubuntu-Server 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: openssh

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug maverick

--
ssh does not authenticate against kerberos
https://bugs.launchpad.net/bugs/675448
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu.
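Added example, not part of the original bug report: a small triage script that walks `ssh -v` output like the trace above, groups the debug messages under the authentication method that produced them, and explains why each GSSAPI method was skipped. The function names and the wording of the explanations are assumptions of this example, and the sample input is constructed from the quoted trace.

```python
import ipaddress
import re

# Constructed sample: abridged from the `ssh -v` output quoted in the report.
SAMPLE = """\
debug1: Connecting to 192.168.1.111 [192.168.1.111] port 22.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: Next authentication method: publickey
debug1: Offering public key: /home/test/.ssh/id_rsa
debug1: Next authentication method: password
"""

def is_ip_literal(host):
    """True when the ssh target was given as an address, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def trace_auth(log):
    """Return (target, [(method, [messages])]) in the order ssh tried them."""
    target, attempts = None, []
    for raw in log.splitlines():
        line = re.sub(r"^debug\d: ", "", raw).strip()
        if m := re.match(r"Connecting to (\S+) \[", line):
            target = m.group(1)
        elif m := re.match(r"Next authentication method: (\S+)", line):
            attempts.append((m.group(1), []))
        elif line and attempts and not line.startswith("Authentications that"):
            attempts[-1][1].append(line)  # message belongs to current method
    return target, attempts

def gssapi_findings(log):
    """Explain each failed GSSAPI attempt found in the trace."""
    target, attempts = trace_auth(log)
    findings = []
    for method, msgs in attempts:
        if not method.startswith("gssapi"):
            continue
        if any("numeric host address" in m for m in msgs) and is_ip_literal(target):
            findings.append((method, f"target {target} is an IP literal, so the "
                             "client cannot map it to a Kerberos realm"))
        elif any("No valid Key exchange context" in m for m in msgs):
            findings.append((method, "key exchange was not GSSAPI-based"))
        elif msgs:
            findings.append((method, "; ".join(msgs)))
    return findings
```

Save the client output with `ssh -v host 2> trace.txt` and pass the file contents to `gssapi_findings`.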