
SSH2 and Heimdal



I am trying to set up Kerberos for my network here, and am hitting something of 
a barrier. Currently I have:

Debian Testing: heimdal-kerberos 0.6
			ssh-krb5 3.8.1p1-5

OpenBSD 3.6: ssh 3.9

Debian is running the kdc, kpasswdd and kadmind. I have init'd the realm 
UNIX.SUBATOMIC.LOCAL and it is the default realm for these systems. kinit 
works fine for both; they can both get tickets.

When I ssh from a user that is locally logged on to the Debian machine, it 
goes through fine; sshd -d shows it accepts the Kerberos auth. However, when 
I ssh from the OpenBSD machine into the Debian one, it prompts me for a 
password. Now there are 2 errors going on: one is a PAM auth failure (I have 
no idea why it fails for the local user too); the second is that 
GSSAPI-with-mic works for the local user, but not a remote one; it dies with:

debug1: Received some client credentials
GSSAPI MIC check failed

If anyone can give me any pointers, this is my first time setting something up 
like this. The telnetd supplied with heimdal works just fine.

sshd -d shows this, after a successful login by supplying a password:

debug1: PAM: initializing for "sbrown"
debug1: PAM: setting PAM_RHOST to "messenia.unix.subatomic.local"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for sbrown from 192.168.1.11 port 24355 ssh2
debug1: userauth-request for user sbrown service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 1
Postponed gssapi-with-mic for sbrown from 192.168.1.11 port 24355 ssh2
debug1: Received some client credentials
GSSAPI MIC check failed
Failed gssapi-with-mic for sbrown from 192.168.1.11 port 24355 ssh2
debug1: userauth-request for user sbrown service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=sbrown devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for sbrown from 192.168.1.11 port 24355 ssh2
Postponed keyboard-interactive/pam for sbrown from 192.168.1.11 port 24355 ssh2
Accepted keyboard-interactive/pam for sbrown from 192.168.1.11 port 24355 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug1: Ignoring unsupported tty mode opcode 11 (0xb)
debug1: Ignoring unsupported tty mode opcode 17 (0x11)
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: restore_uid: 0/0
debug1: PAM: setting PAM_TTY to "/dev/pts/2"
debug1: PAM: establishing credentials
debug1: Setting controlling tty using TIOCSCTTY.
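
Added example, not part of the original post: a small Python parser that reduces sshd -d output of the shape shown above to one outcome per authentication method, keeping the error line logged just before a failure. The sample lines are constructed from the log format in the post, and the function names and the rule for rejoining mail-wrapped lines are assumptions of this example.

```python
import re

# Constructed sample in the shape of the sshd -d output above, including
# two lines that the mail client wrapped onto a second line.
SAMPLE = """\
Failed none for sbrown from 192.168.1.11 port 24355 ssh2
debug1: userauth-request for user sbrown service ssh-connection method
gssapi-with-mic
Postponed gssapi-with-mic for sbrown from 192.168.1.11 port 24355 ssh2
debug1: Received some client credentials
GSSAPI MIC check failed
Failed gssapi-with-mic for sbrown from 192.168.1.11 port 24355 ssh2
Postponed keyboard-interactive/pam for sbrown from 192.168.1.11 port 24355
ssh2
Accepted keyboard-interactive/pam for sbrown from 192.168.1.11 port 24355 ssh2
"""

RESULT = re.compile(r"^(Failed|Postponed|Accepted) (\S+) for (\S+) from (\S+) port (\d+)")
# Assumption: a new sshd message starts with "debugN: ", "error: " or a capital
# letter; anything else is the wrapped tail of the previous line.
NEW_MESSAGE = re.compile(r"^(debug\d: |error: |[A-Z])")

def unwrap(text):
    """Rejoin wrapped lines so each list element is one sshd message."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if out and not NEW_MESSAGE.match(line):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def summarise(text):
    """Map each auth method to its last outcome and, on failure, the
    non-debug line logged immediately before the "Failed" record."""
    methods, last_plain = {}, None
    for line in unwrap(text):
        m = RESULT.match(line)
        if m:
            outcome, method = m.group(1), m.group(2)
            reason = last_plain if outcome == "Failed" else None
            methods[method] = {"outcome": outcome, "reason": reason}
            last_plain = None
        elif not line.startswith("debug"):
            last_plain = line
    return methods

if __name__ == "__main__":
    for method, info in summarise(SAMPLE).items():
        print(method, info["outcome"], info["reason"] or "")
```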