[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: incompatibility with solaris gssapi implementation?

I don't know which version of openssh you're using, but it might help  
to set the "PreferredAuthentications" option to "gssapi-with- 
mic, . . ." in ssh_config (or ~/.ssh/config).  Does your openssh  
support gssapi-with-mic, as opposed to just gssapi, as a userauth  
mechanism?  (man ssh_config).

SPNEGO is now a supported GSSAPI mechanism, but apparently not yet in  
the Solaris 10 gss implementation.  It lets you negotiate between  
NTLMv2 and Kerberos (and maybe some other, insecure things that  
shouldn't be implemented).

I don't know what configuration knobs you have for the gss  
implementation used on your client.  In theory, the Solaris 10 server  
should tell the client that it doesn't support SPNEGO as a gss  
mechanism and it should try plain Kerberos next.  That's assuming  
that it didn't try Kerberos first and then fall-back to SPNEGO as an  
alternative gss mechanism.  I'm also assuming that the gss  
negotiation/retry code on the client is correct.  (And that it's  
actually a gssapi problem as opposed to some fallout from an ssh  

On Aug 14, 2006, at 11:36 AM, Michael B Allen wrote:

> On Sat, 12 Aug 2006 20:41:15 +0200
> vadim <vadim.tarassov@swissonline.ch> wrote:
>> Hi all,
>> I am trying to ssh to solaris 10 box which runs sun's ssh with sun's
>> implementation of GSSAPI. As client I use openssh + heimdal 0.7.2.  
>> In the log
>> of the ssh daemon on solaris box I see following message:
>> "Client offered gssapi userauth with { 1 3 6 1 5 5 2 } (unsupported)"
>> At this moment all attempts to authenticate via gssapi-with-mic  
>> fail. Do you
>> know what is wrong?
> is SPNEGO. SPNEGO is a pseudo-mechanism used to
> negotiate a real mechanism (e.g. Kerberos). SPNEGO is used primarily
> for authenticating with Microsoft Windows servers. It's a little  
> strange
> that the client is even trying SPENGO because as the default mechanism
> is Kerberos. I believe one would have to explicitly specify SPNEGO  
> with
> GSSAPI client routines to provide SPNEGO behavior. Perhaps there's a
> config option that is set inappropriately.
> Mike
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu