
Solaris 10 delegated credentials fails sshd w/Heimdal KDC

Hello,
I don't know if this is a Heimdal problem with Solaris or just Solaris
10 in general.

I have a Heimdal KDC 0.7.2 using OpenLDAP backend 2.3.32 running on Red
Hat 4/U4. Clients are RedHat 3.0 u5/6/7/8 and 4.0 u4. They are all using
an updated sshd daemon, OpenSSH 4.5p1. These all work fine with logins,
and delegate credentials so that I can ssh box to box without supplying
a password.

The Solaris boxes use stock Sun sshd and gssapi/kerberos components.
From a Solaris 10 to any Red Hat box I get the same results. I can ssh
to a Solaris box, supply a password and gain access; klist lists the
principal ticket, shows flags and encryption type. If I try to ssh to
another Solaris box, I get a password prompt. Also, if I ssh to a
Solaris box from any Red Hat box, I get a password prompt.

from the client:
debug1: Calling gss_init_sec_context
debug1: ssh_gssapi_init_ctx(809f0d0, sol101cts, 1, 0, 8047ae0)
debug1: Delegating GSS-API credentials
debug3: ssh_gssapi_import_name: snprintf() returned 14, expected 15
debug1: Remote: Negotiated main locale: C
debug1: Remote: Negotiated messages locale: C
debug1: Received KEXGSS_HOSTKEY
debug1: Received GSSAPI_COMPLETE
debug1: Calling gss_init_sec_context
debug1: ssh_gssapi_init_ctx(809f0d0, sol101cts, 1, 8047ad8, 8047ae0)
debug1: Delegating GSS-API credentials
debug1: bits set: 525/1024
debug3: check_host_in_hostfile: filename /home/smitha/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /home/smitha/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'sol101cts' is known and matches the advertised RSA
hostkey.
debug1: Found key in /home/smitha/.ssh/known_hosts:2
debug2: kex_derive_keys
debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0
&& !0
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug2: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue:
gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: start over, passed a different list
gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: preferred
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: Authenticating with GSS-API context from key exchange (w/ MIC)
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentications that can continue:
gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: ssh_gssapi_init_ctx(809f0d0, sol101cts, 0, 0, 8047aa0)
debug3: ssh_gssapi_import_name: snprintf() returned 14, expected 15
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: ssh_gssapi_init_ctx(80fb878, sol101cts, 1, 0, 8047b00)
debug1: Delegating GSS-API credentials
debug3: ssh_gssapi_import_name: snprintf() returned 14, expected 15
debug1: ssh_gssapi_init_ctx(80fb878, sol101cts, 1, 8047ae8, 8047af0)
debug1: Delegating GSS-API credentials
debug1: Authentications that can continue:
gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method

On the server side:
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug1:
userauth-request for user smitha service ssh-connection method
gssapi-keyex
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug1:
attempt 1 initial attempt 0 failures 1 initial failures 0
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug2:
input_userauth_request: try method gssapi-keyex
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug2:
Mapping initiator GSS-API principal to local username
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug2:
Mapped the initiator to: smitha
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug2:
Starting PAM service sshd-gssapi for method gssapi-keyex
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug3:
Trying to reverse map address 10.11.99.94.
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.info] Failed
gssapi-keyex
for smitha from 10.11.99.94 port 32820 ssh2
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug1:
userauth-request for user smitha service ssh-connection method
gssapi-with-mic
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug1:
attempt 2 initial attempt 0 failures 2 initial failures 0
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug2:
input_userauth_request: try method gssapi-with-mic
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug1:
Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } (supported)
Feb 21 07:07:34 sol101cts sshd[2056]: [ID 800047 auth.debug] debug1:
Received delegated GSS credentials
Feb 21 07:07:34 sol101cts sshd[2056]: [ID 800047 auth.debug] debug2:
Mapping initiator GSS-API principal to local username
Feb 21 07:07:34 sol101cts sshd[2056]: [ID 800047 auth.debug] debug2:
Mapped the initiator to: smitha
Feb 21 07:07:34 sol101cts sshd[2056]: [ID 800047 auth.debug] debug2:
Starting PAM service sshd-gssapi for method gssapi-with-mic
Feb 21 07:07:35 sol101cts sshd[2056]: [ID 800047 auth.notice] Failed
gssapi-with-mic for smitha from 10.11.99.94 port 32820 ssh2

It seems like Solaris is not accepting delegated credentials. I've gone
round and round looking for an answer.

Any suggestions would be appreciated.

Kent N
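As an added triage helper (not from the post, nor from Solaris or Heimdal), the Python below re-joins the mail-wrapped Solaris sshd syslog records and summarizes, per userauth method, whether delegated GSS credentials were received and the PAM service was started before the Failed line; the sample log is constructed from the server-side excerpt above, and the field names are the helper's own.

```python
import re
# Constructed sample modelled on the Solaris sshd syslog excerpt in the post, wrapped as in the mail.
SAMPLE_LOG = """\
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug1: userauth-request
for user smitha service ssh-connection method gssapi-keyex
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug2: Starting PAM
service sshd-gssapi for method gssapi-keyex
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.info] Failed gssapi-keyex
for smitha from 10.11.99.94 port 32820 ssh2
Feb 21 07:07:32 sol101cts sshd[2056]: [ID 800047 auth.debug] debug1: userauth-request
for user smitha service ssh-connection method gssapi-with-mic
Feb 21 07:07:34 sol101cts sshd[2056]: [ID 800047 auth.debug] debug1: Received
delegated GSS credentials
Feb 21 07:07:34 sol101cts sshd[2056]: [ID 800047 auth.debug] debug2: Starting PAM
service sshd-gssapi for method gssapi-with-mic
Feb 21 07:07:35 sol101cts sshd[2056]: [ID 800047 auth.notice] Failed gssapi-with-mic
for smitha from 10.11.99.94 port 32820 ssh2
"""
HDR = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]+ \S+ sshd\[\d+\]: \[ID \d+ [\w.]+\] (?P<msg>.*)$")

def unwrap(text):
    # A line that carries no syslog header is a mail-wrapped continuation of the previous record.
    records = []
    for line in text.splitlines():
        if HDR.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records

def summarize_gss_auth(text):
    # Per userauth method: were delegation and the PAM start seen before the final verdict?
    summary, cur = {}, None
    for rec in unwrap(text):
        msg = HDR.match(rec).group("msg")
        req = re.search(r"userauth-request for user (\S+) .* method (\S+)", msg)
        if req:
            cur = summary.setdefault(req.group(2), {"user": req.group(1), "delegated": False,
                                                   "pam_started": False, "result": None, "src": None})
        elif cur is None:
            continue  # records before any userauth-request are ignored
        elif "Received delegated GSS credentials" in msg:
            cur["delegated"] = True
        elif "Starting PAM service" in msg:
            cur["pam_started"] = True
        else:
            fin = re.match(r"(Failed|Accepted) \S+ for \S+ from (\S+) port", msg)
            if fin:
                cur["result"], cur["src"] = fin.group(1), fin.group(2)
    return summary
```

Run against the sample, the summary shows that the gssapi-with-mic attempt got as far as receiving delegated credentials and starting PAM before failing, which places the failure after the GSS exchange rather than in it.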