problem setting up ssh-krb5 from Debian Sarge

Wes Chow wes at woahnelly.net
Fri Oct 22 16:50:28 EDT 2004


I'm trying to get kerberized ssh going for my Debian Sarge system.
Kerberized telnet works fine.  When I try to log in with ssh:


wchow@helmsley:~/.ssh$ klist
Ticket cache: FILE:/tmp/krb5cc_p1116
Default principal: wchow@D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/22/04 15:58:24  10/23/04 01:58:24  krbtgt/D2702.ATHENACR.COM@D2702.ATHENACR.COM
10/22/04 15:58:30  10/23/04 01:58:24  host/helmsley.dev.in.athenacr.com@D2702.ATHENACR.COM
10/22/04 16:43:50  10/23/04 01:58:24  host/jack.dev.in.athenacr.com@D2702.ATHENACR.COM


Kerberos 4 ticket cache: /tmp/tkt_1
Principal: wchow@D2702.ATHENACR.COM

  Issued              Expires             Principal
  10/22/04 15:50:20  10/22/04 23:30:20  krbtgt.D2702.ATHENACR.COM@D2702.ATHENACR.COM
wchow@helmsley:~/.ssh$ ssh helmsley
Read from remote host helmsley: Connection reset by peer
Connection to helmsley closed.




And on the server side:

helmsley:~# sshd -d
debug1: sshd version OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-6 Debian_krb5 3.6.1p2-6
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.0.13 port 32804
debug1: Client protocol version 2.0; client software version OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-6 Debian_krb5 3.6.1p2-6
debug1: match: OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-6 Debian_krb5 3.6.1p2-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-6 Debian_krb5 3.6.1p2-6
debug1: permanently_set_uid: 100/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: GSSAPI mechanism Kerberos (gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==) supported
debug1: GSSAPI mechanism Kerberos (gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==) supported
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: using GSSAPI mechanism Kerberos (gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==)
debug1: Wait SSH2_MSG_GSSAPI_INIT
debug1: Got no client credentials
debug1: gss_complete
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user wchow service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "wchow"
Failed none for wchow from 192.168.0.13 port 32804 ssh2
debug1: userauth-request for user wchow service ssh-connection method external-keyx
debug1: attempt 1 failures 1
debug1: PAM setting rhost to "helmsley.dev.in.athenacr.com"
Authorized to wchow, krb5 principal wchow@D2702.ATHENACR.COM (krb5_kuserok)
Accepted external-keyx for wchow from 192.168.0.13 port 32804 ssh2
PAM rejected by account configuration[9]: Authentication service cannot retrieve authentication info.
debug1: PAM establishing creds
Failed gssapi for wchow from 192.168.0.13 port 32804 ssh2
monitor_read: unsupported request: 38
debug1: Calling cleanup 0x8067710(0x0)



I don't know how to read any of this output, so some clues would be
greatly appreciated...

Thanks,
Wes

-- 
http://www.woahnelly.net/~wes/          OpenPGP key = 0xA5CA6644
fingerprint = FDE5 21D8 9D8B 386F 128F  DF52 3F52 D582 A5CA 6644

