problem setting up ssh-krb5 from Debian Sarge

dkuhl dkuhl at paritysys.net
Mon Oct 25 09:48:29 EDT 2004


	Yeah, it looks like the user account "wchow" doesn't exist on the 
remote machine, which seems odd since you said that the telnet works. 
But the line in your output:

debug1: Starting up PAM with username "wchow"
Failed none for wchow from 192.168.0.13 port 32804 ssh2

	... shows that PAM is failing this user log in.

D.


Sam Hartman wrote:
 > Your pam account stack is claiming that you are not authorized to log
 > in.







----------------
And on the server side:

helmsley:~# sshd -d
debug1: sshd version OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-6 Debian_krb5
3.6.1p2-6
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.0.13 port 32804
debug1: Client protocol version 2.0; client software version
OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-6 Debian_krb5 3.6.1p2-6
debug1: match: OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-6 Debian_krb5
3.6.1p2-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian_krb5
3.6.1p2-6 Debian_krb5 3.6.1p2-6
debug1: permanently_set_uid: 100/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: GSSAPI mechanism Kerberos
(gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==) supported
debug1: GSSAPI mechanism Kerberos
(gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==) supported
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: using GSSAPI mechanism Kerberos
(gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==)
debug1: Wait SSH2_MSG_GSSAPI_INIT
debug1: Got no client credentials
debug1: gss_complete
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user wchow service ssh-connection method
none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "wchow"
Failed none for wchow from 192.168.0.13 port 32804 ssh2
debug1: userauth-request for user wchow service ssh-connection method
external-keyx
debug1: attempt 1 failures 1
debug1: PAM setting rhost to "helmsley.dev.in.athenacr.com"
Authorized to wchow, krb5 principal wchow at D2702.ATHENACR.COM
(krb5_kuserok)
Accepted external-keyx for wchow from 192.168.0.13 port 32804 ssh2
PAM rejected by account configuration[9]: Authentication service
cannot retrieve authentication info.
debug1: PAM establishing creds
Failed gssapi for wchow from 192.168.0.13 port 32804 ssh2
monitor_read: unsupported request: 38
debug1: Calling cleanup 0x8067710(0x0)





David Kuhl
Parity Systems
dkuhl at paritysys.com
-----------------------
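Log triage for the server-side output above, as an added example that is not part of the original thread: it separates the routine "none" method probe from a real authentication failure and from the case in this log, where external-keyx is accepted and the PAM account stack then rejects the login. The function name `triage`, the stage labels and the re-joined sample lines are constructed here; the PAM code names are Linux-PAM's.

```python
import re

# Constructed sample: key lines from the sshd -d output quoted above,
# with the mail-wrapped lines re-joined.
SAMPLE_LOG = """\
Connection from 192.168.0.13 port 32804
debug1: userauth-request for user wchow service ssh-connection method none
debug1: Starting up PAM with username "wchow"
Failed none for wchow from 192.168.0.13 port 32804 ssh2
debug1: userauth-request for user wchow service ssh-connection method external-keyx
Authorized to wchow, krb5 principal wchow at D2702.ATHENACR.COM (krb5_kuserok)
Accepted external-keyx for wchow from 192.168.0.13 port 32804 ssh2
PAM rejected by account configuration[9]: Authentication service cannot retrieve authentication info.
debug1: PAM establishing creds
Failed gssapi for wchow from 192.168.0.13 port 32804 ssh2
"""

# Linux-PAM return codes (_pam_types.h) that an account stack commonly returns.
PAM_CODES = {6: "PAM_PERM_DENIED", 9: "PAM_AUTHINFO_UNAVAIL",
             10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}
RESULT = re.compile(r"^(Accepted|Failed) (\S+) for (\S+) from \S+ port \d+")
PAM_ACCT = re.compile(r"^PAM rejected by account configuration\[(\d+)\]")

def triage(log):
    """Return (stage, user, detail) tuples, one per decisive log line."""
    findings, accepted = [], None
    for line in log.splitlines():
        if line.startswith("Connection from"):
            accepted = None                 # new session, forget prior state
        m = RESULT.match(line)
        if m:
            verdict, method, user = m.groups()
            if verdict == "Accepted":
                accepted = (method, user)   # authentication itself succeeded
            elif method == "none":
                # Clients send "none" first to list the server's methods
                # (RFC 4252 section 5.2); this failure is expected.
                findings.append(("probe", user, "none"))
            elif accepted is None:
                findings.append(("authentication", user, method))
            continue
        m = PAM_ACCT.match(line)
        if m and accepted:
            name = PAM_CODES.get(int(m.group(1)), m.group(1))
            findings.append(("pam_account", accepted[1],
                             f"{accepted[0]} accepted, then {name}"))
    return findings
```

A `pam_account` finding points at the `account` lines of the sshd PAM service file rather than at Kerberos or the key exchange.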




