Problem with MIT Kerberos v1.4, OpenSSH 3.9p1 and Active Directory

Sam Evans wintrmte at
Thu Feb 10 12:53:26 EST 2005


I seem to have run into a road block getting my Linux machines to 
authenticate against AD when coming in through OpenSSH.

First, let me start off my listing what my environmnet is:

Test Client:
* RHEL Linux
* MIT Kerboros v1.4
* OpenSSH v3.9p1 - Compiled using the following line:
./configure --with-tcp-wrappers --with-pam 
--with-kerberos5=/usr/kerberos --with-md5-passwords --prefix=/usr 

Active Directory:
* Windows 2003

Scenario 1:

If I use my local account and password, I can get into the machine OK. I 
know that OpenSSH is functioning properly.  At this point, if I do a 
'kinit' I can successfully authenticate myself against AD and obtain my 
Keberos5 ticket.

Scenario 2:

If I change my account information to require that authentication take 
place using Kerberos, then I get the following error from the ssh daemon:

debug1: Kerberos password authentication failed: ASN.1 encoding ended 

-- What I have been able to determine at this point is that if I remove 
my userid from the multitude of groups that it belongs to in AD, then I 
*can* successfully authenticate myself when I come in through OpenSSH, 
using Kerberos.

-- If I place myself back into the same groups, I cannot authenticate 
myself and get the above error.

In doing some reading, it appears as if I need to force TCP usage in the 
MIT Kerberos, which I have done.  Everything still works when I do 
'kinit' but nothing has changed in regards to OpenSSH authentication 

Anyone have any thoughts or suggestions?


More information about the Kerberos mailing list