Problems connecting to Solaris 10 SSH from GSSAPI-keyex patchedOpenssh 4.2p1

Nicolas Williams Nicolas.Williams at sun.com
Mon Sep 26 11:44:49 EDT 2005 

On Mon, Sep 26, 2005 at 11:15:51AM -0400, Rob See wrote:
> Hi,

The folks who run this list will probably tell you to send this kind of
post to kerberos at mit.edu instead of krbdev at mit.edu.

> 	I'm having problems connecting to Solaris 10 SSH from Openssh 4.2p1 
> patched with Simon Wilkinson's gssapi-keyex patch or the Globus GSSAPI 
> patch. Openssh is compiled against kerberos 1.4.2. The connections fail 
> if I have a current kerberos ticket. The stock Openssh connects ok, but 
> the ticket doesn't get passed from one machine to another. Below are the 
> Openssh Client logs and the Solaris SSH Server logs. Does anyone have 
> any suggestions on how I might get this working  ?

See below.

> OpenSSH_4.1p1 NCSA_GSSAPI_20050526 KRB5, OpenSSL 0.9.7a Feb 19 2003
...
> debug2: kex_parse_kexinit: 
> gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
...
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: 
> gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

So GSS keyex using the Kerberos V mechanism is negotiated.

...
> debug1: Calling gss_init_sec_context
> debug1: Received KEXGSS_HOSTKEY
> debug1: Calling gss_init_sec_context
> debug1: A token was invalid
> No error
> 
> gss_init_context failed

This seems odd -- your client got a ticket, tokens were exchanged, but
there was a problem with the token sent back by the server.  It's not
likely to have been corrupted (certainly not on the wire), so it must be
something else.

> Server log:
> debug1: sshd version Sun_SSH_1.1
...
> debug1: Wait SSH2_MSG_GSSAPI_INIT
> debug1: gss_complete

The server thinks everything went fine and sent back a reply token.

> debug1: dh_gen_key: priv key bits set: 121/256
> debug1: bits set: 525/1024
> debug1: bits set: 530/1024
> debug2: kex_derive_keys
> debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> Write failed: Broken pipe

Then the client went away.

Is it possible that the client is choking on the KEXGSS_HOSTKEY message?

I think you might want to ask Simon Wilkinson.

Nico
--

More information about the Kerberos mailing list