How to get sshd w/ Kerberos on Mac OSX working

Michael B Allen mba2000 at ioplex.com
Thu Jun 15 23:03:05 EDT 2006


On 15 Jun 2006 14:07:26 +0200
Noses <noses.nospam at noses.com> wrote:

> Watakushi no kioku ga tashika naraba, Michael B Allen <mba2000 at ioplex.com> wrote:
> > What do you have to do to get sshd to do Kerberos on Mac OSX?
> > 
> > The log messages are
> 
> not very interesting. What about doing ssh -vv <server> and check its
> output?

debug1: Host 'mini.foo.net' is known and matches the RSA host key.
debug1: Found key in /home/miallen/.ssh/known_hosts:7
debug2: bits set: 501/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/miallen/.ssh/identity ((nil))
debug2: key: /home/miallen/.ssh/id_rsa (0x8a7a678)
debug2: key: /home/miallen/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/miallen/.ssh/identity
debug1: Offering public key: /home/miallen/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug1: Trying private key: /home/miallen/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
miallen at mini.foo.net's password: 

I stopped sshd on the mac with 'service ssh stop' and then ran it in
debug mode with 'sudo sshd -D -dd'. That output is:

debug1: KEX done
debug1: userauth-request for user miallen service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for miallen
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 58
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 58
debug1: Starting up PAM with username "miallen"
debug3: Trying to reverse map address 192.168.2.16.
debug1: PAM setting rhost to "quark.foo.net"
debug2: monitor_read: 58 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for miallen from 192.168.2.16 port 33296 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for miallen from 192.168.2.16 port 33296 ssh2
debug3: mm_solaris_audit_bad_pw entering
debug3: mm_request_send entering: type 45
debug3: monitor_read: checking request 45
debug3: mm_answer_bad_pw
debug3: mm_request_receive entering
debug1: userauth-request for user miallen service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 34
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 35
debug3: mm_request_receive entering
debug3: monitor_read: checking request 34
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x305e10
debug1: trying public key file /Users/miallen/.ssh/authorized_keys
debug3: secure_filename: checking '/Users/miallen/.ssh'
debug3: secure_filename: checking '/Users/miallen'
debug3: secure_filename: terminating check at '/Users/miallen'
debug2: key not found
debug1: trying public key file /Users/miallen/.ssh/authorized_keys2
debug3: mm_answer_keyallowed: key 0x305e10 is disallowed
debug3: mm_request_send entering: type 35
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: mm_solaris_audit_bad_pw entering
debug3: mm_request_send entering: type 45
Failed publickey for miallen from 192.168.2.16 port 33296 ssh2
debug3: mm_solaris_audit_bad_pw entering
debug3: mm_request_send entering: type 45
debug3: monitor_read: checking request 45
debug3: mm_answer_bad_pw
debug3: mm_request_receive entering
debug3: monitor_read: checking request 45
debug3: mm_answer_bad_pw
debug3: mm_request_receive entering
debug1: userauth-request for user miallen service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=miallen devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices 
debug3: mm_solaris_audit_bad_pw entering
debug3: mm_request_send entering: type 45
Failed keyboard-interactive for miallen from 192.168.2.16 port 33296 ssh2
debug3: mm_solaris_audit_bad_pw entering
debug3: mm_request_send entering: type 45
debug3: monitor_read: checking request 45
debug3: mm_answer_bad_pw
debug3: mm_request_receive entering
debug3: monitor_read: checking request 45
debug3: mm_answer_bad_pw
debug3: mm_request_receive entering
Connection closed by 192.168.2.16

Here is the equivalent client output, but to a Linux server with which
Kerberos works.

debug1: Host 'nano.foo.net' is known and matches the RSA host key.
debug1: Found key in /home/miallen/.ssh/known_hosts:10
debug2: bits set: 521/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/miallen/.ssh/identity ((nil))
debug2: key: /home/miallen/.ssh/id_rsa (0x9600678)
debug2: key: /home/miallen/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
Last login: Wed Jun 14 14:56:39 2006 from quark.foo.net

So it seems the visible difference is that the "Authentications that
can continue" line chooses gssapi-with-mic whereas with the Mac Mini it
lists gssapi but publickey is chosen instead.

Is there an option to favor one method over another?

> > Any ideas?
> 
> Yes. Did you push the "kerberize this server" button on the server you want
> to log in to?

No. Where is that button exactly? This is just a mini with 10.3 BTW.

Mike

-- 
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
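As an added example, not part of this thread, here is a small parser for `ssh -vv` transcripts like the two quoted above. It pulls out the methods the server advertises, the methods the client actually attempts, and the one that succeeds, and flags the pattern visible in the Mac Mini log: the server lists `gssapi` but never `gssapi-with-mic`, and the client never attempts `gssapi`. The sample transcripts are constructed from lines quoted in the message.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes taken from the ssh -vv output quoted above.
OFFER_RE = re.compile(r"^debug1: Authentications that can continue: (.+)$")
NEXT_RE = re.compile(r"^debug1: Next authentication method: (\S+)$")
OK_RE = re.compile(r"^debug1: Authentication succeeded \((\S+)\)\.$")


@dataclass
class AuthSummary:
    offered: List[str] = field(default_factory=list)  # server's first offer
    tried: List[str] = field(default_factory=list)    # client attempts, in order
    succeeded: Optional[str] = None


def summarize(transcript: str) -> AuthSummary:
    """Extract offered/tried/succeeded methods from an ssh -vv transcript."""
    s = AuthSummary()
    for raw in transcript.splitlines():
        line = raw.strip()
        m = OFFER_RE.match(line)
        if m:
            if not s.offered:            # later offers repeat the same list
                s.offered = m.group(1).split(",")
            continue
        m = NEXT_RE.match(line)
        if m:
            s.tried.append(m.group(1))
            continue
        m = OK_RE.match(line)
        if m:
            s.succeeded = m.group(1)
    return s


def gssapi_name_mismatch(s: AuthSummary) -> bool:
    """True when the server advertises only the bare 'gssapi' method name
    and the client never attempts it, so GSSAPI is silently skipped."""
    return ("gssapi" in s.offered and "gssapi-with-mic" not in s.offered
            and "gssapi" not in s.tried)


# Constructed samples: a few lines copied from the two transcripts above.
MAC_TRANSCRIPT = """debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Authentications that can continue: gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Next authentication method: password
"""
LINUX_TRANSCRIPT = """debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
"""
```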