Hello All,
I noticed some different behaviour of GSSAPI Authentication mechanism in SSH
and like to know the reasons for such behaviour.
If I try GSSAPI auth for a user whose principal is not stored in KDC, the
GSSAPI auth method is tried 2 times and it fails. If the user is stored in
KDC and not having valid credentials, then SSHD tries GSSAPI one time and
fails. The interesting part of this scenario is that client requests two
time GSSAPI auth. whether the user is stored in KDC or not and this can be
seen in the following debug,
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
But why there is difference in behaviour of SSHD based on the users
availability in KDC? It would be very much helpful to know the reasons for
such a behaviour.
Thanks,
Senthil Kumar.
