Problem solved. Cause: time skew. Kerberos doesn't work when the two
machines' clocks are off by more than some number (5?) of minutes.
The "kadmin" program can tell when this has happened. When I tried to
run "kadmin" from the broken machine, it said:
"kadmin: Clock skew too great in KDC reply while initializing kadmin
interface"
Neither ssh nor sshd gives any clue what the problem is... I wonder if
it would be possible to detect and report this error on either end?
Somehow I doubt I'll be the last person to forget to make sure ntpd is
running after a reboot.
Eric
On Tue, Jul 24, 2001 at 05:32:33PM -0500, Eric Seppanen wrote:
> I've been installing OpenSSH 2.9p2 onto several RedHat Linux machines,
> after compiling in the GSSAPI/Kerberos5 patch from here:
> http://www.sxw.org.uk/computing/patches/openssh.html
>
> I've been using ssh both to let users in via passwords and Kerberos
> tickets, and both have been working fine...
>
> except for one irritating machine, which (for no good reason I can see)
> fails when using kerberos tickets. (it works fine when using
> passwords.) This is a Red Hat 7.1 machine, and the failure is:
> (the user sees:)
> [eds@ike eds]$ ssh hulk
> Connection closed by 208.24.105.2
>
> (the server log reads:)
> Jul 24 16:37:41 hulk sshd[25687]: fatal: gss_accept_context died
>
> (if I run sshd -d I see:)
> Connection from 208.24.105.19 port 2847
> debug1: Client protocol version 2.0; client software version OpenSSH_2.9p2
> debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_2.9p2
> debug1: Rhosts Authentication disabled, originating port not trusted.
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: Wait SSH2_MSG_GSSAPI_INIT
> debug1: Miscellaneous failure
> debug1: Unknown code z 0
> debug1: Got no client credentials
> gss_accept_context died
> debug1: Calling cleanup 0x8068fe0(0x0)
>
>
> I've built source and binary RPMS. Anyone interested can find them at
> http://www.reric.net/linux/openssh/
>
> Anyone have any ideas what's wrong?
>
> Eric
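
Added example, not part of the original thread or of OpenSSH: a pre-flight check for the clock skew named as the cause above. It measures the local clock against an NTP server with one SNTP exchange and flags an offset beyond 300 seconds, the MIT Kerberos default `clockskew`. The function names, the server name `ntp.example.org` and the sample reply are constructed for illustration, and the check assumes the KDC and the other hosts keep NTP time.

```python
import socket, struct, time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
KRB5_MAX_SKEW = 300           # MIT krb5 default "clockskew", in seconds

def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (two 32-bit words) to Unix time."""
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def clock_offset(reply, t1, t4):
    """Offset of the server clock relative to ours, in seconds.
    t1/t4 are local send/receive times; the reply carries the server's
    receive (t2) and transmit (t3) timestamps at bytes 32..47."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:   # mode 4 = server, stratum 0 = unusable
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2, t3 = ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)
    return ((t2 - t1) + (t3 - t4)) / 2

def check_skew(offset, limit=KRB5_MAX_SKEW):
    """Report whether Kerberos/GSSAPI authentication can be expected to work."""
    if abs(offset) > limit:
        return "FAIL: clock differs by %.0f s, Kerberos tolerates %d s" % (offset, limit)
    return "OK: clock differs by %.0f s" % offset

def query(server, timeout=3.0):
    """Send one SNTP request (LI=0, VN=4, mode=3) and return the offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(b"\x23" + 47 * b"\0", (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def sample_reply(server_unix_time):
    """Constructed 48-byte server reply for offline testing (not captured data)."""
    secs = int(server_unix_time) + NTP_EPOCH_DELTA
    return struct.pack("!BBbb11I", 0x24, 2, 0, -20, 0, 0, 0, 0, 0, 0, 0, secs, 0, secs, 0)

if __name__ == "__main__":
    local = 996014261.0                       # constructed local clock reading
    reply = sample_reply(local + 400)         # server is 400 s ahead of us
    print(check_skew(clock_offset(reply, local, local)))
    # On a live host: print(check_skew(query("ntp.example.org")))
```

Run from a boot script or a monitoring job, a FAIL result points at the clock before a user ever sees "Connection closed" from sshd.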