OK, here is my limited understanding of the issues. OpenSSH only supports
KRB5 using protocol 1 out of the box. The support for protocol 2 is
via the GSS-API protocol that is still in IETF until March of next year.
Simon Wilkinson from England does the code port for this (but his site
seems to have died today for some reason).

Now here is the other problem: the commercial version of SSH uses
its own mechanism to authenticate via SSH in the early 3.0 series. This
work was done by a fellow at Sandia by the name of Glen Machin(sp). I
have heard this uses a completely different method that isn't ported to
OpenSSH at all. I have also heard that it isn't included in the latest
SSH.com code either, but I do not know much beyond that.

So for your case at Sandia, I think you will have to try
ssh -1 to your server to see if Kerberos will work.

On Tue, 2002-10-22 at 15:31, Phil wrote:
>
> I built openssh 3.5p1 with (--with-kerberos5=DIR) krb5-1.2.6 and
> openssl 0.9.6g on RedHat 7.2 and been trying to get it to talk with a
> commercial ssh, identified in the ssh -v output snippet below:
>
> .
> .
> .
> debug1: Remote protocol version 1.99, remote software version 3.0.1 F-SECURE SSH SNL1.0
> debug1: match: 3.0.1 F-SECURE SSH SNL1.0 pat 3.0.*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.5p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> .
> .
> .
> but it fails near the end like this:
>
> .
> .
> .
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue: kerberos-tgt-2@ssh.com,kerberos-1@ssh.com,password,hostbased
> debug1: no more auth methods to try
> Permission denied (kerberos-tgt-2@ssh.com,kerberos-1@ssh.com,password,hostbased).
> debug1: Calling cleanup 0x80641a4(0x0)
>
>
> I've put
>
> KerberosAuthentication yes
>
> into ssh_config.
>
> I'm not an expert, so any advice about what I'm missing would be
> greatly appreciated.
>
> TIA.
>
--
Stephen John Smoogen smoogen at lanl.gov
Los Alamos National Labrador CCN-2 B-Schedule PH:
Ta-03 SM-261 MailStop P208 DP 17U Los Alamos, NM 87545
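
Added example (not part of the original thread, and not OpenSSH code): a small Python parser for ssh -v output like the trace quoted above, which splits the userauth methods the server offers into ones the client can speak and vendor-private name@domain extensions. The sample log is constructed from the quoted lines, and CLIENT_METHODS is an assumed set of protocol 2 methods for the client build.

```python
import re

# Constructed sample: lines shaped like the ssh -v output quoted in the thread.
SAMPLE_LOG = """\
debug1: Remote protocol version 1.99, remote software version 3.0.1 F-SECURE SSH SNL1.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: authentications that can continue: kerberos-tgt-2@ssh.com,kerberos-1@ssh.com,password,hostbased
debug1: no more auth methods to try
"""

# Assumption: the protocol 2 userauth methods this client build can speak.
CLIENT_METHODS = {"publickey", "password", "keyboard-interactive", "hostbased"}

REMOTE_RE = re.compile(r"Remote protocol version (\S+), remote software version (.+)")
AUTH_RE = re.compile(r"authentications that can continue: (.+)")

def analyze(log, client_methods=CLIENT_METHODS):
    """Summarise what the server offered versus what the client can attempt."""
    report = {"remote_protocol": None, "remote_software": None,
              "offered": [], "usable": [], "vendor_private": [], "unsupported": []}
    for line in log.splitlines():
        # Drop mail quoting ("> ") so a trace pasted from a reply parses too.
        line = line.lstrip("> ").strip()
        m = REMOTE_RE.search(line)
        if m:
            report["remote_protocol"] = m.group(1)
            report["remote_software"] = m.group(2).strip()
        m = AUTH_RE.search(line)
        if m:
            # Mail archives rewrite "@" as " at "; undo that before splitting.
            names = m.group(1).replace(" at ", "@").split(",")
            report["offered"] = [n.strip() for n in names if n.strip()]
    for method in report["offered"]:
        if method in client_methods:
            report["usable"].append(method)
        elif "@" in method:
            # name@domain marks a vendor-defined extension, not a standard name.
            report["vendor_private"].append(method)
        else:
            report["unsupported"].append(method)
    # A 1.x banner (including 1.99, "both protocols") means ssh -1 can be tried.
    proto = report["remote_protocol"]
    report["protocol1_available"] = proto is not None and proto.startswith("1.")
    return report

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
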