Dear developers,

to my previous post I have some additional info. I just erased all the krb5 data and set it up from scratch. Now the message in sshd debug changed to:

debug1: Miscellaneous failure (see text)
Decrypt integrity check failed
debug1: Got no client credentials
Failed gssapi-with-mic for komanek ....

So it seems the problem is somewhere in the kerberos, not in openssh. Is there anybody on the list who can confirm this?

Thanks in advance,

David Komanek

original post follows:

Dear developers,

I am already playing with openssh + heimdal krb5 + gssapi on Tru64Unix 5.1a and Irix 6.5.20, but without much success. The worst problem I experience is the following:

- gethostbyname on tru64unix returns short host name instead of fqdn.

But even if I overcome this problem by appending the domain name to the lname variable in gss-genr.c file and get over this problem, gss-api does not work well. If the hostname is in fqdn format and is accepted by gssapi and I run the daemon on tru64unix as

./sshd -p 2222 -d -d -d

I get the following:

debug2: input_userauth_request: try method gssapi-with-mic
debug3: entering: type 37
debug3: entering: type 38
debug3: entering
debug3: : checking request 37
debug3: entering: type 38
debug3: entering
Postponed gssapi-with-mic for komanek from xxx.xxx.xxx.xxx port 57083 ssh2

Where should I search for the problem - in OpenSSH code or in Heimdal code? What does this "postpone" actually mean? It seems very strange to me, because if the sshd server is running on another platform than tru64unix, it works. I already "upgraded" to latest snapshots of both openssh and heimdal with no progress in this.

Thanks in advance.

Sincerely,

David Komanek
Charles University in Prague
Czech Republic

On Mon, 26 Jan 2004, David Komanek wrote:

> Dear developers,
>
> to my previous post I have some additional info. I just erased all the
> krb5 data and set it up from scratch. Now the message in sshd debug
> changed to:
>
> debug1: Miscellaneous failure (see text)
> Decrypt integrity check failed
> debug1: Got no client credentials
> Failed gssapi-with-mic for komanek ....

Do note "gssapi-with-mic" is different from the original "gssapi" and they will not communicate with each other.

- Ben

> Do note "gssapi-with-mic" is different from the original "gssapi" and
> they will not communicate with each other.

I guessed it and I use ssh on client and server side exactly the same version/snapshot. The problem persists even if I am sshing from host B to B (despite the A-B-C naming in my previous post).

David

On Mon, 26 Jan 2004, David Komanek wrote:

> to my previous post I have some additional info. I just erased all the
> krb5 data and set it up from scratch. Now the message in sshd debug
> changed to:

Have you verified that Kerberos itself is working? Do other Kerberized applications work correctly?

Cheers,

Simon.

Yes, Kerberos itself is working fine - I can get tickets etc. But I have no other app using gss api - only openssh.

David

> On Mon, 26 Jan 2004, David Komanek wrote:
>
>> to my previous post I have some additional info. I just erased all the
>> krb5 data and set it up from scratch. Now the message in sshd debug
>> changed to:
>
> Have you verified that Kerberos itself is working? Do other Kerberized
> applications work correctly?
>
> Cheers,
>
> Simon.