Hi,

I'm running OpenSSH 3.8 & 3.9, compiled against Heimdal 0.6.3 for its GSSAPI & AFS integration.

A couple weeks ago, we upgraded our MIT KDC from (ugh) Kerberos 5 1.0.6 to the latest and greatest 1.3.5. However, it seems that as part of the upgrade, our GSSAPI credentials passing in OpenSSH stopped working. Actually, it didn't completely stop... You can still do a GSSAPI-based logon to the same machine, e.g.

  machine1> ssh machine1

works.

  machine1> ssh machine2

doesn't. Weirdo, eh?

I'm pretty familiar with the Kerb APIs, however, not so much with the GSSAPI stuff; however, the GSSAPI routines seem to obfuscate what's going on at the Kerb level, so it's hard to tell what's going on.

Any takers?

--
Robert Banz (banz at umbc.edu)
UMBC Office of Information Technology
(410) 455-3933 fax: (410) 455-1065
* Robert Banz [2004-10-25 12:42:30 -0400]:

> I'm running OpenSSH 3.8 & 3.9, compiled against Heimdal 0.6.3 for its
> GSSAPI & AFS integration.
>
> A couple weeks ago, we upgraded our MIT KDC from (ugh) Kerberos 5 1.0.6
> to the latest and greatest 1.3.5. However, it seems that as part of
> the upgrade, our GSSAPI credentials passing in OpenSSH stopped working.

[...]

> I'm pretty familiar with the Kerb APIs, however, not so much with the
> GSSAPI stuff; however, the GSSAPI routines seem to obfuscate what's
> going on at the Kerb level, so it's hard to tell what's going on.

There are still a few things you can do to facilitate debugging:

1. Look at your credentials cache before and after the authentication attempt. Did you get a valid ticket for host/re.mo.te ?

2. Run sshd -ddd and ssh -vvv against each other, capturing the output at both ends. This may help you figure out whether the problem is client- or server-side.

3. Read the KDC's logs.

4. Capture the actual packets between the ssh client and the KDC. With a little practice, one can read the hex dumps directly (at least the cleartext portions; that should be enough for this purpose). Some versions of tcpdump may have good enough Kerberos parsing support to save you even this trouble.

Have you tried using the fully-qualified domain name of the remote host? Your symptoms may well denote a DNS problem.
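Step 1 of the reply (compare the credential cache before and after the attempt, and check for a host/ ticket) and the closing DNS remark can be turned into a small check. The script below is an added example, not code from either poster: it parses klist-style output in the MIT column layout (an assumption; Heimdal's klist prints a different header and date format), reports which service tickets a login attempt added, and distinguishes "no host ticket at all" from "a host ticket for a different name than the one the server expects", which is the symptom a hostname canonicalization or DNS mismatch produces. The cache listings, hostnames and realm are constructed for illustration.

```shell
#!/bin/sh
# Added example: diagnose the credential cache around a GSSAPI ssh attempt.
# Constructed klist output (MIT layout) from before the ssh attempt ...
BEFORE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
10/25/04 12:30:00  10/25/04 22:30:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

# ... and after "ssh machine2". Here the client canonicalized the name to
# machine2.example.org and obtained a host/ ticket for it (constructed).
AFTER='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
10/25/04 12:30:00  10/25/04 22:30:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
10/25/04 12:31:05  10/25/04 22:30:00  host/machine2.example.org@EXAMPLE.ORG'

# principals LISTING
# Print the service principal of every ticket line. Ticket lines are
# recognized by a leading MM/DD/YY date; header lines are skipped.
principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ { print $NF }'
}

# new_tickets BEFORE AFTER
# Print the service principals present in AFTER but not in BEFORE, i.e.
# what the authentication attempt actually fetched from the KDC.
new_tickets() {
    for p in $(principals "$2"); do
        principals "$1" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# check_host_ticket LISTING FQDN REALM
# Exit status: 0 = host/FQDN@REALM is in the cache,
#              1 = no host/ ticket at all (client never asked the KDC, or
#                  the request failed; look at the KDC log),
#              2 = a host/ ticket exists but for a different name (the
#                  client canonicalized the hostname to something other
#                  than what the server's keytab holds; check DNS/FQDN).
check_host_ticket() {
    want="host/$2@$3"
    hosts=$(principals "$1" | grep '^host/')
    [ -n "$hosts" ] || return 1
    printf '%s\n' "$hosts" | grep -qxF "$want" && return 0
    return 2
}

# Stand-alone usage: report what the attempt added and whether it matches
# the name the server is expected to have in its keytab.
new_tickets "$BEFORE" "$AFTER"
check_host_ticket "$AFTER" machine2.example.org EXAMPLE.ORG
echo "check_host_ticket exit status: $?"
```

On a real host, replace the constructed listings with `klist` run before and after `ssh -vvv`; an exit status of 2 from `check_host_ticket` is the case where trying the fully-qualified name, as the reply suggests, is the first thing to do.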