Gssapi is failing at the following statement in sshconnect2.c, ok never gets set to 1:: ssh_gssapi_check_mechanism fails /* Check to see if the mechanism is usable before we offer it */ while (mech < gss_supported->count && !ok) { /* My DER encoding requires length<128 */ if (gss_supported->elements[mech].length < 128 && ssh_gssapi_check_mechanism(&gssctxt, &gss_supported->elements[mech], authctxt->host)) { ok = 1; /* Mechanism works */ } else { mech++; } } The debug errors are: debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information Unknown code debug1: Unspecified GSS failure. Minor code may provide more information Unknown code debug1: Unspecified GSS failure. Minor code may provide more information
4 servers all running various versions of OpenSuse and all have openssh5.2.p1 I have complete control on the configurations, including kerberos. RIght now I'd like to get gssapi working consistently and then move to implementing Russ Alberry's pam_krb5 module. For debugging I'l looking at krb5kdc.log on the krb5 server as well as strace of both openssh clients and servers. There needs to be better error messaging from openssh for sure. Should I upgrade all the servers to the same version of gssapi? server ookpik openSUSE 11.1 (x86_64) VERSION = 11.1 /usr/lib/libgssapi_krb5.so /usr/lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so.2.2 /usr/lib64/libgssapi_krb5.so /usr/lib64/libgssapi_krb5.so.2 /usr/lib64/libgssapi_krb5.so.2.2 /usr/lib64/sasl2/libgssapiv2.so /usr/lib64/sasl2/libgssapiv2.so.2 /usr/lib64/sasl2/libgssapiv2.so.2.0.22 server nuiqsut openSUSE 11.1 (i586) VERSION = 11.1 /usr/lib/libgssapi_krb5.so /usr/lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so.2.2 /usr/lib/sasl2/libgssapiv2.so /usr/lib/sasl2/libgssapiv2.so.2 /usr/lib/sasl2/libgssapiv2.so.2.0.22 server redcloud SUSE LINUX 10.1 (X86-64) VERSION = 10.1 /lib/modules/2.6.16.27-0.9-default/kernel/net/sunrpc/auth_gss/rpcsec_gss_krb5.ko /lib/modules/2.6.16.27-0.9-xen/kernel/net/sunrpc/auth_gss/rpcsec_gss_krb5.ko /lib/security/pam_krb5.so /lib/security/pam_krb5afs.so /lib64/security/pam_krb5 /lib64/security/pam_krb5.so /lib64/security/pam_krb5/pam_krb5_storetmp /lib64/security/pam_krb5afs.so /usr/lib/baselibs-32bit/bin/krb5-config /usr/lib/freeradius/rlm_krb5-1.1.0.so /usr/lib/freeradius/rlm_krb5.so /usr/lib/libgssapi_krb5.so /usr/lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so.2.2 /usr/lib/libkrb5.so /usr/lib/libkrb5.so.3 /usr/lib/libkrb5.so.3.2 /usr/lib/libkrb5support.so /usr/lib/libkrb5support.so.0 /usr/lib/libkrb5support.so.0.0 /usr/lib/mit/bin/krb5-config /usr/lib/mit/bin/krb524init /usr/lib/mit/sbin/krb5-send-pr /usr/lib64/libgssapi_krb5.so /usr/lib64/libgssapi_krb5.so.2 /usr/lib64/libgssapi_krb5.so.2.2 /usr/lib64/libkrb5.so /usr/lib64/libkrb5.so.3 /usr/lib64/libkrb5.so.3.2 /usr/lib64/libkrb5support.so /usr/lib64/libkrb5support.so.0 /usr/lib64/libkrb5support.so.0.0 /usr/lib64/postgresql/backup/libkrb5.so.17 server geronimo openSUSE 10.3 (X86-64) VERSION = 10.3 /usr/lib/libgssapi_krb5.so /usr/lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so.2.2 /usr/lib64/libgssapi.a /usr/lib64/libgssapi.la /usr/lib64/libgssapi.so /usr/lib64/libgssapi.so.2 /usr/lib64/libgssapi.so.2.0.0 /usr/lib64/libgssapi_krb5.so /usr/lib64/libgssapi_krb5.so.2 /usr/lib64/libgssapi_krb5.so.2.2 /usr/lib64/pkgconfig/libgssapi.pc /usr/lib64/sasl2/libgssapiv2.so /usr/lib64/sasl2/libgssapiv2.so.2 /usr/lib64/sasl2/libgssapiv2.so.2.0.22