John Marshall
2009-Sep-21 07:05 UTC
How to generate additional debug messages for sshd gssapi failures?
I'm trying to troubleshoot gssapi_with_mic authentication with OpenSSH
5.2p1 on FreeBSD 8.0.
If I run sshd with maximum debug "sshd -ddd" the most detail I get is:
GSSAPI MIC check failed
That comes from line 282 in auth2-gss.c
279 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
280 		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
281 	else
282 		logit("GSSAPI MIC check failed");
283
I think that's as much help as I can get from sshd. I'd like to add
some printf's to that else clause so that I can see the reason codes
returned by the gssapi routines. I'm not a programmer. Can anybody
give me any hints as to what to put here?
Is there any chance of enhancing the error reporting at that point in a
future release so that debug logging produces useful output?
Thank you for your help.
--
John Marshall
Jim Basney
2009-Sep-22 20:21 UTC
How to generate additional debug messages for sshd gssapi failures?
Maybe this will help with troubleshooting. It may require setting
UsePrivilegeSeparation no in sshd_config to get a useful error message.
Index: auth2-gss.c
===================================================================
RCS file: /cvs/openssh/auth2-gss.c,v
retrieving revision 1.19
diff -u -r1.19 auth2-gss.c
--- auth2-gss.c 2 Dec 2007 11:59:45 -0000 1.19
+++ auth2-gss.c 22 Sep 2009 20:17:11 -0000
@@ -278,8 +278,17 @@
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
- else
+ else {
+ char *errstr;
+ OM_uint32 maj,min;
+
logit("GSSAPI MIC check failed");
+ errstr=ssh_gssapi_last_error(gssctxt,&maj,&min);
+ if (errstr) {
+ debug("GSSAPI ERROR maj=%u, min=%u\n%s", maj, min, errstr);
+ xfree(errstr);
+ }
+ }
buffer_free(&b);
xfree(mic.value);
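Review bot: the status is read from the child's gssctxt with an unwrapped ssh_gssapi_last_error(gssctxt,&maj,&min), but the call that failed, ssh_gssapi_checkmic(), is wrapped in PRIVSEP() and ran in the monitor, so under privilege separation the child-side context carries no error to report; that is why the cover note has to ask for UsePrivilegeSeparation no. Either route the lookup through the monitor the same way the checkmic call is, or put the privsep limitation in a comment next to the call so the empty output is not mistaken for a second bug. Also, the format string in `debug("GSSAPI ERROR maj=%u, min=%u\n%s", maj, min, errstr);` embeds a newline, which yields a broken syslog record; log errstr with a second debug() instead. Minor style: `OM_uint32 maj,min;` and `errstr=ssh_gssapi_last_error(gssctxt,&maj,&min);` drop the spaces the surrounding code uses.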
John Marshall wrote:
> I'm trying to troubleshoot gssapi_with_mic authentication with OpenSSH
> 5.2p1 on FreeBSD 8.0.
>
> If I run sshd with maximum debug "sshd -ddd" the most detail I get is:
>
> GSSAPI MIC check failed
>
> That comes from line 282 in auth2-gss.c
>
> 279 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
> 280 		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
> 281 	else
> 282 		logit("GSSAPI MIC check failed");
> 283
>
> I think that's as much help as I can get from sshd. I'd like to add
> some printf's to that else clause so that I can see the reason codes
> returned by the gssapi routines. I'm not a programmer. Can anybody
> give me any hints as to what to put here?
>
> Is there any chance of enhancing the error reporting at that point in a
> future release so that debug logging produces useful output?
>
> Thank you for your help.
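The patch above logs the raw major status as "maj=%u", which is only useful if you can read the number. The following is an added example, not code from this thread or from OpenSSH: it decodes a GSS-API major status word into its three fields (calling error, routine error, supplementary info) using the layout from RFC 2744 section 3.9.1, so that a logged value such as 393216 can be read as GSS_S_BAD_MIC. The mask, offset and error-number constants are copied from that layout and assumed to match gssapi.h, which is deliberately not included so the block builds without a GSS-API library; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Decode a GSS-API major status word such as the "maj=%u" value the patch
 * logs. Per RFC 2744 3.9.1: bits 31..24 calling error, 23..16 routine error,
 * 15..0 supplementary info. Masks and offsets follow that layout and are
 * assumed to match gssapi.h, which is deliberately not included here.
 */
typedef uint32_t OM_uint32;

#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_CALLING_ERROR_MASK   0377u
#define GSS_C_ROUTINE_ERROR_MASK   0377u
#define GSS_C_SUPPLEMENTARY_MASK   0177777u
#define GSS_CALLING_ERROR(x) \
	((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x) \
	((x) & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) ((x) & GSS_C_SUPPLEMENTARY_MASK)
/* The test sshd applies: any calling or routine error bit means failure. */
#define GSS_ERROR(x) (GSS_CALLING_ERROR(x) | GSS_ROUTINE_ERROR(x))

/* Routine errors in RFC 2744 order, indexed by (maj >> 16) & 0xff. */
static const char *routine_names[] = {
	"GSS_S_COMPLETE", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME",
	"GSS_S_BAD_NAMETYPE", "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS",
	"GSS_S_BAD_MIC", "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT",
	"GSS_S_DEFECTIVE_TOKEN", "GSS_S_DEFECTIVE_CREDENTIAL",
	"GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE",
	"GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE",
	"GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN",
};
/* Calling errors, indexed by (maj >> 24) & 0xff; index 0 means none. */
static const char *calling_names[] = {
	"", "GSS_S_CALL_INACCESSIBLE_READ", "GSS_S_CALL_INACCESSIBLE_WRITE",
	"GSS_S_CALL_BAD_STRUCTURE",
};
/* Supplementary info is a bit set; bit i is supp_names[i]. */
static const char *supp_names[] = {
	"GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN", "GSS_S_OLD_TOKEN",
	"GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN",
};
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Name of the routine error in maj; NULL for a number the RFC does not define. */
const char *
gss_routine_error_name(OM_uint32 maj)
{
	unsigned n = GSS_ROUTINE_ERROR(maj) >> GSS_C_ROUTINE_ERROR_OFFSET;
	return n < NELEM(routine_names) ? routine_names[n] : NULL;
}

/* Append "key=val" (space-separated after the first field); -1 if it won't fit. */
static int
append(char *buf, size_t len, size_t *off, const char *key, const char *val)
{
	int n = snprintf(buf + *off, len - *off, "%s%s=%s",
	    *off ? " " : "", key, val);
	if (n < 0 || (size_t)n >= len - *off)
		return -1;
	*off += (size_t)n;
	return 0;
}

/* Write every field set in maj into buf; returns the length, or -1 if too small. */
int
gss_describe_major(OM_uint32 maj, char *buf, size_t len)
{
	size_t off = 0;
	unsigned bit, c = GSS_CALLING_ERROR(maj) >> GSS_C_CALLING_ERROR_OFFSET;
	const char *r = gss_routine_error_name(maj);

	if (len == 0)
		return -1;
	buf[0] = '\0';
	if (c != 0 && append(buf, len, &off, "calling",
	    c < NELEM(calling_names) ? calling_names[c] : "unknown") < 0)
		return -1;
	/* maj == 0 is reported as routine=GSS_S_COMPLETE, the RFC's name for it. */
	if ((GSS_ROUTINE_ERROR(maj) != 0 || maj == 0) &&
	    append(buf, len, &off, "routine", r ? r : "unknown") < 0)
		return -1;
	for (bit = 0; bit < NELEM(supp_names); bit++)
		if ((GSS_SUPPLEMENTARY_INFO(maj) & (1u << bit)) != 0 &&
		    append(buf, len, &off, "supp", supp_names[bit]) < 0)
			return -1;
	return (int)off;
}

/* Same, into a static buffer, for one-off checks such as a logged maj value. */
const char *
gss_major_string(OM_uint32 maj)
{
	static char buf[256];
	return gss_describe_major(maj, buf, sizeof(buf)) < 0 ?
	    "(buffer too small)" : buf;
}
```

Calling gss_major_string(393216u) yields "routine=GSS_S_BAD_MIC" (6 << 16), and GSS_ERROR() of that value is non-zero, which is the branch sshd takes before printing "GSSAPI MIC check failed". A value with only supplementary bits, such as 1 (GSS_S_CONTINUE_NEEDED), is not an error under GSS_ERROR(). The human-readable text that OpenSSH's ssh_gssapi_last_error() returns comes from the library's gss_display_status(), which also renders the mechanism-specific minor code; this block only decodes the numeric major status, which is enough to read a log line offline.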
John Marshall
2009-Oct-02 07:24 UTC
How to generate additional debug messages for sshd gssapi failures?
On Tue, 22 Sep 2009, 15:21 -0500, Jim Basney wrote:
> Maybe this will help with troubleshooting. It may require setting
> UsePrivilegeSeparation no in sshd_config to get a useful error message.
>
> Index: auth2-gss.c
> ===================================================================
> RCS file: /cvs/openssh/auth2-gss.c,v
> retrieving revision 1.19
> diff -u -r1.19 auth2-gss.c

Thank you Jim,

That provided me with enough clues to do the troubleshooting I needed
to do. The problem ended up being a gssapi-with-mic compatibility issue
between Kerberos implementations on the client and server.

--
John Marshall