search for: ssh_gssapi_userok

....0. If I run sshd with maximum debug "sshd -ddd" the most detail I get is: GSSAPI MIC check failed That comes from line 282 in auth2-gss.c 279 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 280 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); 281 else 282 logit("GSSAPI MIC check failed"); 283 I think that's as much help as I can get from sshd. I'd like to add some printf's to that else clause so that I can see the reason codes returned by the gssapi routin...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

...ey type could be added for dealing with named keys, that is, names which can be authenticated (e.g., certificate names, Kerberos principal names). The neat thing is that auth2.c:user_key_allowed() is key-type independent (so arguably it doesn't belong in auth2.c), and thus could be called from ssh_gssapi_userok() [instead of, or in addition to the GSS mechanism specific *userok() methods]. The only questions, in my mind, are - how to format key names for use in authorized_keys2? I propose starting the key blob with 'name:' followed by a possibly null mechanism name, another ':' a...

...GSSAPI context"); + + gssctxt = authctxt->methoddata; + + /* + * We don't need to check the status, because the stored credentials + * which userok uses are only populated once the context init step + * has returned complete. + */ + + packet_check_eom(); + + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); + + authctxt->postponed = 0; + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); + userauth_finish(authctxt, authenticated, "gssapi"); +} + +A...