AIX 5.3 and GSSAPI - SSH


  1. AIX 5.3 and GSSAPI

    I've spent the last few days playing with GSSAPI auth on an AIX 5.3
    server (4.1P1) with no success. I've already got this running perfectly
    on a Linux testbed system, using our AD as KDC (Windows 2000) with
    PuTTY (0.56b2 GSSAPI) as a client terminal. The AIX system is
    correctly allowing users to authorise against KRB5A, but the GSSAPI
    single sign-on from a client never seems to work.

    The debug log from SSHD fails during gssapi-with-mic as follows:

    debug1: userauth-request for user ianclark service ssh-connection method
    gssapi-with-mic
    debug1: attempt 1 failures 1
    debug2: input_userauth_request: try method gssapi-with-mic
    debug3: mm_request_send entering: type 37
    debug3: mm_request_receive_expect entering: type 38
    debug3: monitor_read: checking request 37
    debug3: mm_request_receive entering
    debug1: Miscellaneous failure
    No principal in keytab matches desired name

    debug3: mm_request_send entering: type 38
    debug3: mm_request_receive entering

    We have created a host principle and installed it in the krb5 keytab as
    per normal. SSHD doesn't need a service principle?, but what principle
    is SSHD looking for, and what name? Gssapi-with-mic is clearly being
    attempted; with this error, PuTTY returns an "unable to initialise gssapi
    context", yet it connects to the Linux system immediately.

    I'm a little confused, because our linux test worked within minutes of
    configuration, any ideas ?



  2. Re: AIX 5.3 and GSSAPI


    > I've spent the last few days playing with GSSAPI auth on an AIX 5.3
    > server (4.1P1) with no success, I've already got this running perfectly
    > using on a linux testbed system using our AD as KDC using Windows 2000
    > with Putty (0.56b2 GSSAPI) as a client terminal. The AIX system is
    > correctly allowing users to authorise against KRB5A but the GSSAPI
    > single sign on from a client never seems to work.
    >
    > The debug log from SSHD fails during gssapi-with-mic as follows:
    >
    > debug1: userauth-request for user ianclark service ssh-connection method
    > gssapi-with-mic
    > debug1: attempt 1 failures 1
    > debug2: input_userauth_request: try method gssapi-with-mic
    > debug3: mm_request_send entering: type 37
    > debug3: mm_request_receive_expect entering: type 38
    > debug3: monitor_read: checking request 37
    > debug3: mm_request_receive entering
    > debug1: Miscellaneous failure
    > No principal in keytab matches desired name
    >
    > debug3: mm_request_send entering: type 38
    > debug3: mm_request_receive entering
    >
    > We have created a host principle


    The word is "principal."

    > and installed it in the krb5 keytab as
    > per normal, SSHD doesn't need a service principle ?,


    Yes, it does, as does any kerberized service. In this case, the service
    principal *is* the host principal (as opposed to one referring
    specifically to a protocol, e.g. imap/@REALM).

    > but what principle is SSHD looking for and what name ?


    host/@REALM

    Possible problems:

    - The host may not have the right fqdn. Check the result of
    gethostbyaddr(gethostbyname(hostname)).

    - Properties of the key may be incorrect with respect to the copy in the
    kdb. Most common are the key version number (kvno) and key type. This
    is very easy to get wrong when using a Windows KDC directly, since the
    tool ktpass.exe is misleading and buggy.

    --
    Richard Silverman
    res@qoxp.net
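    An added check, not code from the thread, that does what the reply
    suggests: canonicalise the hostname with a forward-then-reverse lookup,
    parse `klist -k -e` output, and confirm the keytab holds the
    `host/<fqdn>@REALM` entry sshd needs with the kvno the KDC has. The
    hostname, realm, kvno and keytab listing are constructed placeholders.

```python
"""Verify the host principal sshd's gssapi-with-mic needs is in the keytab.

Assumptions (constructed for this example): host aix53.example.com in
realm EXAMPLE.COM; the klist listing below is made up, not a real capture.
"""
import re
import socket

# Matches data lines of `klist -k -e`: "<kvno> <principal> (<enctype>)".
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*(?:\((.*)\))?\s*$")

SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 host/aix53.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/aix53.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""


def canonical_fqdn(hostname, resolver=socket):
    """gethostbyaddr(gethostbyname(hostname)), as the reply advises; the
    resolver argument lets a test inject lookups instead of using DNS."""
    addr = resolver.gethostbyname(hostname)
    return resolver.gethostbyaddr(addr)[0]


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from klist -k -e output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_host_principal(entries, fqdn, realm, kdb_kvno=None):
    """Return (ok, message): ok only if host/<fqdn>@<realm> is present and,
    when kdb_kvno (the KDC's copy) is given, at least one entry matches it."""
    wanted = f"host/{fqdn}@{realm}"
    matches = [e for e in entries if e[1] == wanted]
    if not matches:
        return False, f"no principal in keytab matches {wanted}"
    kvnos = sorted({e[0] for e in matches})
    if kdb_kvno is not None and kdb_kvno not in kvnos:
        return False, f"{wanted} present with kvno {kvnos}, KDC has {kdb_kvno}"
    return True, f"{wanted} present, kvno {kvnos}"


if __name__ == "__main__":
    fqdn = canonical_fqdn(socket.gethostname())  # real DNS when run by hand
    print(check_host_principal(parse_klist(SAMPLE_KLIST), fqdn, "EXAMPLE.COM"))
```

    On the real host, replace SAMPLE_KLIST with the output of `klist -k -e`
    and kdb_kvno with the kvno shown by the KDC for the host principal.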

