gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g== - SSH


  1. gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==

    Hi guys,

    I have a Kerberos infrastructure and am trying to do SSO via ssh to
    various servers within one realm. I am able to ssh with Kerberos keys
    to several servers (server2 for example), but not to server1.
    ....
    .... comparing two ssh outputs (the one that doesn't work with Kerberos
    (server1) and the one that does (server2))

    client sends to server1 (kerberos doesn't work):

    debug2: kex_parse_kexinit:
    gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null

    server1 sends back:
    debug2: kex_parse_kexinit:
    diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss



    client sends to server2: (kerberos works)

    debug2: kex_parse_kexinit:
    gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null


    server2 sends back:
    debug2: kex_parse_kexinit:
    gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss


    this is pretty much where the two outputs go different so I have a gut
    feeling that this might be why ...

    any ideas how to go about fixing this ... making server1 to offer
    gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g== as an option?

    both servers are SSH-2.0-OpenSSH_3.8.1p1
    client is OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005


    thanks in advance
    atari


  2. Re: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==


    > this is pretty much where the two outputs go different so I have a gut
    > feeling that this might be why ...


    It's the proximate reason, yes. You are showing the key exchange rather
    than user authentication which comes later, so this is not directly the
    reason why you can't log in via Kerberos. However, this indicates that
    the server does not think it can support Kerberos, so it would probably
    not work for user authentication either.

    > any ideas how to go about fixing this ... making server1 to offer
    > gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g== as an option?


    There are a number of reasons why it might not work (missing keytab,
    mismatched key version numbers, etc.). You usually get better error
    messages for Kerberos on the server side; run the server in debugging mode
    and see what it says.

    --
    Richard Silverman
    res@qoxp.net
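
The comparison made in this thread, as an added example that is not part of either post: it reads the first `kex_parse_kexinit` name-list (the key exchange methods) from each side's `debug2` output, lists the `gss-*` methods the server did not offer, and applies the simplified selection rule (first method on the client's list that the server also lists). The function names are hypothetical and the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample input: the debug2 lines quoted in the thread, kept in
# their wrapped form (the name-list sits on the line after the prefix).
CLIENT = """debug2: kex_parse_kexinit:
gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null"""
SERVER1 = """debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss"""
SERVER2 = """debug2: kex_parse_kexinit:
gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss"""


def kex_algorithms(debug_text):
    """Return the first kex_parse_kexinit name-list (the KEX methods)."""
    # \s* lets the list start on the next line; the lookahead skips an
    # empty list that is followed directly by another debug line.
    m = re.search(r"kex_parse_kexinit:\s*(?!debug\d:)(\S+)", debug_text)
    if m is None:
        raise ValueError("no kex_parse_kexinit name-list found")
    return m.group(1).split(",")


def diagnose(client_text, server_text):
    """Compare both proposals and report what the server leaves out."""
    client = kex_algorithms(client_text)
    server = set(kex_algorithms(server_text))
    # gss-* methods the client proposed that the server did not offer
    missing = [a for a in client if a.startswith("gss-") and a not in server]
    # Simplified rule: first method on the client's list the server also has
    chosen = next((a for a in client if a in server), None)
    return {
        "missing_gss": missing,
        "chosen": chosen,
        "gss_kex": bool(chosen and chosen.startswith("gss-")),
    }


if __name__ == "__main__":
    for name, text in (("server1", SERVER1), ("server2", SERVER2)):
        print(name, diagnose(CLIENT, text))
```

A server that shows up with `gss_kex` false and every client `gss-*` method in `missing_gss` is the one whose server-side debug output is worth reading first.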

