Date: Mon, 10 Dec 2001 10:29:09 +1000
From: "BizNet International" <Robak@Comnorth.com.au>
To: <freebsd-questions@FreeBSD.ORG>
Subject: SSH and Kerberos
Message-ID: <004701c18111$b0a33e40$f900a8c0@ifl.biz.net.au>
A search of the archives reveals that this problem has been discussed a few times before, but a definitive solution has not been posted. The problem often posts as 'SSH doesn't work sometimes'. In my case it only works when the computer is connected to the internet (ijppp), or soon after it has been connected, or indefinitely if a shell remains connected, including, it appears, telnet. When connected, tcpdump yields

09:35:41.802560 203.87.59.222.3999 > 203.87.59.2.domain: 48014+ TXT? krb5-realm.biz.net.au. (39)
09:35:42.802521 203.87.59.222.3999 > 203.87.59.2.domain: 19111+ TXT? _kerberos.biz.net.au. (38)
09:35:43.142972 203.87.59.222.3999 > 203.87.59.2.domain: 17597+ TXT? krb5-realm.net.au. (35)
09:35:43.621368 203.87.59.222.3999 > 203.87.59.2.domain: 28547+ TXT? _kerberos.net.au. (34)
09:35:43.936708 203.87.59.222.3999 > 203.87.59.2.domain: 29436+ TXT? krb5-realm.au. (31)
09:35:44.207274 203.87.59.222.3999 > 203.87.59.2.domain: 17717+ TXT? _kerberos.au. (30)

It then gives up, and lets local password have a go, and success! When not connected, it keeps trying krb5-realm.biz.net.au and _kerberos.biz.net.au, of course timing out, for longer than the 120-second timeout that is set. It may stumble through if I extend the timeout; I forgot to check that, and I am now connected and it will work. (ps - Does that sound like the leaky roof?)

(My BSD box thinks it is servier.ifl.biz.net.au, and is the master of ifl.biz.net.au. The rest of the planet may disagree. biz.net.au is the domain name of my employer.)

For my money, disabling Kerberos in ssh would be a good idea. But.....
The sections of the sshd_config file responsible (I think) are -

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

Enabling any of these lines causes sshd to fail:

servier# /usr/sbin/sshd
/etc/ssh/sshd_config: line 46: Bad configuration option: KerberosAuthentication
fatal: /etc/ssh/sshd_config: terminating, 1 bad configuration options

I just checked in the man page - it's spelt the same in there.

With the KerberosAuthentication line re-commented, sshd shows the following. A ssh -v connection was made; output follows. (Connected, so the ssh connection works.) I will do both of these next time it fails.

servier# sshd -d
debug: sshd version OpenSSH_2.2.0
debug: read DSA private key done
debug: Bind to port 22 on ::.
Server listening on :: port 22.
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from servier.ifl.biz.net.au port 1015
Connection from 192.168.0.20 port 1015
debug: Client protocol version 1.5; client software version OpenSSH_2.2.0
debug: Local version string SSH-1.99-OpenSSH_2.2.0
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for robbak.
Accepted password for robbak from 192.168.0.20 port 1015
debug: session_new: init
debug: session_new: session 0
debug: Allocating pty.
debug: Entering interactive session.
debug: Setting controlling tty using TIOCSCTTY.
debug: no set_nonblock for tty fd 3
debug: no set_nonblock for tty fd 4
debug: server_init_dispatch_13
debug: server_init_dispatch_15
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: Received SIGCHLD.
debug: tvp!=NULL kid 1 mili 10
debug: tvp!=NULL kid 1 mili 100
debug: End of interactive session; stdin 1, stdout (read 745, sent 745), stderr 0 bytes.
debug: Command exited with status 0.
debug: Received exit confirmation.
debug: session_pty_cleanup: session 0 release /dev/ttyp4
Closing connection to 192.168.0.20

servier# ssh -v robbak@servier
SSH Version OpenSSH_2.2.0, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to servier.ifl.biz.net.au [192.168.0.20] port 22.
debug: Allocated local port 1015.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.2.0
debug: Local version string SSH-1.5-OpenSSH_2.2.0
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'servier.ifl.biz.net.au' is known and matches the RSA host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying Kerberos V5 authentication.
debug: Doing password authentication.
robbak@servier.ifl.biz.net.au's password:
debug: Requesting pty.
debug: Requesting shell.
debug: Entering interactive session.
Last login: Fri Nov 9 10:07:56 2001 from servier.ifl.biz.
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 4.2-RELEASE (GENERIC) #0: Mon Nov 20 13:02:55 GMT 2000

Welcome to FreeBSD!

If you wish to force the modem to disconnect, type disconnect.
debug: krb5_cleanup_proc() called
Environment:
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/home/robbak/bin
MAIL=/var/mail/robbak
BLOCKSIZE=K
FTP_PASSIVE_MODE=YES
USER=robbak
LOGNAME=robbak
HOME=/home/robbak
SHELL=/usr/local/bin/bash
SSH_CLIENT=192.168.0.20 1015 22
SSH_TTY=/dev/ttyp4
TERM=vt100
bash-2.04$ logout
Connection to servier.ifl.biz.net.au closed.
debug: Transferred: stdin 0, stdout 746, stderr 46 bytes in 43.9 seconds
debug: Bytes per second: stdin 0.0, stdout 17.0, stderr 1.0
debug: Exit status 0
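As an added illustration (not part of the post above), a small Python parser that pulls the Kerberos realm-discovery TXT queries out of tcpdump lines like the ones quoted and reports which domains the client walked and how long the walk took. It assumes tcpdump's DNS query line format and the two TXT name prefixes (krb5-realm. and _kerberos.) exactly as they appear in the post; the sample capture is the post's six lines.

```python
import re
from datetime import datetime

# Constructed sample: the six tcpdump lines quoted in the post above.
SAMPLE = """\
09:35:41.802560 203.87.59.222.3999 > 203.87.59.2.domain: 48014+ TXT? krb5-realm.biz.net.au. (39)
09:35:42.802521 203.87.59.222.3999 > 203.87.59.2.domain: 19111+ TXT? _kerberos.biz.net.au. (38)
09:35:43.142972 203.87.59.222.3999 > 203.87.59.2.domain: 17597+ TXT? krb5-realm.net.au. (35)
09:35:43.621368 203.87.59.222.3999 > 203.87.59.2.domain: 28547+ TXT? _kerberos.net.au. (34)
09:35:43.936708 203.87.59.222.3999 > 203.87.59.2.domain: 29436+ TXT? krb5-realm.au. (31)
09:35:44.207274 203.87.59.222.3999 > 203.87.59.2.domain: 17717+ TXT? _kerberos.au. (30)
"""

# tcpdump DNS query line: time src > dst: id+ TXT? name. (len)
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) \S+ > \S+: \d+\+ TXT\?\s*(\S+)\. \(\d+\)$")

# TXT names a Kerberos client queries to map a DNS domain to a realm
# (krb5-realm.<domain> is the Heimdal name, _kerberos.<domain> the RFC one).
REALM_PREFIXES = ("krb5-realm.", "_kerberos.")


def parse_realm_lookups(tcpdump_text):
    """One record per Kerberos realm-discovery TXT query in the capture."""
    found = []
    for line in tcpdump_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, qname = m.groups()
        prefix = next((p for p in REALM_PREFIXES if qname.startswith(p)), None)
        if prefix:  # otherwise it is some other DNS query
            found.append({"time": datetime.strptime(ts, "%H:%M:%S.%f"),
                          "domain": qname[len(prefix):]})
    return found


def realm_walk(lookups):
    """Domains queried, most specific first. A walk all the way up to the
    TLD means no level answered, so the client waits on resolver timeouts."""
    walked = []
    for rec in lookups:
        if rec["domain"] not in walked:
            walked.append(rec["domain"])
    return walked


def walk_duration(lookups):
    """Seconds from first to last realm lookup: the delay added to login."""
    if len(lookups) < 2:
        return 0.0
    return (lookups[-1]["time"] - lookups[0]["time"]).total_seconds()
```

Run against the post's capture it reports a walk over biz.net.au, net.au and au taking about 2.4 seconds while the link is up; the same lookups with no reachable resolver are what stretch past the 120-second timeout the post mentions.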