Date: Thu, 16 Jul 1998 16:17:13 -0400
From: Jeff Mahoney <jdmsys@rit.edu>
Subject: SSH 1.2.26, Kerberos under Ultrix
To: ssh@clinet.fi
Message-id: <086e01bdb0f6$b88e5160$1ffd1581@reactor.isc.rit.edu>


    Hi. I recently installed SSH v1.2.26 on one of my Ultrix boxes, and I'm
having some trouble with the Kerberos support. This machine uses Kerberos
for all of its authenticated services, and I'm puzzled as to why SSH doesn't
like it.

    I looked through the FAQ and the mailing list, and found nothing.

Here are two situations and the corresponding error messages:

_Scenario 1_
Logging in from my machine at work; Not part of the Kerberos realm -- ticket
passing fails, falls back to password, as expected.
SSH Logs:
Jul 16 16:07:14 elwood sshd[22898]: debug: Attempting authentication for jeffm.
Jul 16 16:07:14 elwood sshd[22898]: log: WARNING: Verification of TGT indicates potential KDC spoofing: user jeffm address 129.21.253.31
Jul 16 16:07:15 elwood sshd[22898]: log: Password authentication of user jeffm using Kerberos failed: Key table entry not found
Jul 16 16:07:15 elwood sshd[22898]: debug: Password authentication for jeffm failed.

Kerberos KDC Log:
Jul 16 16:06:33 kerberos krb5kdc[176](info): AS_REQ 129.21.60.8(88): ISSUE: authtime 900619593, jeffm@CSH.RIT.EDU for krbtgt/CSH.RIT.EDU@CSH.RIT.EDU
Jul 16 16:06:33 kerberos krb5kdc[176](info): TGS_REQ 129.21.60.8(88): ISSUE: authtime 900619593, jeffm@CSH.RIT.EDU for host/elwood.csh.rit.edu@CSH.RIT.EDU

_Scenario 2_
Logging in from the server that is physically next to the problem machine;
It *IS* part of the Kerberos realm -- ticket forwarding should work, but
fails; defaults to password; also fails

SSH Log:
Jul 16 16:09:12 elwood sshd[22902]: debug: Connection attempt for jeffm@CSH.RIT.EDU from jake.csh.rit.edu.
Jul 16 16:09:12 elwood sshd[22902]: debug: Attempting authentication for jeffm.
Jul 16 16:09:12 elwood sshd[22902]: log: Kerberos ticket authentication of user jeffm failed: Key table entry not found
Jul 16 16:09:12 elwood sshd[22902]: debug: Kerberos V5 rd_req failed (Key table entry not found).
Jul 16 16:09:12 elwood sshd[22902]: debug: Kerberos authentication failed for jeffm from jake.csh.rit.edu
Jul 16 16:09:12 elwood sshd[22902]: debug: RSA authentication for jeffm failed.
Jul 16 16:09:17 elwood sshd[22902]: log: WARNING: Verification of TGT indicates potential KDC spoofing: user jeffm address 129.21.60.12
Jul 16 16:09:17 elwood sshd[22902]: log: Password authentication of user jeffm using Kerberos failed: Key table entry not found
Jul 16 16:09:17 elwood sshd[22902]: debug: Password authentication for jeffm failed.

Kerberos KDC Log:
Jul 16 16:08:35 kerberos krb5kdc[176](info): AS_REQ 129.21.60.8(88): ISSUE: authtime 900619715, jeffm@CSH.RIT.EDU for krbtgt/CSH.RIT.EDU@CSH.RIT.EDU
Jul 16 16:08:36 kerberos krb5kdc[176](info): TGS_REQ 129.21.60.8(88): ISSUE: authtime 900619715, jeffm@CSH.RIT.EDU for host/elwood.csh.rit.edu@CSH.RIT.EDU


I assume the key table entry it is referring to is the local one
(host/elwood.csh.rit.edu). I've also tried copying
host/kerberos.csh.rit.edu to the keytab as well, with no change in behavior
resulting.

Any help that could be offered on this would be greatly appreciated.
Thanks.

-Jeff
--
Jeffrey Mahoney
System Programmer
Information Systems and Computing
Rochester Institute of Technology
Rochester NY
Ph: 716-475-2258
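
Added example (not part of the original message, and not code from SSH or Kerberos): a Python script that pairs the sshd "Key table entry not found" failures from Scenario 2 with the KDC's TGS_REQ issuances for the same user, to name the service principal to look for in elwood's keytab. The log text is the message's own with mail line wraps joined; the function names, the regexes and the 120-second matching window are assumptions made for this example.

```python
import re
from datetime import datetime

# Scenario 2 log lines from the message above, mail line wraps joined.
SSHD_LOG = """\
Jul 16 16:09:12 elwood sshd[22902]: log: Kerberos ticket authentication of user jeffm failed: Key table entry not found
Jul 16 16:09:17 elwood sshd[22902]: log: WARNING: Verification of TGT indicates potential KDC spoofing: user jeffm address 129.21.60.12
Jul 16 16:09:17 elwood sshd[22902]: log: Password authentication of user jeffm using Kerberos failed: Key table entry not found
"""
KDC_LOG = """\
Jul 16 16:08:35 kerberos krb5kdc[176](info): AS_REQ 129.21.60.8(88): ISSUE: authtime 900619715, jeffm@CSH.RIT.EDU for krbtgt/CSH.RIT.EDU@CSH.RIT.EDU
Jul 16 16:08:36 kerberos krb5kdc[176](info): TGS_REQ 129.21.60.8(88): ISSUE: authtime 900619715, jeffm@CSH.RIT.EDU for host/elwood.csh.rit.edu@CSH.RIT.EDU
"""
STAMP = r"(\w{3} +\d+ [\d:]{8})"
SSHD_FAIL = re.compile(STAMP + r" \S+ sshd\[(\d+)\]: log: (.+) of user (\S+)"
                       r"(?: using Kerberos)? failed: (.+)$")
KDC_ISSUE = re.compile(STAMP + r" \S+ krb5kdc\[\d+\]\(info\): (AS_REQ|TGS_REQ) "
                       r"\S+: ISSUE: authtime \d+, (\S+) for (\S+)$")

def when(stamp, year=1998):
    # syslog omits the year; 1998 is taken from the mail's Date header
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def sshd_failures(text):
    """Authentication failures that sshd logged with an error string."""
    hits = (SSHD_FAIL.match(line) for line in text.splitlines())
    return [{"time": when(m[1]), "pid": int(m[2]), "method": m[3],
             "user": m[4], "reason": m[5]} for m in hits if m]

def kdc_issues(text):
    """Tickets the KDC reports as issued (ISSUE lines only)."""
    hits = (KDC_ISSUE.match(line) for line in text.splitlines())
    return [{"time": when(m[1]), "type": m[2], "client": m[3],
             "service": m[4]} for m in hits if m]

def keytab_suspects(sshd_text, kdc_text, window=120):
    """Service principals issued to a user near a 'Key table entry not found'."""
    tgs = [i for i in kdc_issues(kdc_text) if i["type"] == "TGS_REQ"]
    suspects = set()
    for f in sshd_failures(sshd_text):
        if f["reason"] != "Key table entry not found":
            continue
        for i in tgs:
            gap = abs((f["time"] - i["time"]).total_seconds())
            if i["client"].split("@")[0] == f["user"] and gap <= window:
                suspects.add(i["service"])
    return sorted(suspects)

if __name__ == "__main__":
    print(keytab_suspects(SSHD_LOG, KDC_LOG))
```

The two hosts' timestamps differ by 36 to 41 seconds for these events, which is why the pairing uses a time window rather than exact matching.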

