This is just a quick post to show how I go about debugging problems with GSSAPIAuthentication. You want to debug both the server side and the client side, so the first thing to do is start a new instance of the openssh server in the foreground on a different port.
# `which sshd` -o "GSSAPIAuthentication yes" -d -D -p 2222
debug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-D'
debug1: rexec_argv[3]='-p'
debug1: rexec_argv[4]='2222'
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
This will start up the ssh server listening on port 2222 with debugging turned on. Then you need to try connecting to this instance from the client that is unable to connect.
$ ssh -o "GSSAPIAuthentication yes" -vvv -p 2222 server.example.com
This will output a ton of information on both the server and the client, which should help you figure out why you are unable to log in using GSSAPIAuthentication. Some common pitfalls to keep in mind:
- Make sure you have GSSAPIAuthentication turned on either globally or for the user trying to login (this is done for you in the examples above, so if things work then this may be your problem).
- Make sure you have created a host principal for the ssh server and have added it to that machine's /etc/krb5.keytab
- You can test this by logging into the ssh server and running klist -k.
# klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM
- If none of these steps turn up anything useful, check the kdc logs for errors.
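The first two pitfalls can be checked without a KDC round trip. The script below is an added example, not part of the original post: it parses sshd_config text and `klist -k` output (constructed samples, embedded) and reports whether GSSAPIAuthentication is on and whether the host principal for the given FQDN and realm is in the keytab. It assumes a plain config without Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post). Both functions take text on
# their first argument so they can run offline against the constructed
# samples below; on a real host feed them "$(cat /etc/ssh/sshd_config)"
# and "$(klist -k)".

# gssapi_enabled CONFIG_TEXT
# Exit 0 if the config turns GSSAPIAuthentication on. sshd keeps the FIRST
# value it reads for a keyword, so a later "yes" does not override an earlier
# "no"; the keyword is case-insensitive and "key=value" is also accepted.
# Match blocks are not modelled here (assumption: none present).
gssapi_enabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        { gsub(/=/, " ") }                              # allow keyword=value
        !seen && tolower($1) == "gssapiauthentication" { seen = 1; val = tolower($2) }
        END { exit (seen && val == "yes") ? 0 : 1 }'    # default is "no"
}

# has_host_principal KLIST_TEXT FQDN REALM
# Exit 0 if klist -k output lists host/FQDN@REALM. The principal is the
# second whitespace-separated field of each entry line (first is the KVNO).
has_host_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $2 == want { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
Port 22
GSSAPIAuthentication no
GSSAPIAuthentication yes'
SAMPLE_KEYTAB_LISTING='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM'

if gssapi_enabled "$SAMPLE_SSHD_CONFIG"; then echo "GSSAPIAuthentication: on"
else echo "GSSAPIAuthentication: off (first value wins)"; fi
if has_host_principal "$SAMPLE_KEYTAB_LISTING" server.example.com EXAMPLE.COM
then echo "keytab: host principal present"
else echo "keytab: host principal MISSING"; fi
```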
Please note that the environment referred to above is using MIT Kerberos. I would expect the methods for debugging other software to be similar, but I cannot guarantee that the Kerberos-related commands will be the same.
Thank you very much for this wonderful article. I have been banging my head for 2 days now getting passwordless SSH GSSAPI authentication to work between a Samba 4.1.11 DC and a Linux client. It turned out I was just missing a keytab entry. Once I added it, everything worked!
Thanks again bro!
Hi Rommel, could you please give me the conf for how you implemented GSSAPI using Samba?