{"id":206,"date":"2011-08-17T19:06:38","date_gmt":"2011-08-18T00:06:38","guid":{"rendered":"http:\/\/www.soljerome.com\/blog\/?p=206"},"modified":"2011-08-17T19:06:38","modified_gmt":"2011-08-18T00:06:38","slug":"debugging-openssh-gssapiauthentication","status":"publish","type":"post","link":"https:\/\/www.soljerome.com\/blog\/2011\/08\/17\/debugging-openssh-gssapiauthentication\/","title":{"rendered":"Debugging OpenSSH GSSAPIAuthentication"},"content":{"rendered":"<p>This is just a quick post to show how I go about debugging problems with\u00a0GSSAPIAuthentication. You want to debug both the server side and the client side, so the first thing to do is start a new instance of the openssh server in the foreground on a different port.<\/p>\n<pre># `which sshd` -o \"GSSAPIAuthentication yes\" -d -D -p 2222\r\ndebug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu7\r\ndebug1: read PEM private key done: type RSA\r\ndebug1: Checking blacklist file \/usr\/share\/ssh\/blacklist.RSA-2048\r\ndebug1: Checking blacklist file \/etc\/ssh\/blacklist.RSA-2048\r\ndebug1: private host key: #0 type 1 RSA\r\ndebug1: read PEM private key done: type DSA\r\ndebug1: Checking blacklist file \/usr\/share\/ssh\/blacklist.DSA-1024\r\ndebug1: Checking blacklist file \/etc\/ssh\/blacklist.DSA-1024\r\ndebug1: private host key: #1 type 2 DSA\r\ndebug1: rexec_argv[0]='\/usr\/sbin\/sshd'\r\ndebug1: rexec_argv[1]='-d'\r\ndebug1: rexec_argv[2]='-D'\r\ndebug1: rexec_argv[3]='-p'\r\ndebug1: rexec_argv[4]='2222'\r\ndebug1: Bind to port 2222 on 0.0.0.0.\r\nServer listening on 0.0.0.0 port 2222.\r\ndebug1: Bind to port 2222 on ::.\r\nServer listening on :: port 2222.<\/pre>\n<p>This will start up the ssh server listening on port 2222 with debugging turned on. 
Then you need to try connecting to this instance from the client that is unable to connect.<\/p>\n<pre>$ ssh -o \"GSSAPIAuthentication yes\" -vvv -p 2222 server.example.com<\/pre>\n<p>This will output a ton of information on both the server and the client which should help you figure out why you are unable to log in using\u00a0GSSAPIAuthentication. Some common pitfalls to keep in mind:<\/p>\n<ul>\n<li>Make sure you have GSSAPIAuthentication turned on either globally or for the user trying to log in (the examples above turn it on explicitly, so if they work while your normal setup does not, this may be your problem).<\/li>\n<li>Make sure you have created a host principal for the SSH server and have added it to that machine&#8217;s\u00a0<code>\/etc\/krb5.keytab<\/code>.\n<ul>\n<li>You can test this by logging in to the SSH server and running <code>klist -k<\/code>.\n<pre># klist -k\r\n\tKeytab name: WRFILE:\/etc\/krb5.keytab\r\n\tKVNO Principal\r\n\t---- --------------------------------------------------------------------------\r\n\t   2 host\/server.example.com@EXAMPLE.COM\r\n\t   2 host\/server.example.com@EXAMPLE.COM\r\n\t   2 host\/server.example.com@EXAMPLE.COM\r\n\t   2 host\/server.example.com@EXAMPLE.COM<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>If none of these steps turns up anything useful, check the KDC logs for errors.<\/li>\n<\/ul>\n<p>Please note that the environment referred to above is using MIT Kerberos. I would expect the methods for debugging other software to be similar, but I cannot guarantee that the Kerberos-related commands will be the same.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is just a quick post to show how I go about debugging problems with\u00a0GSSAPIAuthentication. You want to debug both the server side and the client side, so the first thing to do is start a new instance of the openssh server in the foreground on a different port. 
# `which sshd` -o &#8220;GSSAPIAuthentication yes&#8221; <a href='https:\/\/www.soljerome.com\/blog\/2011\/08\/17\/debugging-openssh-gssapiauthentication\/' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[16,3,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/206"}],"collection":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/comments?post=206"}],"version-history":[{"count":4,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/206\/revisions"}],"predecessor-version":[{"id":211,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/206\/revisions\/211"}],"wp:attachment":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/media?parent=206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/categories?post=206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/tags?post=206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}