Re: problem: default realm in openssh
Well, I have no idea what these tests are doing :-) I tried to use it as
follows:

    gssapi_server
    kinit ....
    gssapi_client --service=hprop hostname

(hprop as any other service here is good?)

Outputs:

both server and client on host A:

    User is `komanek@NATUR.CUNI.CZ'
    gss_verify_mic: hej
    gss_unwrap: hemligt

both server and client on B:

    User is `komanek@NATUR.CUNI.CZ'
    prfdec# gss_verify_mic: hej
    gss_unwrap: hemligt

server on A, client on B:

    A: gssapi_server: gss_accept_sec_context
    A: Error 0
    B: gssapi_client: EOF in read

server on B, client on A:

    A: gssapi_client: EOF in read
    B: gssapi_server: gss_accept_sec_context
    B: Successful

Can you or anybody else on this list explain these results? Do you have
some suggestion where to go more deeply?

But, I think I have found something very interesting - as I have already
written before, connection from B to A with a ticket works only if I use
the fully qualified target hostname, not with the short form. Today I tried
the same, but with the IP address instead. Debug output from openssh seems to
be more descriptive about what is wrong:

    debug1: Next authentication method: gssapi
    debug2: we sent a gssapi packet, wait for reply
    debug1: Miscellaneous failure (see text)
    Server (krbtgt/113.56.251@NATUR.CUNI.CZ) unknown
    debug1: Trying to start again
    debug2: we did not send a packet, disable method

The IP address of the target is 195.113.56.251, not 113.56.251. I suppose
the lines "Miscellaneous failure ...." and "Server ...." are not from
openssh itself but from heimdal, right? So all the wear and tear is the
result of some bad parsing routine dealing with the hostname?

Thanks again,
David
> David Komanek <xdavid@lib-eth.natur.cuni.cz> writes:
>
> > Please, do you have some small test program to see if heimdal gssapi
> > itself works well ?
>
> There are test programs in appl/test.
>
> /Johan
>