Opened 4 years ago

Last modified 2 years ago

#55707 new defect

problem with kerberized ssh

Reported by: clhedrick (Charles Hedrick) Owned by:
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc:
Port: openssh

Description (last modified by mf2k (Frank Schima))

This problem occurs only in a very specific situation. It results in a failure if you try to login using ssh with a kerberos ticket. The situation:

krb5.conf has noaddresses = false, and doesn't list a kdc. In this situation Kerberos will discover the KDC from DNS. The discovery works fine for kinit. But if you try ssh you get an error. This error does not occur with noaddresses true, or if the kdc is specified. This problem does not occur with the same versions of kerberos and openssh on Linux.

debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Incorrect net address

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

Change History (3)

comment:1 Changed 4 years ago by mf2k (Frank Schima)

Port: openssh added

In the future, please use WikiFormatting, fill in the Port field and Cc the port maintainers (port info --maintainers openssh), if any.

comment:2 Changed 4 years ago by mf2k (Frank Schima)

Description: modified (diff)

comment:3 Changed 2 years ago by Ionic (Mihai Moldovan)

Can you re-test if this is still the case with the newest version (8.1p1_0)?

Rekeying was broken for quite some time, so maybe this issue is magically fixed now.

Note: See TracTickets for help on using tickets.