SSH weirdness


 
Thread Tools Search this Thread
Operating Systems Solaris SSH weirdness
# 1  
Old 11-22-2009
SSH weirdness

I've configured a new container/zone on Solaris 10 (Sparc) and I'm using Centrify for LDAP authentication to AD. My ssh client is as follows

Sun_SSH_1.1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f

I'm seeing some strange behavior from ssh. When I ssh onto the new zone to myself (non-root user) either from elsewhere or from the zone itself, I get the following error:

Server had a GSS-API error; the connection will close (851968/0):
Unspecified GSS failure. Minor code may provide more information
No error

Use the GssKeyEx option to disable GSS-API key exchange and try again.
Disconnecting: The server had a GSS-API error during GSS-API protected SSHv2 key exchange


This is accompanied by the following error in /var/adm/messages:

sshd[15808]: [ID 800047 auth.crit] fatal: accept_ctx died

The problem does NOT present if I ssh to the zone from root OR if I use the host's IP address instead of hostname. I have no problem ssh'ing away from the zone - only when inbound.

Here's the debug output from ssh -vvv:

Sun_SSH_1.1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to balloonv1 [10.38.35.100] port 22.
debug1: Connection established.
debug1: identity file /users/cmorgan/.ssh/identity type -1
debug1: identity file /users/cmorgan/.ssh/id_rsa type -1
debug1: identity file /users/cmorgan/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.1
debug1: match: Sun_SSH_1.1.1 pat Sun_SSH_1.1.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1.1
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: en-AU
debug2: kex_parse_kexinit: en-AU
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: ssh_gssapi_init_ctx(706a8, balloonv1, 0, 0, ffbff714)
debug3: ssh_gssapi_import_name: snprintf() returned 14, expected 15
debug2: GSS-API Mechanism encoded as toWM5Slw5Ew8Mqkay+al2g==
debug1: SSH2_MSG_KEXINIT sent
debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: en-AU
debug2: kex_parse_kexinit: en-AU
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: en-AU,en-NZ,i-default
debug2: kex_parse_kexinit: en-AU,en-NZ,i-default
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos: en-AU,en-NZ,i-default
debug1: Peer sent proposed langtags, stoc: en-AU,en-NZ,i-default
debug1: We proposed langtags, ctos: en-AU
debug1: We proposed langtags, stoc: en-AU
debug1: Negotiated lang: en-AU
debug1: dh_gen_key: priv key bits set: 119/256
debug1: bits set: 497/1024
debug1: Calling gss_init_sec_context
debug1: ssh_gssapi_init_ctx(d2458, balloonv1, 0, 0, ffbff7d4)
debug3: ssh_gssapi_import_name: snprintf() returned 14, expected 15
debug1: Remote: Negotiated main locale: en_AU.UTF-8
debug1: Remote: Negotiated messages locale: en_AU.UTF-8
debug1: Received KEXGSS_HOSTKEY
Server had a GSS-API error; the connection will close (851968/0):
Unspecified GSS failure. Minor code may provide more information
No error

Use the GssKeyEx option to disable GSS-API key exchange and try again.
Disconnecting: The server had a GSS-API error during GSS-API protected SSHv2 key exchange

debug1: Calling cleanup 0x348a4(0x0)


Curiously, if I run kdestroy, I can then ssh sucessfully but only for that login session.

I'm not familiar with kerberos. What's happening here?

- CDM
# 2  
Old 11-23-2009
Check for existence of this file - /etc/krb5/krb5.keytab - if it's not there, create it and see what's happening.
# 3  
Old 11-23-2009
The file is there. Since the problem goes away (albeit temporarily) when I run a kdestroy, I'm thinking this might have something to do with how the host is represented in the AD directory. I spun up another zone on the same global zone and it's working perfectly fine - even though I used the exact same procedure/scripst to build the second zone.

The only difference between the two zones is that the first zone was built/destroyed/built/destroy/etc. several times over. As such, the Centrify adjoin command I used to register the hsot into AD was run several times even though the host was already registered. No errors were generated when this was done but it's the only smoking gun I can think of.

Quote:
Originally Posted by sysgate
Check for existence of this file - /etc/krb5/krb5.keytab - if it's not there, create it and see what's happening.
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. UNIX for Beginners Questions & Answers

Ssh script to validate ssh connection to multiple serves with status

Hi, I want to validate ssh connection one after one for multiple servers..... password less keys already setup but now i want to validate if ssh is working fine or not... I have .sh script like below and i have servers.txt contains all the list of servers #/bin/bash for host in $(cat... (3 Replies)
Discussion started by: sreeram4
3 Replies

2. Shell Programming and Scripting

Joining 3 line weirdness

Hi all you Unix/Linux gurus, So, I have something strage going on and need a sanity check... I have 2 files that both contain 3 lines of text... File1 - called t: CN66270E90 94:57:a5:d3:db:aa 94:57:a5:d3:db:ab File2 - called tt: hostname 5.7.2.7 72:8C:36:3B:5A:17 (2 Replies)
Discussion started by: joeg1484
2 Replies

3. Solaris

Solaris 11 sysconfig and zones weirdness

when I create a new zone either via zfs export template or installing the OS from the .iso I get a weird problem. once I create the zone and login for the first time to the console I get the sysconfig menu. I do the config setup and exit the zone boots normally. The next time I reboot, I have to do... (0 Replies)
Discussion started by: os2mac
0 Replies

4. Solaris

Zpool device weirdness

Weird duplicate device in one of my nested raidz1s - device is shown as both online and unavailable, with a hot spare showing up as degraded as well. Any thoughts on how I should proceed? root@storage# zpool status tank pool: tank state: DEGRADED status: One or more devices are... (6 Replies)
Discussion started by: DoohanMcGirk
6 Replies

5. Shell Programming and Scripting

Ssh = ssh expect and keep everything not change include parameter postion

I have write a script which contains ssh -p 12345 dcplatform@10.125.42.50 ssh 127.0.0.1 -p 5555 "$CMD" ssh root@$GUEST_IP "$CMD" before I use public key, it works well, now I want to change to "expect", BUT I don't want to change above code and "parameter position" I can post a... (1 Reply)
Discussion started by: yanglei_fage
1 Replies

6. Shell Programming and Scripting

File path weirdness

I want to be able to drag and drop a file into a script in the terminal but it doesn't like the /home/user prefix. How do I get around this? (8 Replies)
Discussion started by: pluto7777
8 Replies

7. UNIX for Dummies Questions & Answers

gedit newline weirdness

I have this file cd /media/AUDIO/WAVE/9780743561181 ~/Desktop/mp3-to-m4b 9780743561181-UNLEASHING THE IDEA VIRUS "UNLEASHING THE IDEA VIRUS" "GODIN, SETH" 2006 n cd /media/AUDIO/WAVE/9780743561204 ~/Desktop/mp3-to-m4b 9780743561204-STALIN'S GHOST "STALIN'S GHOST" "SMITH, MARTIN" 2007 n cd... (1 Reply)
Discussion started by: glev2005
1 Replies

8. IP Networking

ftp and ssh weirdness

i've just setup my desktop (ubuntu 8.04) to run vsftpd and sshd. i have two laptops, both running linux. on one laptop i can connect to the desktop via ftp and ssh and everything works fine. so i don't think there's a problem with the server. on the other laptop i can't connect to the desktop... (3 Replies)
Discussion started by: darkmatter14B
3 Replies

9. UNIX for Dummies Questions & Answers

cygwin bash startup command weirdness (part 1)

I am running (I believe) the latest stable version of cygwin CYGWIN_NT-5.1 1.5.24(0.156/4/2) 2007-01-31 10:57 i686 Cygwin on a win xp sp2 laptop. Suppose, to make things simple for now (but I may do a part 2 posting...), that I am in a dos shell, and I want to create a bash shell and have it... (1 Reply)
Discussion started by: fabulous2
1 Replies
Login or Register to Ask a Question