[OpenAFS] ssh+afs logins fail on IRIX 6.5.15

David R. Steiner david.r.steiner@Dartmouth.EDU
Tue, 28 May 2002 15:42:58 -0400


I have been beating my head against this for a while. Disclaimer: I am 
new to AFS and Kerberos so feel free to let me know if I have missed 
something obvious.

I can build OpenSSH and it works fine when the user who is logging in 
has a local account. When a user with an AFS account tries to log in, 
however, it fails with "Permission denied". AFS users can log in OK 
from the console.

Running 'sshd -d' on the server shows that the Kerberos 
authentication fails with "Principal unknown" (see debug output 
below). I have also attached my sshd_config file.

Running tcpdump shows that the authentication is generating traffic 
on port 750. It is my understanding that since we are using kaserver 
this should not be happening. I have been told that kaserver uses a 
different port but do not know which one.

The details:
IRIX 6.5.15
ssh 3.2.2.p1
cc = MIPSpro 7.3 (have tried gcc 3.1 as well)
OpenAFS 1.2.3

I am configuring with:

env CC=cc CFLAGS=-g \
  ./configure --prefix=/usr/etc/ssh --with-afs=/usr/afsws \
  --with-kerberos4=/usr/athena --sysconfdir=/etc/ssh \
  --with-pid-dir=/var/run --with-ipv4-default

Any help would be greatly appreciated. TIA

=====Debug output (user names and IPs have been sanitized)=====

   debug1: userauth-request for user user1 service ssh-connection method none
   debug1: attempt 0 failures 0
   debug3: allowed_user: today 11828 sp_expire -1 sp_lstchg 11808 sp_max -1
   debug2: input_userauth_request: setting up authctxt for user1
   debug2: input_userauth_request: try method none

   Failed none for user1 from port 1076 ssh2
   debug1: userauth-request for user user1 service ssh-connection method
   debug1: attempt 1 failures 1
   debug2: input_userauth_request: try method keyboard-interactive
   debug1: keyboard-interactive devs
   debug1: auth2_challenge: user=user1 devs=
   debug1: kbdint_alloc: devices ''
   debug2: auth2_challenge_start: devices
   Failed keyboard-interactive for dsteiner from port 1076 ssh2
   debug1: userauth-request for user user1 service ssh-connection method
   debug1: attempt 2 failures 2
   debug2: input_userauth_request: try method password
   kerberos-iv/udp unknown service, using default port 750
   debug1: Kerberos v4 password authentication for user1 failed: Principal
     unknown (kerberos)
   debug1: krb4_cleanup_proc called
   Failed password for user1 from port 1076 ssh2


    #       $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $

    # This is the sshd server system-wide configuration file.  See sshd(8)
    # for more information.

    # This sshd was compiled with 

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    Port 22
    Protocol 2,1
    #ListenAddress ::

    # HostKey for protocol version 1
    HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768

    # Logging
    #obsoletes QuietMode and FascistLogging
    SyslogFacility AUTH
    LogLevel INFO

    # Authentication:

    LoginGraceTime 600
    PermitRootLogin no
    StrictModes yes

    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile      .ssh/authorized_keys

    # rhosts authentication should not be used
    RhostsAuthentication no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in 
    RhostsRSAAuthentication yes
    # similar for protocol version 2
    HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    IgnoreUserKnownHosts no

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication yes
    PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    # KerberosAuthentication automatically enabled if keyfile exists
    KerberosAuthentication yes
    KerberosOrLocalPasswd no
    KerberosTicketCleanup yes

    # AFSTokenPassing automatically enabled if k_hasafs() is true
    AFSTokenPassing yes

    # Kerberos TGT Passing only works with the AFS kaserver
    KerberosTgtPassing yes

    # Set this to 'yes' to enable PAM keyboard-interactive authentication
    # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
    PAMAuthenticationViaKbdInt no

    X11Forwarding no
    X11DisplayOffset 10
    X11UseLocalhost yes
    PrintMotd yes
    PrintLastLog yes
    KeepAlive yes
    UseLogin no

    MaxStartups 10
    # no default banner path
    #Banner /some/path
    VerifyReverseMapping no

    # override default of no subsystems
    Subsystem       sftp    /usr/ssh/libexec/sftp-server

David R. Steiner                               david.r.steiner@dartmouth.edu
UNIX System Manager                            Phone:  603.646.3127
Dartmouth College                              Fax:     603.646.1041
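
Added example, not part of the original message: a small parser for an `sshd -d` trace like the one above. It groups each line under the authentication method being tried, so the reason the trace gives for each failure is visible per attempt. The sample trace is constructed from lines in the message, and the function names are this example's own.

```python
import re
import textwrap

# Constructed sample, shaped like the sshd -d trace quoted in the message.
SAMPLE = """\
   debug2: input_userauth_request: try method none
   Failed none for user1 from port 1076 ssh2
   debug2: input_userauth_request: try method keyboard-interactive
   debug1: kbdint_alloc: devices ''
   Failed keyboard-interactive for user1 from port 1076 ssh2
   debug2: input_userauth_request: try method password
   kerberos-iv/udp unknown service, using default port 750
   debug1: Kerberos v4 password authentication for user1 failed: Principal
     unknown (kerberos)
   Failed password for user1 from port 1076 ssh2
"""

TRY = re.compile(r"try method (\S+)")
FAILED = re.compile(r"^Failed (\S+) for ")
KRB4 = re.compile(r"Kerberos v4 password authentication for \S+ failed: (.+)")
FALLBACK = re.compile(r"^(\S+) unknown service, using default port (\d+)")

def unwrap(text):
    """Dedent the trace and rejoin lines the mailer wrapped onto the next row."""
    lines = []
    for raw in textwrap.dedent(text).splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        elif raw.strip():
            lines.append(raw.strip())
    return lines

def summarize(text):
    """One record per attempted method, with the reason the trace gives."""
    attempts = []
    for line in unwrap(text):
        if m := TRY.search(line):
            attempts.append({"method": m.group(1), "failed": False, "notes": []})
        elif not attempts:
            continue  # ignore anything logged before the first attempt
        elif "kbdint_alloc: devices ''" in line:
            attempts[-1]["notes"].append("no keyboard-interactive devices")
        elif m := FALLBACK.match(line):
            attempts[-1]["notes"].append(f"{m.group(1)} not resolved, default port {m.group(2)}")
        elif m := KRB4.search(line):
            attempts[-1]["notes"].append(f"krb4: {m.group(1)}")
        elif (m := FAILED.match(line)) and m.group(1) == attempts[-1]["method"]:
            attempts[-1]["failed"] = True
    return attempts
```

Pass the full text of a saved `sshd -d` run to `summarize()`; wrapped continuation lines are rejoined before matching.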