gssapi-with-mic and a Windows AD KDC



Dear OpenSSH types,

I am trying to use a Windows AD KDC to authenticate gssapi-with-mic connections between Linux clients. The problem is I get an error from the ssh server: "Encryption type not permitted". Can anyone tell me what it's objecting to, or what encryption types are permitted?

I'm using sshd: OpenSSH_4.1p1 and client: OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004

I have enabled GSSAPIAuthentication on the server and installed /etc/krb5.keytab with the key:

KVNO Principal
---- --------------------------------------------------------------------------
4 host/somehost.cl.cam.ac.uk@xxxxxxxxxxxxxxx (DES cbc mode with RSA-MD5)

On the client I have these credentials:

Default principal: ig206@xxxxxxxxxxxxxxx

Valid starting Expires Service principal
03/13/06 15:55:51 03/14/06 01:55:55 krbtgt/AD.CL.CAM.AC.UK@xxxxxxxxxxxxxxx
renew until 03/14/06 15:55:51, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
03/13/06 15:56:17 03/14/06 01:55:55 host/sark.cl.cam.ac.uk@xxxxxxxxxxxxxxx
renew until 03/14/06 15:55:51, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
Kerberos 4 ticket cache: /tmp/tkt1696

When I try the connection I get this output from sshd:

debug1: userauth-request for user ig206 service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "ig206"
Failed none for ig206 from 128.232.8.60 port 12372 ssh2
debug1: PAM: setting PAM_RHOST to "fenton.cl.cam.ac.uk"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user ig206 service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 1
Postponed gssapi-with-mic for ig206 from 128.232.8.60 port 12372 ssh2
debug1: Miscellaneous failure
Encryption type not permitted

debug1: Got no client credentials
Failed gssapi-with-mic for ig206 from 128.232.8.60 port 12372 ssh2
debug1: userauth-request for user ig206 service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 2
Failed gssapi-with-mic for ig206 from 128.232.8.60 port 12372 ssh2


