[MacPorts] #55707: problem with kerberized ssh

Fri Jan 19 14:28:34 UTC 2018

#55707: problem with kerberized ssh
------------------------+-----------------
  Reporter:  clhedrick  |      Owner:
      Type:  defect     |     Status:  new
  Priority:  Normal     |  Milestone:
 Component:  ports      |    Version:
Resolution:             |   Keywords:
      Port:  openssh    |
------------------------+-----------------
Description changed by mf2k:

Old description:

> This problem occurs only in a very specific situation. It results in a
> failure if you try to login using ssh with a kerberos ticket. The
> situation:
>
> krb5.conf has noaddresses = false, and doesn't list a kdc. In this
> situation Kerberos will discover the KDC from DNS. The discovery works
> fine for kinit. But if you try ssh you get an error. This error does not
> occur with noaddresses true, or if the kdc is specified. This problem
> does not occur with the same versions of kerberos and openssh on Linux.
>
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
> ,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Incorrect net address
>
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
> ,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:

New description:

 This problem occurs only in a very specific situation. It results in a
 failure if you try to login using ssh with a kerberos ticket. The
 situation:

 krb5.conf has noaddresses = false, and doesn't list a kdc. In this
 situation Kerberos will discover the KDC from DNS. The discovery works
 fine for kinit. But if you try ssh you get an error. This error does not
 occur with noaddresses true, or if the kdc is specified. This problem does
 not occur with the same versions of kerberos and openssh on Linux.
 {{{
 debug2: service_accept: ssh-userauth
 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
 ,keyboard-interactive
 debug1: Next authentication method: gssapi-with-mic
 debug1: Unspecified GSS failure.  Minor code may provide more information
 Incorrect net address

 debug2: we sent a gssapi-with-mic packet, wait for reply
 debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
 ,keyboard-interactive
 debug2: we did not send a packet, disable method
 debug1: Next authentication method: keyboard-interactive
 debug2: userauth_kbdint
 debug2: we sent a keyboard-interactive packet, wait for reply
 debug2: input_userauth_info_req
 debug2: input_userauth_info_req: num_prompts 1
 Password:
 }}}

--

--
Ticket URL: <https://trac.macports.org/ticket/55707#comment:2>
MacPorts <https://www.macports.org/>
Ports system for macOS