[Freeipa-devel] sshd, gssapi postinstall cleanup

John Dennis jdennis at redhat.com
Fri Jan 4 16:12:53 UTC 2008


Simo Sorce wrote:
>> So, any ideas as to why sshd on that box would hang as it attempted 
>> gssapi auth and how might a previous IPA install be responsible for that?
> 
> I bet you have a /etc/krb5.keytab file left over from latest IPA
> installations.

Good thought, I don't think this was the case but certainly worth a check.

I do think I figured out what the culprit was as well as a temporary 
workaround that will at least allow one to ssh in.

I think the problem was partly a result of my own limited thinking :-) I 
had presumed the problem must be on the remote server I was trying to 
connect to. This erroneous conclusion was further supported by my 
observation that if GSSAPIAuthentication was disabled in the server's 
sshd.conf file, the problem went away.

However, the problem was on the ssh client machine which also had a bad 
/etc/krb5.conf file also left over from an IPA test installation. I 
believe what was actually happening was that when ssh<-->sshd tried to 
negotiate GSSAPI Authentication ssh on the client attempted to get a 
ticket for me which failed because it could not talk to the KDC 
configured on the client. The sshd server had no role in this other than 
agreeing it would accept GSSAPI Authentication. When I disabled GSSAPI 
Authentication on the sshd server the client did not attempt to get a 
ticket for me and everything worked. It was a case of mistaken identity 
(pun intended :-)

BTW, I discovered you can temporarily get around problems like this if on 
the ssh command line you add an option parameter like this:

% ssh -o GSSAPIAuthentication=no somehost

-- 
John Dennis <jdennis at redhat.com>
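
A client-side check for the situation this message describes, added here as an example and not part of the original post: it reads the KDCs that a krb5.conf names for its default realm and reports which of them the client can actually reach. The function names and the sample hostnames are constructed for illustration; the probe assumes getent, bash and coreutils timeout are installed and uses a TCP connect to the KDC port as a stand-in for a real ticket request.

```shell
# Added example (not from the original post). Limits: reads only inline
# "kdc = host[:port]" entries of the default realm; include directives,
# DNS SRV discovery and IPv6 literals are not handled.
# Constructed sample config, shaped like a leftover from a test install.
sample_conf() {
    cat <<'EOF'
[libdefaults]
 default_realm = IPA.EXAMPLE.TEST
[realms]
 IPA.EXAMPLE.TEST = {
  kdc = ipa-old.example.test:88
  kdc=ipa-old2.example.test
 }
 OTHER.EXAMPLE.TEST = {
  kdc = kdc.other.example.test
 }
EOF
}

# Print one "host[:port]" per line for the default realm of file $1.
krb5_kdcs() {
    awk '
        /^[ \t]*[#;]/ { next }                       # comment lines
        { gsub(/[ \t]*=[ \t]*/, " = ") }             # normalise "a=b"
        /^[ \t]*\[/ { sec = $0; gsub(/[^a-z_]/, "", sec); next }
        sec == "libdefaults" && $1 == "default_realm" { realm = $3 }
        sec == "realms" && $3 == "{" { cur = $1; next }
        sec == "realms" && $1 == "}" { cur = ""; next }
        sec == "realms" && $1 == "kdc" && cur != "" { kdcs[cur] = kdcs[cur] " " $3 }
        END { n = split(kdcs[realm], a, " "); for (i = 1; i <= n; i++) print a[i] }
    ' "$1"
}

# Classify one entry as ok / no-dns / no-connect (needs getent, bash, timeout).
probe_kdc() {
    host=${1%%:*}; port=88
    case $1 in *:*) port=${1##*:} ;; esac
    getent hosts "$host" >/dev/null 2>&1 || { echo no-dns; return 0; }
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
    then echo ok; else echo no-connect; fi
}

# Report each KDC of file $1 (default /etc/krb5.conf); non-zero if none is ok.
check_krb5_conf() {
    reachable=0
    for kdc in $(krb5_kdcs "${1:-/etc/krb5.conf}"); do
        state=$(probe_kdc "$kdc"); echo "$kdc $state"
        if [ "$state" = ok ]; then reachable=$((reachable + 1)); fi
    done
    [ "$reachable" -gt 0 ]
}
```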
