5

I just upgraded my Mac OS to 10.7 Lion. It worked well before. But now only kinit works normally; I can't ssh to my server.

After reinstalling the "Mac OS X Kerberos Extras", it didn't get better.

My command:

ssh root@10.3.18.211 -v

......

debug1: Authentications that can continue: gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1:  Miscellaneous failure (see text)
UNKNOWN_SERVER while looking up 'host/10.3.18.211@3.18.211' (cached result, timeout in 1200 sec)

debug1:  An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14

debug1: Authentications that can continue: gssapi-with-mic,password
debug1:  An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5

debug1: Next authentication method: password
root@10.3.18.211's password:
slhck
  • 235,242

2 Answers

7

Do you have the following two lines in your ~/.ssh/config file, or in your /etc/ssh_config?

GSSAPIAuthentication yes
GSSAPITrustDNS yes

The first is required to enable GSSAPI (Kerberos) authentication; the second one is required to get ssh to canonicalize the hostname via DNS and use the canonical name to obtain a host service ticket. Without the second one, ssh will use the exact hostname or IP address entered on the command line to try to obtain a host service ticket, and in this case it fails:

UNKNOWN_SERVER while looking up 'host/10.3.18.211@3.18.211'

The actual name of the principal is normally 'host/hostname.domain@REALM' rather than an IP address. Of course, you need a correct reverse DNS setup for this to work.

It also seems like OS X can't detect the correct realm name to use and is trying to use an IP address instead (the '@3.18.211' part). Do you have correct DNS TXT and SRV records set up for your realm and KDC? If not you'll need to enter the default realm and KDC address manually in /etc/krb5.conf.

slhck
  • 235,242
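To make the answer above concrete, here is an added illustration (not code from the question, the answers, or OpenSSH/MIT Kerberos) that models how the requested host principal changes with GSSAPITrustDNS and with a hand-filled krb5.conf. The krb5.conf fragment, hostnames, IPs, realm names and the fake PTR table are all constructed sample data; the fallback of deriving the realm from everything after the first label is inferred from the 'host/10.3.18.211@3.18.211' line in the question's log, and the krb5.conf parser is a deliberately minimal stand-in for the real one.

```python
"""Model how ssh/GSSAPI chooses the 'host/<name>@<REALM>' principal for a target.

Added illustration only; all names, addresses and records below are constructed.
"""
import re

# Constructed krb5.conf of the kind the answer says to fill in by hand
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }

[domain_realm]
    .lab.example.com = LAB.EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

# Constructed reverse-DNS table standing in for PTR records (missing key = no PTR)
FAKE_PTR = {
    "10.3.18.211": "svn.example.com.",
    "10.3.19.5": "db.lab.example.com.",
}


def fake_reverse_lookup(target):
    """Return the canonical name for a target, or None when reverse DNS has nothing."""
    return FAKE_PTR.get(target)


def parse_krb5_conf(text):
    """Minimal parser: (default_realm, {domain: realm}) from a krb5.conf string."""
    section, default_realm, domain_realm = None, None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("{", "}"):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "domain_realm":
            domain_realm[key.lower()] = value
    return default_realm, domain_realm


def realm_for_host(hostname, default_realm, domain_realm):
    """Pick the realm: [domain_realm] entry (exact host, then parent domains with a
    leading dot), then default_realm, else the guess seen in the question's log:
    everything after the first label, upper-cased."""
    host = hostname.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    if default_realm:
        return default_realm
    return ".".join(labels[1:]).upper()


def expected_service_principal(target, trust_dns, reverse_lookup, krb5_conf_text=""):
    """Return the host principal ssh will ask the KDC for, given the client settings."""
    default_realm, domain_realm = parse_krb5_conf(krb5_conf_text)
    name = target
    if trust_dns:
        # GSSAPITrustDNS yes: use the DNS-canonicalized name when there is one
        canonical = reverse_lookup(target)
        if canonical:
            name = canonical.rstrip(".").lower()
    return f"host/{name}@{realm_for_host(name, default_realm, domain_realm)}"


if __name__ == "__main__":
    cases = [(False, ""), (False, SAMPLE_KRB5_CONF), (True, SAMPLE_KRB5_CONF)]
    for trust, conf in cases:
        label = f"GSSAPITrustDNS={'yes' if trust else 'no'}, krb5.conf={'set' if conf else 'empty'}"
        print(f"{label}: {expected_service_principal('10.3.18.211', trust, fake_reverse_lookup, conf)}")
```

The first case reproduces the principal from the question's log; the second shows that a default_realm alone fixes only the realm part, and the third shows that the canonical name from reverse DNS is what finally yields a principal the KDC can have a key for. With no PTR record the IP address stays in the principal even with GSSAPITrustDNS enabled, which is the reverse-DNS requirement the answer mentions.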
0

I had these errors connecting to CentOS, but not to Fedora. Solved by changing my User to a full userPrincipalName instead of my short name on OS X.

~/.ssh/config:

Host svn saturnus.lan
User user@EXAMPLE.COM

SSH unknown mech-code errors:

debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1:  An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1:  An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5

debug2: we did not send a packet, disable method
bbaassssiiee
  • 1,525