Can't login to OpenSSH server using GSSAPI

0 votes
asked Dec 23, 2020 by tomn (120 points)

I am attempting to log onto a Linux server running OpenSSH using the Rebex library. I can connect using another client application, so I know the server is set up correctly. I'm using this client code from a Windows 10 machine:

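        // Types below are in the Rebex.Net namespace.
        // Null user name, password and domain: use the current Windows logon (single sign-on).
        var creds = new SshGssApiCredentials(null, null, null);
        creds.SetMechanisms(SshGssApiMechanisms.KerberosV5);   // Kerberos v5 only
        creds.AllowDelegation = true;                          // allow credential delegation to the server
        creds.TargetName = "<Server name>.<Domain Name>";      // placeholder for the server's host name

        Ssh ssh = new Ssh();
        // Write a verbose communication log for troubleshooting.
        ssh.LogWriter = new Rebex.FileLogWriter(@"c:\temp\log.txt", Rebex.LogLevel.Verbose);
        // Offer only the gssapi-with-mic authentication method.
        ssh.Settings.SshParameters.AuthenticationMethods = SshAuthenticationMethod.GssapiWithMic;
        ssh.Connect("<Server Ip Address>", 22);

        ssh.Login(creds);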

I'm able to connect, but get an SshException on the Login call:

GSSAPI authentication failed.

The log shows that the SSH_MSG_USERAUTH_61 exchange seemed to work, but it fails on SSH_MSG_USERAUTH_GSSAPI_MIC:

    2020-12-23 17:55:38.575 VERBOSE Ssh(1)[9] SSH: Sending packet SSH_MSG_USERAUTH_GSSAPI_MIC (33 bytes).
     0000 |42-00-00-00-1C-04-04-04 FF-FF-FF-FF-FF-00-00-00| B...............
     0010 |00-3F-71-33-CB-48-1C-02 D6-D9-3D-C9-30-53-C6-B5| .?q3.H....=.0S..
     0020 |E0                                             | .
    2020-12-23 17:55:38.585 VERBOSE Ssh(1)[11] SSH: Received packet SSH_MSG_USERAUTH_FAILURE (53 bytes).
     0000 |33-00-00-00-2F-70-75-62 6C-69-63-6B-65-79-2C-67| 3.../publickey,g
     0010 |73-73-61-70-69-2D-6B-65 79-65-78-2C-67-73-73-61| ssapi-keyex,gssa
     0020 |70-69-2D-77-69-74-68-2D 6D-69-63-2C-70-61-73-73| pi-with-mic,pass
     0030 |77-6F-72-64-00                                 | word.
    2020-12-23 17:55:38.610 ERROR Ssh(1)[9] SSH: Rebex.Net.SshException: GSSAPI authentication failed.
       at Rebex.Net.SshSession.pxhiy(String p0, String p1, SshGssApiCredentials p2)
       at Rebex.Net.SshSession.hywxb(String p0, String p1, SshPrivateKey p2, SshGssApiCredentials p3, Boolean p4)

Am I using the wrong format for the TargetName? Am I supposed to set the AccountName? Is there anything else that I'm missing?

commented Dec 24, 2020 by Lukas Pokorny (117,510 points)
There doesn't seem to be anything wrong with your code, and your configuration is a supported one, so this is somewhat strange.
- What is the client application that works? We might be able to check it to see whether it's doing anything differently. Are you able to connect using PuTTY (with GSSAPI configured to use Microsoft SSPI)?
- Would it be possible to check the server log to determine why it rejected the SSH_MSG_USERAUTH_GSSAPI_MIC packet?
- It might also be useful to try whether setting AllowDelegation=false makes any difference.
- Additionally, please try this without single sign-on by specifying the credentials in the SshGssApiCredentials constructor - again just to determine whether this makes a difference.
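
Added example (not part of the original thread and not Rebex code): a Python decoder for the two packets in the question's log, using the message layouts from RFC 4252, RFC 4462 and the Kerberos v5 MIC token header from RFC 4121. The hex strings are copied from the log; the function and field names are this example's own.

```python
import struct

# Message numbers from RFC 4252 (userauth) and RFC 4462 (GSSAPI userauth).
MSG_NAMES = {
    51: "SSH_MSG_USERAUTH_FAILURE",
    61: "SSH_MSG_USERAUTH_GSSAPI_TOKEN",   # shown as SSH_MSG_USERAUTH_61 in the log
    66: "SSH_MSG_USERAUTH_GSSAPI_MIC",
}

# Payload bytes copied from the two hex dumps in the question's log.
MIC_PACKET = bytes.fromhex(
    "420000001C040404FFFFFFFFFF000000"
    "003F7133CB481C02D6D93DC93053C6B5E0")
FAILURE_PACKET = bytes.fromhex(
    "330000002F7075626C69636B65792C67"
    "73736170692D6B657965782C67737361"
    "70692D776974682D6D69632C70617373"
    "776F726400")

def read_string(buf, off):
    """Read an SSH 'string' (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:end], end

def decode(packet):
    """Decode the fields of a userauth FAILURE or GSSAPI_MIC payload."""
    msg = packet[0]
    out = {"type": MSG_NAMES.get(msg, f"unknown({msg})")}
    if msg == 51:
        methods, off = read_string(packet, 1)
        out["can_continue"] = methods.decode("ascii").split(",")
        out["partial_success"] = packet[off] != 0
    elif msg == 66:
        mic, _ = read_string(packet, 1)
        out["mic_len"] = len(mic)
        # RFC 4121 MIC token: TOK_ID 04 04, flags, 5 x FF filler, 64-bit sequence, checksum.
        out["krb5_mic"] = mic[:2] == b"\x04\x04" and mic[3:8] == b"\xff" * 5
        out["sent_by_acceptor"] = bool(mic[2] & 0x01)
        out["acceptor_subkey"] = bool(mic[2] & 0x04)
        out["seq"] = int.from_bytes(mic[8:16], "big")
        out["checksum_len"] = len(mic) - 16
    return out

if __name__ == "__main__":
    for p in (MIC_PACKET, FAILURE_PACKET):
        print(decode(p))
```

SSH_MSG_USERAUTH_FAILURE carries only the list of methods that can continue and the partial-success flag, so the client log cannot show why the MIC was rejected; that reason is only available in the server log.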
