Sorry, in answer to your actual question:

# root@moon-server
/usr/local/sbin/sshd -d -d -d -p 22000

# user@moon-client:
ssh -l moonshot -p 22000 -v -v -v moon-server.vm

On 05/06/13 15:17, Stuart Rankin wrote:
> Hi Stefan,
>
> I think I'm getting past that check, I'd already noticed that not giving the right thing here causes
> an "unexpected acceptor" error earlier. However I tried your suggestion, and also tried changing the
> hostname of the server, but the authorisation part still seems to fail.
>
> These are virtual machines without any entries in the DNS but instead have the same flat /etc/hosts
> file:
>
> ...
> 192.168.122.32 moon moon.vm
> 192.168.122.181 moon-server moon-server.vm
> 192.168.122.92 moon-client moon-client.vm
>
> where moon.vm is the IdP (running the live DVD). The hostname on the client and server is set to be
> moon-client.vm and moon-server.vm respectively.
>
> Am I correct in thinking that the openssh built from the openssh subdirectory of the git repository
> should work correctly, at least for CentOS6?
>
> Many thanks -
>
> Best regards
>
> Stuart
>
>
> On 05/06/13 14:50, [log in to unmask] wrote:
>> Hi Stuart,
>>
>> How do you ssh (i.e. what's the command-line)? If you don't use the FQDN, you may want to switch
>> GSSAPIStrictAcceptorCheck to off in /etc/ssh/sshd_config.
>>
>> Regards
>>
>> Stefan
>>
>>
>> -----Original Message-----
>> From: Moonshot community list [mailto:[log in to unmask]] On Behalf Of Stuart Rankin
>> Sent: 05 June 2013 13:12
>> To: [log in to unmask]
>> Subject: RHEL6 ssh question
>>
>> Hi,
>>
>> I have a hopefully simple problem - I've had success getting moonshot to work using gss-client and
>> gss-server between two different Scientific Linux 6 hosts, using a third system based on the live
>> DVD as the IdP, but at the moment ssh between the same pair of boxes is not working (possibly
>> because I simply don't have the correctly patched version of openssh, or have failed to do
>> something elementary).
>>
>> By looking at the debug output from freeradius I can see that authentication is succeeding and the
>> SAML headers are going out, but it's at this point that it apparently fails. I'm currently using a
>> sshd built from the git repository, and the relevant part of the debug output looks like:
>>
>> debug1: userauth-request for user moonshot service ssh-connection method gssapi-with-mic
>> debug1: attempt 1 failures 0
>> debug2: input_userauth_request: try method gssapi-with-mic
>> Postponed gssapi-with-mic for invalid user moonshot from 192.168.122.92 port 60699 ssh2
>> debug1: Got no client credentials
>> debug1: Got no client credentials
>> debug1: Got no client credentials
>> debug1: Got no client credentials
>> debug1: Got no client credentials
>> debug1: Got no client credentials
>> debug1: Got no client credentials
>> debug1: Got no client credentials
>> debug1: Got no client credentials
>> debug1: No suitable client data
>> Failed gssapi-with-mic for invalid user moonshot from 192.168.122.92 port 60699 ssh2
>>
>> On the other hand the same output when ssh'ing into the live DVD system (which _does_ work from the
>> SL6 client) ends with:
>>
>> ...
>> debug1: Got no client credentials
>> debug1: Got no client credentials
>> debug1: userok succeded for moonshot
>> debug1: do_pam_account: called
>> debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
>> Accepted gssapi-with-mic for moonshot from 192.168.122.92 port 53376 ssh2
>>
>> I've already made sure that /etc/shibboleth/attribute-map.xml on the SSH server contains
>>
>> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="local-login-user"/>
>>
>>
>> Would be grateful for any suggestions!
>>
>> Best regards,
>>
>> Stuart
>>
>>
>> --
>> Dr. Stuart Rankin
>>
>> Senior System Administrator
>> High Performance Computing Service
>> University of Cambridge
>> Email: [log in to unmask]
>> Tel: (+)44 1223 763517
>>
>
--
Dr. Stuart Rankin
Senior System Administrator
High Performance Computing Service
University of Cambridge
Email: [log in to unmask]
Tel: (+)44 1223 763517
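
An added example, not part of the original thread or of the Moonshot code: a small triage script that summarises each authentication verdict in sshd debug output, run over the two excerpts quoted above (re-split to one message per line). The function name `triage` and the summary fields are assumptions made for this example; the "invalid user" tag, which sshd prints when the login name does not map to a local account it will permit, is the visible difference between the failing and the working run.

```python
import re

# Constructed sample input: the two excerpts quoted in the thread, one sshd message per line.
FAILING = (
    "debug1: userauth-request for user moonshot service ssh-connection method gssapi-with-mic\n"
    "debug1: attempt 1 failures 0\n"
    "debug2: input_userauth_request: try method gssapi-with-mic\n"
    "Postponed gssapi-with-mic for invalid user moonshot from 192.168.122.92 port 60699 ssh2\n"
    + "debug1: Got no client credentials\n" * 9
    + "debug1: No suitable client data\n"
    "Failed gssapi-with-mic for invalid user moonshot from 192.168.122.92 port 60699 ssh2\n"
)
WORKING = (
    "debug1: Got no client credentials\n"
    "debug1: Got no client credentials\n"
    "debug1: userok succeded for moonshot\n"
    "debug1: do_pam_account: called\n"
    "debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)\n"
    "Accepted gssapi-with-mic for moonshot from 192.168.122.92 port 53376 ssh2\n"
)

# Verdict lines only; "Postponed ..." is an intermediate state and is ignored.
RESULT = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def triage(log):
    """Return one summary dict per Accepted/Failed line in sshd debug output."""
    results, no_creds, userok = [], 0, False
    for line in log.splitlines():
        line = line.strip()
        if line.endswith("Got no client credentials"):
            no_creds += 1
        elif "userok succe" in line:  # spelled "succeded" in the quoted output
            userok = True
        m = RESULT.match(line)
        if m:
            results.append({
                "outcome": m["outcome"], "method": m["method"], "user": m["user"],
                "invalid_user": m["invalid"] is not None, "source": m["src"],
                "no_client_creds": no_creds, "userok": userok,
            })
            no_creds, userok = 0, False  # reset counters for the next attempt
    return results

if __name__ == "__main__":
    for name, log in (("failing", FAILING), ("working", WORKING)):
        for r in triage(log):
            print(name, r)
```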