Package: ssh-krb5
Version: 3.8.1p1-8
Severity: normal

I connect to one machine using kerberos and another ('non-krb-host') using public-key authentication.
If the kerberos tickets have been destroyed (kdestroy -45), then 'ssh non-krb-host true' takes about 1.5 seconds. If I get new kerberos tickets ('kinit -45'), then 'ssh non-krb-host true' takes about 15 seconds.

Below are ssh -v logs with timing information (seconds of wall-clock time relative to when the output started):

Here's the ~/.ssh/config:

Host krb-host
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Host *
  ForwardX11 yes
  TCPKeepAlive no

With no kerberos tickets (i.e. after kdestroy -45):

0.00 OpenSSH_3.8.1p1 Debian-krb5 3.8.1p1-8, OpenSSL 0.9.7e 25 Oct 2004
0.01 debug1: Reading configuration data /home/sanjoy/.ssh/config
0.02 debug1: Applying options for *
0.03 debug1: Reading configuration data /etc/ssh/ssh_config
0.06 debug1: Connecting to non-krb-host port 22.
0.15 debug1: Connection established.
0.15 debug1: identity file /home/sanjoy/.ssh/identity type -1
0.15 debug1: identity file /home/sanjoy/.ssh/id_rsa type 1
0.15 debug1: identity file /home/sanjoy/.ssh/id_dsa type 2
0.25 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
0.25 debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
0.25 debug1: Enabling compatibility mode for protocol 2.0
0.25 debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-krb5 3.8.1p1-8
0.27 debug1: Miscellaneous failure
0.27 No credentials cache found
0.27
0.29 debug1: Miscellaneous failure
0.29 No credentials cache found
0.29
0.29 debug1: SSH2_MSG_KEXINIT sent
0.35 debug1: SSH2_MSG_KEXINIT received
0.35 debug1: kex: server->client aes128-cbc hmac-md5 none
0.35 debug1: kex: client->server aes128-cbc hmac-md5 none
0.35 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
0.35 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
0.58 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
0.58 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
0.69 debug1: Host non-krb-host is known and matches the RSA host key.
0.69 debug1: Found key in /home/sanjoy/.ssh/known_hosts:32
0.69 debug1: ssh_rsa_verify: signature correct
0.69 debug1: SSH2_MSG_NEWKEYS sent
0.69 debug1: expecting SSH2_MSG_NEWKEYS
0.69 debug1: SSH2_MSG_NEWKEYS received
0.69 debug1: SSH2_MSG_SERVICE_REQUEST sent
0.93 debug1: SSH2_MSG_SERVICE_ACCEPT received
1.04 debug1: Authentications that can continue: publickey,password,keyboard-interactive
1.04 debug1: Next authentication method: publickey
1.04 debug1: Trying private key: /home/sanjoy/.ssh/identity
1.04 debug1: Offering public key: /home/sanjoy/.ssh/id_rsa
1.13 debug1: Authentications that can continue: publickey,password,keyboard-interactive
1.13 debug1: Offering public key: /home/sanjoy/.ssh/id_dsa
1.24 debug1: Server accepts key: pkalg ssh-dss blen 433
1.24 debug1: read PEM private key done: type DSA
1.34 debug1: Authentication succeeded (publickey).
1.34 debug1: channel 0: new [client-session]
1.34 debug1: Entering interactive session.
1.47 debug1: Requesting X11 forwarding with authentication spoofing.
1.47 debug1: Sending command: true
1.62 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
1.62 debug1: channel 0: free: client-session, nchannels 1
1.62 debug1: fd 1 clearing O_NONBLOCK
1.62 debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
1.62 debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
1.62 debug1: Exit status 0

With kerberos tickets (similar delay if they are expired, although the message changes from 'Server not found' to 'ticket expired') -- note the delay, twice, of about 7 seconds:

0.00 OpenSSH_3.8.1p1 Debian-krb5 3.8.1p1-8, OpenSSL 0.9.7e 25 Oct 2004
0.01 debug1: Reading configuration data /home/sanjoy/.ssh/config
0.02 debug1: Applying options for *
0.04 debug1: Reading configuration data /etc/ssh/ssh_config
0.05 debug1: Connecting to non-krb-host port 22.
0.11 debug1: Connection established.
0.12 debug1: identity file /home/sanjoy/.ssh/identity type -1
0.12 debug1: identity file /home/sanjoy/.ssh/id_rsa type 1
0.12 debug1: identity file /home/sanjoy/.ssh/id_dsa type 2
0.20 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
0.21 debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
0.21 debug1: Enabling compatibility mode for protocol 2.0
0.21 debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-krb5 3.8.1p1-8
7.64 debug1: Miscellaneous failure
7.67 Server not found in Kerberos database
7.68
15.59 debug1: Miscellaneous failure
15.60 Server not found in Kerberos database
15.60
15.60 debug1: SSH2_MSG_KEXINIT sent
15.60 debug1: SSH2_MSG_KEXINIT received
15.60 debug1: kex: server->client aes128-cbc hmac-md5 none
15.60 debug1: kex: client->server aes128-cbc hmac-md5 none
15.60 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
15.60 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
15.83 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
15.83 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
15.94 debug1: Host non-krb-host is known and matches the RSA host key.
15.94 debug1: Found key in /home/sanjoy/.ssh/known_hosts:32
15.95 debug1: ssh_rsa_verify: signature correct
15.95 debug1: SSH2_MSG_NEWKEYS sent
15.95 debug1: expecting SSH2_MSG_NEWKEYS
15.95 debug1: SSH2_MSG_NEWKEYS received
15.95 debug1: SSH2_MSG_SERVICE_REQUEST sent
16.17 debug1: SSH2_MSG_SERVICE_ACCEPT received
16.28 debug1: Authentications that can continue: publickey,password,keyboard-interactive
16.28 debug1: Next authentication method: publickey
16.28 debug1: Trying private key: /home/sanjoy/.ssh/identity
16.28 debug1: Offering public key: /home/sanjoy/.ssh/id_rsa
16.38 debug1: Authentications that can continue: publickey,password,keyboard-interactive
16.38 debug1: Offering public key: /home/sanjoy/.ssh/id_dsa
16.47 debug1: Server accepts key: pkalg ssh-dss blen 433
16.47 debug1: read PEM private key done: type DSA
16.58 debug1: Authentication succeeded (publickey).
16.58 debug1: channel 0: new [client-session]
16.58 debug1: Entering interactive session.
16.70 debug1: Requesting X11 forwarding with authentication spoofing.
16.70 debug1: Sending command: true
16.85 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
16.85 debug1: channel 0: free: client-session, nchannels 1
16.85 debug1: fd 1 clearing O_NONBLOCK
16.85 debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
16.85 debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
16.85 debug1: Exit status 0

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13-local01
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages ssh-krb5 depends on:
ii  adduser         3.66          Add and remove users and groups
ii  debconf         1.4.52        Debian configuration management sy
ii  libc6           2.3.5-3       GNU C Library: Shared libraries an
ii  libcomerr2      1.37-2sarge1  common error description library
ii  libkrb53        1.3.6-5       MIT Kerberos runtime libraries
ii  libpam-runtime  0.76-22       Runtime support for the PAM librar
ii  libpam0g        0.76-22       Pluggable Authentication Modules l
ii  libssl0.9.7     0.9.7e-3      SSL shared libraries
ii  libwrap0        7.6.dbs-8     Wietse Venema's TCP wrappers libra
ii  zlib1g          1:1.2.3-3     compression library - runtime

ssh-krb5 recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/privsep_ask: true
* ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/SUID_client: true
* ssh/privsep_tell:
  ssh/ssh2_keys_merged:
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true