当我通过 ssh 连接到 DOMAIN\user@localhosts-name 时,通过 gssapi-with-mic 进行身份验证可以正常工作:
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 112 bytes for a total of 1255
debug1: Delegating credentials
debug3: Wrote 2816 bytes for a total of 4071
debug1: Delegating credentials
debug3: Wrote 80 bytes for a total of 4151
debug1: Authentication succeeded (gssapi-with-mic).
当我连接到另一台机器时,它似乎在 gssapi-with-mic 身份验证过程中停止了:
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 112 bytes for a total of 1255
debug1: Delegating credentials
debug3: Wrote 2816 bytes for a total of 4071 <----- ????
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
我该如何找出第二次发生的不同之处?我如何才能找出 kerberos 是否拒绝了身份验证/拒绝了身份验证的原因?
答案1
在这种情况下,我使用的技术是在目标主机的不同端口上启动单独的 sshd 服务,然后在那里调高调试级别:
# /usr/sbin/sshd -d -d -d -p 2233
然后,您可以通过新端口从源连接到目标:
$ ssh user@hostname -p 2233
服务器的调试日志通常比客户端的日志包含更多相关信息。另请注意,在调试模式下运行的 sshd 服务将在每次连接后停止,因此每次连接时都必须重新启动它。