See summary. The connection will close down without apparent reason or information (even with DEBUG3).

"UsePrivilegeSeparation sandbox" has been added to sshd_config since openssh-6.0. Setting UsePrivilegeSeparation to yes (sshd default) resolves the issue. sandbox works fine with 5.9 though.

Reproducible: Always

Server side log excerpt:
...
Sep 4 22:29:05 q sshd[21394]: debug1: userauth-request for user <..> service ssh-connection method gssapi-with-mic [preauth]
Sep 4 22:29:05 q sshd[21394]: debug1: attempt 1 failures 0 [preauth]
Sep 4 22:29:05 q sshd[21394]: debug2: input_userauth_request: try method gssapi-with-mic [preauth]
Sep 4 22:29:05 q sshd[21394]: debug1: monitor_read_log: child log fd closed
Sep 4 22:29:05 q sshd[21394]: debug3: mm_request_receive entering
Sep 4 22:29:05 q sshd[21394]: debug1: do_cleanup
Sep 4 22:29:05 q sshd[21394]: debug1: PAM: cleanup
Sep 4 22:29:05 q sshd[21394]: debug3: PAM: sshpam_thread_cleanup entering
Sep 4 22:29:05 q sshd[21394]: debug1: Killing privsep child 21397

Client side output excerpt:
...
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by 192.168.0.203
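The server-side pattern in the report above (an auth method is tried in [preauth], the child's log fd closes, and the monitor kills the child with no verdict logged) can be picked out of sshd debug logs with a small heuristic. This is an added example, not part of the original report or of OpenSSH; the function name, the sample lines and the choice of "Accepted"/"Failed"/"Postponed" as verdict markers are assumptions.

```python
import re

# Constructed sample, modelled on the server-side excerpt in the report above,
# plus one constructed successful login for contrast.
SAMPLE = """\
Sep 4 22:29:05 q sshd[21394]: debug2: input_userauth_request: try method gssapi-with-mic [preauth]
Sep 4 22:29:05 q sshd[21394]: debug1: monitor_read_log: child log fd closed
Sep 4 22:29:05 q sshd[21394]: debug3: mm_request_receive entering
Sep 4 22:29:05 q sshd[21394]: debug1: do_cleanup
Sep 4 22:29:05 q sshd[21394]: debug1: Killing privsep child 21397
Sep 4 22:31:10 q sshd[21500]: debug2: input_userauth_request: try method publickey [preauth]
Sep 4 22:31:10 q sshd[21500]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?:debug\d: )?(?P<msg>.*)$")
TRY = re.compile(r"input_userauth_request: try method (\S+) \[preauth\]")
KILL = re.compile(r"Killing privsep child (\d+)")
VERDICT = ("Accepted ", "Failed ", "Postponed ")  # assumed verdict markers

def find_silent_preauth_deaths(log_text):
    """Return one finding per sshd monitor whose pre-auth child went away
    right after trying an auth method, with no verdict logged in between."""
    state = {}      # monitor pid -> last method tried / whether log fd closed
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        s = state.setdefault(pid, {"method": None, "fd_closed": False})
        tried = TRY.search(msg)
        if tried:
            s["method"], s["fd_closed"] = tried.group(1), False
        elif msg.startswith(VERDICT):
            s["method"], s["fd_closed"] = None, False   # normal outcome, reset
        elif "monitor_read_log: child log fd closed" in msg:
            s["fd_closed"] = True
        else:
            killed = KILL.search(msg)
            if killed and s["method"] and s["fd_closed"]:
                findings.append({"monitor_pid": int(pid),
                                 "child_pid": int(killed.group(1)),
                                 "method": s["method"]})
    return findings

if __name__ == "__main__":
    for f in find_silent_preauth_deaths(SAMPLE):
        print(f)
```

A hit is only a hint to look at the sandbox setting: a client that disconnects mid-authentication can produce a similar sequence.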
I can confirm this. I came across this issue when setting up a central user management for Windows and Linux workstations with samba4. It took me nearly a week and some mails with Sumit Bose on samba-technical. After nothing helped I decided to gdb sshd and turned off privilege separation and suddenly everything worked. I wrote a bug report to openssh to ask if this can be fixed or at least bring sshd to give some useful information when in debug mode.

regards
Georg Hopp
Hi again,

FYI: On the OpenSSH bugzilla a patch is provided that does the gssapi initialization before privsep is in place, in this ticket:
https://bugzilla.mindrot.org/show_bug.cgi?id=2107

I can confirm that this patch fixes the issue for me now without any side effects. I will add this patch to all my machines now for a long time test. I applied it against 6.4p1.

Best regards
Georg Hopp
Created attachment 371388
patch to load oids before privsep

This one is a copy of the patch that is now committed to openssh 6.6.
Created attachment 371390
ebuild that applies the patch
Hi,

the patch is now committed for openssh 6.6. I think it might be beneficial to add it to the current stable ebuild. Which is 6.4p1 for me but I failed to make a recent update, sorry. Anyway, it applied nicely against 6.4. I attached the patch and my modified ebuild.

best regards
Georg
openssh-6.6 is stable in Gentoo now, so it sounds like we're all set. thanks!