Comment 2 for bug 1938144

Revision history for this message
Niklas Rother (nrother) wrote :

Hello Athos,

thanks for looking into this!

This is reproducible without Ansible, that was just use-case that brought up the issue. I've further narrowed it down to the following setup:

Server:
/usr/sbin/sshd -d -p 2222 -f /dev/null -o GSSAPIKeyExchange=yes -o GSSAPIAuthentication=yes

Client:
ssh -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex root@compute-test -v -p 2222 -o GSSAPIKeyExchange=yes -F /dev/null

I think this should make it independent from my local config, right? Obviously there is also Kerberos involved, which I would call configured pretty standard in our environment, but I can have a look at that config as well, if this is desired.

The problem will not arise when:
- The client has no valid Kerberos-Key (unset KRB5CCNAME)
- If any of the the GSSAPI* options is missing on client or server
- If the order of "gssapi-with-mic,gssapi-keyex" is switched (!)