Problem: A user suddenly can't ssh/sftp to a Solaris 10 server anymore.
Symptom: ssh or sftp dies and "fatal: accept_ctx died" appears in the log file.
....
Mar 24 06:23:12 your-host sshd[19553]: [ID 800047 auth.crit] fatal: accept_ctx died
Mar 24 06:23:25 your-host sshd[19629]: [ID 800047 auth.crit] fatal: accept_ctx died
....
Quick Fix:
The Kerberos host file /etc/krb5/krb5.keytab is missing; restore the file. Problem solved.
Details:
1. Check the ssh/sftp -v debug output and look for "RECV : KEXGSS_ERROR".
A bad connection shows the following error (the lines marked with ">"):
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : GSS SPN : host@your-host.foo.com
[LOCAL] : SEND : KEXGSS_INIT [540 bytes]
[LOCAL] : RECV : KEXGSS_HOSTKEY
> [LOCAL] : RECV : KEXGSS_ERROR
> [LOCAL] : RECV: TCP/IP close
> [LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_CLOSED
> [LOCAL] : Connected for 0 seconds, 1319 bytes sent, 1100 bytes received
A good connection should look like this:
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : GSS SPN : host@your-host.foo.com
[LOCAL] : SEND : KEXGSS_INIT [540 bytes]
[LOCAL] : RECV : KEXGSS_HOSTKEY
< [LOCAL] : RECV : KEXGSS_COMPLETE
< [LOCAL] : SEND : NEWKEYS
< [LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_EXPECT_NEWKEYS
< [LOCAL] : RECV : NEWKEYS
< [LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
< [LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
< [LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
< [LOCAL] : SENT : USERAUTH_REQUEST [gssapi-keyex]
< [LOCAL] : RECV : USERAUTH_FAILURE, continuations [gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive]
< [LOCAL] : SENT : USERAUTH_REQUEST [keyboard-interactive]
< [LOCAL] : RECV : SSH_MSG_USERAUTH_INFO_REQUEST[keyboard-interactive]
---
2. To fix: the Kerberos host file /etc/krb5/krb5.keytab is missing; restore the file. Problem solved.
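One way to script the check described above, as an added example that is not part of the original post: it counts the "accept_ctx died" lines in a log file and reports whether the keytab path is missing, empty or unreadable. The function names, verdict strings and the scratch-directory demo data are made up for illustration.

```shell
# Added example. Needs a POSIX shell; on Solaris 10 run it with ksh, bash or
# /usr/xpg4/bin/sh, because the legacy /bin/sh lacks $(...).

# Print how many sshd "accept_ctx died" lines the given log file contains.
count_accept_ctx() {
    n=$(grep -c 'sshd\[[0-9]*]: .*fatal: accept_ctx died' "$1" 2>/dev/null) || true
    echo "${n:-0}"    # an absent or unreadable log counts as 0 hits
}

# Print the state of a keytab path: missing, empty, unreadable or present.
keytab_state() {
    if   [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    elif [ ! -r "$1" ]; then echo unreadable
    else echo present
    fi
}

# diagnose LOGFILE [KEYTAB]: one verdict line; KEYTAB defaults to the page's path.
diagnose() {
    hits=$(count_accept_ctx "$1")
    state=$(keytab_state "${2:-/etc/krb5/krb5.keytab}")
    if [ "$hits" -eq 0 ]; then
        echo "no-symptom keytab=$state"
    elif [ "$state" = present ]; then
        echo "symptom hits=$hits keytab=present (look for another cause)"
    else
        echo "symptom hits=$hits keytab=$state (restore the keytab)"
    fi
}

# Constructed demo in a scratch directory: the two log lines quoted on this
# page plus one made-up unrelated line, checked against a keytab path that is
# first absent and then filled with a stand-in byte (not a real keytab).
demo_dir=$(mktemp -d)
cat > "$demo_dir/messages" <<'EOF'
Mar 24 06:23:12 your-host sshd[19553]: [ID 800047 auth.crit] fatal: accept_ctx died
Mar 24 06:23:25 your-host sshd[19629]: [ID 800047 auth.crit] fatal: accept_ctx died
Mar 24 06:24:01 your-host example[1]: constructed unrelated line
EOF
diagnose "$demo_dir/messages" "$demo_dir/krb5.keytab"
printf 'x' > "$demo_dir/krb5.keytab"
diagnose "$demo_dir/messages" "$demo_dir/krb5.keytab"
```

On a real server, call diagnose with the log file that receives the sshd messages. A keytab that exists can still hold the wrong keys; `klist -k /etc/krb5/krb5.keytab` lists the principals it contains.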
******** Bad connection full msg *********
[LOCAL] : SSH2Core version 6.1.0.383
[LOCAL] : Connecting to your-host.foo.com:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = "SSH-2.0-Sun_SSH_1.1"
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote uses SHA1 hash in RSA signatures for x.509v3
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : GSS : [Kerberos] SPN : host@your-host.foo.com
[LOCAL] : GSS : [Kerberos w/ Group Exchange] SPN : host@your-host.foo.com
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
[LOCAL] : Selected Send Cipher = aes128-cbc
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
[LOCAL] : Selected Recv Cipher = aes128-cbc
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none,zlib
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,zlib
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : GSS SPN : host@your-host.foo.com
[LOCAL] : SEND : KEXGSS_INIT [540 bytes]
[LOCAL] : RECV : KEXGSS_HOSTKEY
******** Bad connection full msg ends *********