http://bjoernstechblog.rueffer.info/posts/macports/kerberos/ssh/mac/2012/11/28/KerberosAFS-Problems-with-SSH/
last updated on 25 May 2018

28 November 2012

Kerberos/AFS Problems with SSH

For most of this year I had a lot of trouble ssh-ing into campus computers from my Mac using Kerberos authentication. Sometimes it would work, sometimes it would not, and sometimes I could log in but on the remote side my AFS home directory would not get mounted. With ssh in verbose mode (-v), I would see strange error messages like these:

debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1:  Miscellaneous failure (see text)
PROCESS_TGS (negative cache)

debug1:  An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1:  An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5

What was going on?

It turns out that the OpenSSH version used by my institution's IT department is a bit outdated (the version string is OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010). Even more outdated is the version supplied with Mac OS X (for me that is Snow Leopard 10.6.8):

localhost:~ user$ /usr/bin/ssh -V
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011

Now, to cut a long and debilitating story short, here’s the answer: Use a more current version of OpenSSH.

For example, you might use MacPorts to install a more current version of OpenSSH. In my case this is

localhost:~ user$ /opt/local/bin/ssh -V
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012

It might also help to remove (or rename) the file ~/.ssh/config, as it may contain obsolete settings that cause problems (for me that was the case). Also make sure the newer binary is the one that actually runs: /opt/local/bin has to come before /usr/bin in your PATH, or you have to call /opt/local/bin/ssh explicitly, otherwise typing ssh still gives you the Apple version. Now I can log in to my department's IT facilities remotely based on Kerberos authentication without any hassle at all.
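The checks the fix above depends on, as an added example (my shell script, not code from the original post): which ssh binary runs when you type ssh, whether its version is at least the 6.1 that worked here, and whether ~/.ssh/config carries directives that only the GSSAPI key-exchange patched builds (Apple's, Debian/Ubuntu's) understand and a stock OpenSSH rejects with "Bad configuration option". Everything named in it is an assumption: the /opt/local/bin path from MacPorts, the 6.1 threshold, the placeholder host pattern *.campus.example, and the sample config files, which are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic for the problem described above (example code, not from the post).
# Assumptions: MacPorts installs to /opt/local/bin; 6.1 is used as the "new enough"
# threshold only because that version worked for the author.

# Pull "major minor" out of an `ssh -V` banner such as
# "OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011".
openssh_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Exit 0 when the banner's version is at least MIN_MAJOR.MIN_MINOR.
openssh_at_least() {
    banner=$1 min_major=$2 min_minor=$3
    set -- $(openssh_major_minor "$banner")
    [ $# -eq 2 ] || return 1   # unparseable banner (not OpenSSH): treat as too old
    [ "$1" -gt "$min_major" ] || { [ "$1" -eq "$min_major" ] && [ "$2" -ge "$min_minor" ]; }
}

# Directives that exist only in the GSSAPI key-exchange patch carried by the Apple
# and Debian/Ubuntu builds. A stock OpenSSH (MacPorts without the gsskex variant)
# refuses to start with "Bad configuration option" when it meets one of them.
PATCH_ONLY_DIRECTIVES='GSSAPIKeyExchange GSSAPITrustDNS GSSAPIClientIdentity GSSAPIRenewalForcesRekey'

# Count non-comment lines of an ssh_config file that use one of those directives
# (both "Key value" and "Key=value" spellings); the count goes to stdout.
patch_only_directive_count() {
    count=0
    for d in $PATCH_ONLY_DIRECTIVES; do
        n=$(grep -ic "^[[:space:]]*$d[[:space:]=]" "$1" || true)
        count=$((count + n))
    done
    echo "$count"
}

# Constructed sample of the kind of stale ~/.ssh/config that breaks a stock
# OpenSSH (not the author's real file): it was fine for the Apple ssh only.
write_constructed_stale_config() {
    cat > "$1" <<'EOF'
# written when the Apple ssh was the only ssh on the box
Host *
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
    GSSAPIDelegateCredentials yes
EOF
}

# Minimal replacement that stock OpenSSH accepts. Delegation forwards your
# Kerberos TGT to the remote host (which is what lets the remote side obtain AFS
# tokens for your home directory), so it is enabled only for the campus pattern
# given as $2 and switched off for everything else.
write_minimal_config() {
    cat > "$1" <<EOF
Host $2
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# Report on this machine; skipped quietly where no ssh is installed.
if ssh_path=$(command -v ssh 2>/dev/null); then
    banner=$("$ssh_path" -V 2>&1)
    echo "ssh resolves to $ssh_path: $banner"
    if openssh_at_least "$banner" 6 1; then
        echo "version is at least 6.1"
    else
        echo "older than 6.1: put /opt/local/bin before /usr/bin in PATH or call /opt/local/bin/ssh explicitly"
    fi
fi
if [ -f "$HOME/.ssh/config" ]; then
    echo "patch-only GSSAPI directives in ~/.ssh/config: $(patch_only_directive_count "$HOME/.ssh/config")"
fi
```

Run it with sh; a non-zero count for ~/.ssh/config is a direct hint that the file was written for the Apple build and will have to be trimmed before the MacPorts ssh accepts it. Keeping GSSAPIDelegateCredentials restricted to a host pattern matters because a delegated TGT lets the remote host act as you toward every Kerberized service until it expires.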

Björn Rüffer — Copyright © 2009–2018 — bjoern.rueffer.info