[lug] ssh hang mystery
D. Stimits
stimits at comcast.net
Sat Dec 23 19:08:02 MST 2006
I had configured a CentOS 4.4 server with a static non-routable IP
address, and worked on it via ssh (password login) for several weeks. I
then changed the address to a routable public IP and moved it to a
public network. Firewalling has been configured to allow all ports of
tcp and udp from my one IP address outside, and the outside world is
able to ping the interface or bring up the web server. From inside a
local server login, I'm able to ssh to my outside machine as well.
Well...ssh now hangs when trying to reach the server from the outside. I
deleted the keys in the client known_hosts file, and it asks if I want
to allow the key, I say yes, it all looks good. Then it just hangs and
never finishes logging in. So ssh connects, negotiates keys, and then
just sits there. ssh -vvv shows:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
That last line is it...it hangs forever, then drops after a long period.
I don't know what gssapi is, although it seems to be a protocol that's
useful for ssh. I've never changed this setting, the server sshd_config
has this though:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
On the server side, with the daemon set to verbose logging, all I see is
this:
sshd[12092]: Failed none for USERNAME from xxx.xxx.xxx.xxx port 39431 ssh2
(I substituted the IP address and username)
It seems that by changing the IP address that something else has become
confused (in addition to myself), or in need of other configuration
changes. I tried a number of changes, none helped. In order to work on
it, I have to drive out to the facility (easier said than done in the
snow, I already got stuck once trying), so I wanted to have a good idea
of what to change before I go there. Can anyone give any suggestions on
this? Is gssapi messing it up? If so, why didn't it mess it up before?
D. Stimits, stimits AT comcast DOT net
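The isolation check a responder would run next, added here as an example that is not part of the original post. It assumes an OpenSSH client; USER and HOST are placeholders, and the sample transcript is the post's own debug output reflowed onto single lines.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an OpenSSH client.

# Classify a saved `ssh -vvv` transcript by its final debug line. If the
# client stopped right after sending the gssapi-with-mic request, the hang
# sits in the GSSAPI step rather than in TCP, key exchange or password auth.
classify_ssh_debug() {
    last=$(grep '^debug' "$1" | tail -n 1)
    case "$last" in
        *"we sent a gssapi-with-mic packet, wait for reply"*) echo gssapi-wait ;;
        *"Authentication succeeded"*) echo ok ;;
        *) echo other ;;
    esac
}

# Build the one-off retry that skips GSSAPI on the client side only. If this
# command reaches the password prompt, the GSSAPI exchange is the culprit;
# the durable fix is then `GSSAPIAuthentication no` in the client's
# ~/.ssh/config (or in the server's sshd_config). USER/HOST are placeholders.
probe_cmd() {
    printf 'ssh -v -o GSSAPIAuthentication=no %s@%s' "$1" "$2"
}

# Constructed sample transcript: the lines quoted in the post, one per line.
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
EOF
}

# Usage: capture a real attempt with `ssh -vvv USER@HOST 2> ssh.log`, then
# `classify_ssh_debug ssh.log`; on "gssapi-wait", run `$(probe_cmd USER HOST)`.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_log > "$tmp"
    echo "verdict: $(classify_ssh_debug "$tmp")"
    echo "retry with: $(probe_cmd USER HOST)"
    rm -f "$tmp"
fi
```

Run with `--demo` to see the verdict on the post's own transcript; the real transcript is whatever `ssh -vvv` writes to stderr on the hanging attempt.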