How to debug ssh authentication failures with gssapi-with-mic

Question

when i ssh to DOMAIN\user@localhosts-name authentication works fine through gssapi-with-mic:

debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 112 bytes for a total of 1255
debug1: Delegating credentials
debug3: Wrote 2816 bytes for a total of 4071
debug1: Delegating credentials
debug3: Wrote 80 bytes for a total of 4151
debug1: Authentication succeeded (gssapi-with-mic).

when I connect to a different machine It just seems to stop half way through the gssapi-with-mic authentication:

debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 112 bytes for a total of 1255
debug1: Delegating credentials
debug3: Wrote 2816 bytes for a total of 4071  <----- ????
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive

How should I go about finding out what happened differently the second time. How can I find out if/why the auth was rejected by kerberos?

Answer 1

The technique I use in this situation is to start up a separate sshd service on a different port on the target host, and then turn up the debug level there:

# /usr/sbin/sshd -d -d -d -p 2233

Then, you can connect from the source to the target at the new port:

$ ssh user@hostname -p 2233

The server's debug log often has more pertinent information than the client's. Also note, the sshd service running in debug mode will die after each connection, so you'll have to restart it each time you connect.