Posts

SSH – Unspecified GSS failure

Recently I came across a problem with one system authenticating to another via ssh.

I added the public ssh key as an entry in ~/.ssh/authorized_keys, changed ownership to the proper user and also [cci]chmod 600 ~/.ssh/authorized_keys[/cci]. Still no dice.

Using [cci]ssh -vvv[/cci], the following error was returned while authenticating:

[cc]debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found[/cc]

Well, that is pretty non-specific. It is also a red herring: ssh tries the gssapi-with-mic method before publickey, and that line only says there was no Kerberos ticket cache for the GSSAPI attempt. It is harmless on its own and says nothing about why the key was refused; the reason for a publickey rejection is logged on the server side (journalctl -u sshd, or /var/log/secure on Red Hat style systems).

Permission problems are the number one cause of ssh authentication failures I run into, and since I thought I had set the permissions right, my next suspect was SELinux. Most providers disable SELinux right off the bat because of the 'problems' it causes, but some don't. It turned out this one has [cci]SELINUX=enforcing[/cci] (check with [cci]getenforce[/cci]). When the key file carries the wrong label, typically because the file or directory was moved in from somewhere else (mv keeps the old label) or restored from a backup, sshd is denied read access, and the denial shows up as an AVC record in /var/log/audit/audit.log. So, let's fix the SELinux labels by restoring the policy defaults:

[cc]/sbin/restorecon -r /root/.ssh[/cc]

This sets the context as follows:

[cc]# ls -Z authorized_keys
-rw-------. root root unconfined_u:object_r:ssh_home_t:s0 authorized_keys[/cc]

SSH should now authenticate.
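Since permissions and labels are the usual culprits, here is a pre-flight check that covers them in one go. This is an added example, not part of the original post: it checks the ownership and mode of the home directory, ~/.ssh and authorized_keys (sshd's default StrictModes refuses the key file if any of those is group/other-writable or owned by someone else) and, when SELinux is enforcing, that authorized_keys carries the ssh_home_t label. It assumes GNU coreutils (stat -c) and, for the SELinux part, getenforce; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for the
# things that most often break publickey auth on Linux. sshd (with the
# default StrictModes yes) refuses the key file if the home directory,
# ~/.ssh or authorized_keys is group/other-writable or owned by someone
# else, and with SELinux enforcing it also needs the ssh_home_t label.
# Assumes GNU coreutils (stat -c) and, for the SELinux part, getenforce.

# uid_of USER -> numeric uid; accepts a user name or an already numeric id
uid_of() { id -u "$1" 2>/dev/null || printf '%s\n' "$1"; }

# group_or_other_writable MODE -> true (0) if the octal MODE (e.g. 775)
# grants write to group or other, which is what StrictModes objects to
group_or_other_writable() {
    m=$1
    [ $(( (0$m >> 3) & 2 )) -ne 0 ] || [ $(( 0$m & 2 )) -ne 0 ]
}

# check_path PATH UID -> 0 if PATH is owned by UID and not group/other
# writable; every problem found is printed to stderr
check_path() {
    p=$1; want=$2; ok=0
    if [ "$(stat -c '%u' "$p")" != "$want" ]; then
        echo "$p: owned by uid $(stat -c '%u' "$p"), expected $want" >&2; ok=1
    fi
    if group_or_other_writable "$(stat -c '%a' "$p")"; then
        echo "$p: mode $(stat -c '%a' "$p") is group/other writable" >&2; ok=1
    fi
    return $ok
}

# check_ssh_perms HOME USER -> 0 when HOME, HOME/.ssh and
# HOME/.ssh/authorized_keys would pass sshd's checks, 1 otherwise
check_ssh_perms() {
    home=$1; uid=$(uid_of "$2"); rc=0
    ak="$home/.ssh/authorized_keys"
    [ -f "$ak" ] || { echo "$ak: missing" >&2; return 1; }
    for p in "$home" "$home/.ssh" "$ak"; do
        check_path "$p" "$uid" || rc=1
    done
    # SELinux only matters when the tools exist and the policy is enforcing
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        case "$(ls -Z "$ak" 2>/dev/null)" in
            *ssh_home_t*) ;;
            *) echo "$ak: SELinux label is not ssh_home_t; run restorecon -Rv $home/.ssh" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# Run as a script:  sh check_ssh_perms.sh --run /root root
if [ "${1:-}" = "--run" ]; then
    check_ssh_perms "${2:-$HOME}" "${3:-$(id -u)}"
fi
```

Run it as the user whose login is failing (or as root against that user's home); a non-zero exit with the reasons on stderr tells you which of chmod, chown or restorecon to reach for before touching sshd_config.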

Using rsync on an Alternate SSH Port or with OpenSSH Keys

A common recommendation is to run ssh on a non-standard port. It is not a security control in itself (key-only authentication is what actually keeps people out), but it does cut the log noise from mass scanners that only try port 22. Unfortunately some programs use port 22 by default and it isn't obvious what the switch is to change this port.

One of these programs is the eminently useful rsync. The man page does say how to do this, but it is easy to miss. You pass ssh options through rsync's -e (--rsh) option, which sets the remote shell program rsync uses to reach the other host; whatever you put there is run as-is, with the host name and the remote rsync command appended.

Using rsync on an alternate ssh port

[cc]rsync -avz -e "ssh -p $port" username@ip:/path/to/files/ /local/files/[/cc]

Using rsync with an openssh key

[cc]rsync -avz -e "ssh -i /path/to/private/key" username@ip:/path/to/files/ /local/files/[/cc]

Or with both an alternate port and openssh key:

[cc]rsync -avz -e "ssh -i /path/to/private/key -p $port" username@ip:/path/to/files/ /local/files/[/cc]

This can be used in a bash script if you set the $port variable, or directly on the command line by substituting the port number for $port. Two things worth knowing: -i only adds that key to the list ssh offers, so if an agent is loaded with several keys add -o IdentitiesOnly=yes to stop it trying the others first; and if you talk to the same host often, a Host block in ~/.ssh/config with Port and IdentityFile lets rsync, scp and git pick them up without any -e at all.
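As an added example (not from the original post), here is the alternate-port-plus-key invocation wrapped in a function, together with a demonstration of what -e actually is: rsync does not speak ssh itself, it execs the remote shell program as `<rsh> [-l user] host rsync --server ...` and runs the rsync protocol over that child's stdin and stdout. A fake transport that just drops the host name and execs the command locally makes that visible without a remote machine. The code assumes rsync and a POSIX sh are present; rsync_pull, make_fake_rsh and fake-rsh are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original post. Two things: a wrapper that runs
# rsync over ssh on a non-default port with a chosen key, and a look at what
# -e/--rsh really is. rsync does not speak ssh itself: it execs
#   <rsh> [-l user] host rsync --server ...
# and runs the rsync protocol over that child's stdin/stdout. A fake
# transport that drops the host name and runs the command locally makes
# that visible without a remote machine. Assumes rsync and a POSIX sh;
# the function names and fake-rsh are this example's own.

# rsync_pull PORT KEY SRC DST [extra rsync options...]
# Pull SRC (user@host:/path/) into DST over ssh on PORT with identity KEY.
# IdentitiesOnly=yes keeps ssh from offering every agent key before KEY,
# which can otherwise burn through the server's MaxAuthTries.
rsync_pull() {
    port=$1; key=$2; src=$3; dst=$4; shift 4
    rsync -avz -e "ssh -p $port -i $key -o IdentitiesOnly=yes" "$@" "$src" "$dst"
}

# make_fake_rsh DIR -> path of an executable obeying the rsh contract:
# it records the argv rsync hands it in DIR/rsh.log, discards the host
# name and execs the rest ("rsync --server ...") locally.
make_fake_rsh() {
    f=$1/fake-rsh
    cat > "$f" <<'EOF'
#!/bin/sh
# argv as rsync builds it: [-l user] host command args...
case "$1" in
    -l)   shift 2 ;;    # "-l user" as two words
    -l?*) shift ;;      # "-luser" as one word
esac
printf '%s\n' "$@" > "$(dirname "$0")/rsh.log"
shift                   # drop the host name
exec "$@"               # stdio is already wired to the calling rsync
EOF
    chmod 700 "$f"
    printf '%s\n' "$f"
}

# rsync_via_fake_rsh SRCDIR DSTDIR WORKDIR -> 0 on success; copies SRCDIR/
# to DSTDIR/ "remotely" through the fake transport built in WORKDIR, using
# the same user@host:path syntax a real pull over ssh would use
rsync_via_fake_rsh() {
    rsh=$(make_fake_rsh "$3")
    rsync -a -e "$rsh" "backup@ignored-host:$1/" "$2/"
}
```

After a run through the fake transport, WORKDIR/rsh.log holds exactly the command line rsync handed to its remote shell, which is the quickest way to see why quoting inside -e matters: the string is split on whitespace before the host name and the remote rsync command are appended.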

If you don't use rsync for remote file transfer, I highly recommend it. For repeated syncs it is much faster than scp over ssh, because it only sends the parts of files that changed rather than copying everything again.