Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"

Nogin, Aleksey anogin@hrl.com
Fri Jun 14 21:39:00 GMT 2013

I am experiencing the same error that Corinna Vinschen have reported on cygwin-apps mailing list about a year ago without any obvious resolution(*), and I was wondering whether somebody was able to resolve it since.

I am running Heimdal's kinit (as came with MobaXterm 6.2) under Windows 7 to get a ticket from a Windows AD, and then ssh'ing into RHEL 5 and 6 boxes set up to use pam_krb to authenticate against the same Windows AD.  gssapi-with-mic authentication succeeds, but credential delegation does not, and I see the same "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10" error(**) previously reported. This is an issue in my environment, where Kerberos-secured NFS is used to provide access to home directories.

One thing I did notice is that when I ssh into an RHEL box, afterwards kinit on the client (Cygwin) side shows a ticket for the RHEL host (as expected), yet it shows that the ticket lacks the "forwardable" flag, which would probably explain the failure to delegate credentials. So perhaps this is a problem with the SSH client on the Cygwin end ("ssh -V" reports "OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012"), rather than Heimdal's? The libdefaults section in krb5.conf on Cygwin does contain "forwardable = yes" and in contract to how it happens on Cygwin, the Linux->Linux ssh that does delegate credentials correctly also does obtain a forwardable ticket on the client side.

TIA for any help.


(*) The last message of the thread at http://cygwin.com/ml/cygwin-apps/2012-03/msg00156.html ends with "Oh well, I guess I just give up.  You proved that it works and I'm trying a pretty unlikely combination." I guess I am trying an unlikely combination too :-(

(**) Here is the full output (RHEL 5 version; RHEL 6 is virtually the same, with OpenSSH_5.3 on the other end).
% ssh -v XXXhostXXX
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/mobaxterm/.ssh/config
debug1: /home/mobaxterm/.ssh/config line 24: Applying options for *
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to XXXhostXXX [IP.IP.IP.IP] port 22.
debug1: Connection established.
debug1: identity file /home/mobaxterm/.ssh/id_rsa type 1
debug1: identity file /home/mobaxterm/.ssh/id_rsa-cert type -1
debug1: identity file /home/mobaxterm/.ssh/id_dsa type -1
debug1: identity file /home/mobaxterm/.ssh/id_dsa-cert type -1
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa type -1
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA XX:XX:XX:...
debug1: Host 'XXXhostXXX' is known and matches the RSA host key.
debug1: Found key in /home/mobaxterm/.ssh/known_hosts:16
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1:  Miscellaneous failure (see text)
unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10

debug1: Delegating credentials
debug1: Delegating credentials
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to XXXhostXXX ([IP.IP.IP.IP]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: No xauth program.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.

Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

More information about the Cygwin mailing list