Check the host/* principal on the system to which you were authenticating.
I bet that the REQUIRES_PRE_AUTH flag was set for it, which means that
only tickets that are pre-authenticated can authenticate to that service
principal.

Indeed, that was it! Russ saves the day again.

Curious: I assume that the failure mode here is some variation on the
sshd machine asking the KDC for a delegation and the KDC refusing. Does
the refusal include enough information to produce an error message
(either in the sshd log or elsewhere) mentioning this as the reason for
the failure?

In general I find that sshd really does a very poor job explaining the
reason why things went wrong when it comes to Kerberos/GSSAPI. I've got
some free cycles this summer that I can put towards fixing that if it's
something that can be fixed.

- a

The behavior caused by setting REQUIRES_PRE_AUTH on principals to which
one authenticates rather than principals one authenticates as always
strikes me as surprising, unexpected, and unintuitive.
I believe it fails even if you're not doing delegation. I believe the KDC
refuses to issue you a service ticket for a principal with
REQUIRES_PRE_AUTH set if your TGT is not tagged as preauthenticated. But
I don't remember the details of the research that I did when I ran into
this. (We just cleared that flag from principals like host/* principals
and moved on with our lives; given that they're randomly generated keys,
hopefully brute force attacks are difficult anyway.)
ssh (well, OpenSSH) never reports useful error messages by default for
anything related to GSSAPI.
I haven't looked at the code personally, but what I recall from what other
people have said is that the code is structured so that doing proper error
reporting is fairly difficult. It can also quite hard to get OpenSSH
upstream to take GSSAPI-related patches, depending on how those patches
strike them.

There's a few factors at play here.

Firstly, the client only reports GSSAPI errors if it's run with the -v flag. This was a requirement when the code was originally pulled into OpenSSH, as they wanted to avoid alarming users who knew nothing about Kerberos/GSSAPI with the opaque error messages produced by GSSAPI at the time. Fixing this would be fairly straightforwards - getting those fixes into OpenSSH, less so.

Secondly, GSSAPI libraries have historically produced pretty poor error messages "See etext for details" being a great example of this. The only way to solve this is to improve the information that comes out of your library. I think MIT have done some recent work on this.

Thirdly, there's no communication of server errors back to the client. This is partly deliberate, as telling the client why an operation failed can, in some environments, be an information leak. My original GSSAPI patch had support for sending this information, based on configuration settings. When I was trying to get the GSSAPI code into OpenSSH, this was one of the things that got dropped in order to reduce code complexity.
Unless you have the patience and perseverance of Sisyphus, I wouldn't even consider trying to get GSSAPI code into OpenSSH. Success in getting even small, platform compatibility based changes into the upstream distribution has been geologically slow at best.

Cheers,

Simon.

We are open to suggestions about how to remedy this behavior. I think
it stems from the KDB flag REQUIRES_PRE_AUTH being overloaded with two
mostly unrelated meanings: (1) require preauthentication when the
specified client obtains initial tickets; (2) require that any
client's service ticket have the "preauthenticated" flag set when
presented to a specified service.

How many people have a security policy that requires behavior (2)
above? If so, is it necessary to conflate that behavior with behavior
(1)?
That matches my recollection, but I haven't examined the relevant code
recently.

I can see how it might be difficult to get a message back to the client,
but it can't be all that hard to syslog it at the server... I don't find
that too discouraging.
This, on the other hand, is very discouraging.

Thanks for the heads-up.

- a