Delegating GSS credentials fails

From: Eric Knauel (knauel_at_informatik.uni-tuebingen.de)
Date: 04/29/04

    To: secureshell@securityfocus.com
    Date: Thu, 29 Apr 2004 16:33:29 +0200
    
    

    Hi,

    I'm trying to set up OpenSSH 3.8.1p1 for use with GSS and Kerberos 5
    --- and it works almost fine. There are several FreeBSD 5.2 machines
    here that run a sshd with GSSAPIAuthentication turned on. Together
    with GSSAPIAuthentication and GSSAPIDelegateCredentials turned on in
    ssh_config, I can forward my Kerberos 5 ticket and log on to every
    machine without having to provide a password. All the FreeBSD
    machines use Heimdal.

    However, obtaining a ticket on a FreeBSD machine and forwarding it to
    an OS X machine (v10.3.2) with the same ssh/sshd setup fails. The
    sshd on the OS X machine just sits there forever (in select()). On
    the other hand, I can forward the tickets obtained on an OS X machine
    to a FreeBSD machine without problems.

    Here are some debug logs. First, a FreeBSD client (duff) that is
    talking to the OS X machine, which is exactly the case where
    forwarding fails:

    ,----
    | [knauel@duff ~] klist
    | Credentials cache: FILE:/tmp/krb5cc_Kd1UdA
    | Principal: knauel@INFORMATIK.UNI-TUEBINGEN.DE
    |
    | Issued Expires Principal
    | Apr 29 15:48:59 Apr 30 16:48:59 krbtgt/INFORMATIK.UNI-TUEBINGEN.DE@INFORMATIK.UNI-TUEBINGEN.DE
    | Apr 29 15:48:59 Apr 30 16:48:59 afs@INFORMATIK.UNI-TUEBINGEN.DE
    | [knauel@duff ~] ssh -v -F ~/.ssh/config-gss midgard
    | OpenSSH_3.8.1p1, OpenSSL 0.9.7c 30 Sep 2003
    | debug1: Reading configuration data /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/config-gss
    | debug1: Connecting to midgard [134.2.12.82] port 22.
    | debug1: Connection established.
    | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/identity type -1
    | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_rsa type -1
    | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_dsa type 2
    | debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
    | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
    | debug1: Enabling compatibility mode for protocol 2.0
    | debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
    | debug1: SSH2_MSG_KEXINIT sent
    | debug1: SSH2_MSG_KEXINIT received
    | debug1: kex: server->client aes128-cbc hmac-md5 none
    | debug1: kex: client->server aes128-cbc hmac-md5 none
    | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    | debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    | debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    | debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    | debug1: Host 'midgard' is known and matches the RSA host key.
    | debug1: Found key in /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/known_hosts:191
    | debug1: ssh_rsa_verify: signature correct
    | debug1: SSH2_MSG_NEWKEYS sent
    | debug1: expecting SSH2_MSG_NEWKEYS
    | debug1: SSH2_MSG_NEWKEYS received
    | debug1: SSH2_MSG_SERVICE_REQUEST sent
    | debug1: SSH2_MSG_SERVICE_ACCEPT received
    | debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
    | debug1: Next authentication method: gssapi-with-mic
    | debug1: Delegating credentials
    | [ Ends here, hangs forever ]
    `----

    The OS X machine on the other side says:

    ,----
    | %/usr/openssh/sbin/sshd -d -d
    | debug2: read_server_config: filename /etc/openssh/sshd_config
    | debug1: sshd version OpenSSH_3.8.1p1
    | debug1: read PEM private key done: type RSA
    | debug1: private host key: #0 type 1 RSA
    | debug1: read PEM private key done: type DSA
    | debug1: private host key: #1 type 2 DSA
    | debug1: Bind to port 22 on ::.
    | debug1: Bind to port 22 on 0.0.0.0.
    | Server listening on 0.0.0.0 port 22.
    | debug1: Server will not fork when running in debugging mode.
    | Connection from 134.2.12.76 port 49992
    | debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
    | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
    | debug1: Enabling compatibility mode for protocol 2.0
    | debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
    | debug2: Network child is on pid 15624
    | debug1: permanently_set_uid: 75/75
    | debug1: list_hostkey_types: ssh-rsa,ssh-dss
    | debug1: SSH2_MSG_KEXINIT sent
    | debug1: SSH2_MSG_KEXINIT received
    | debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    | debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    | debug2: kex_parse_kexinit: none,zlib
    | debug2: kex_parse_kexinit: none,zlib
    | debug2: kex_parse_kexinit:
    | debug2: kex_parse_kexinit:
    | debug2: kex_parse_kexinit: first_kex_follows 0
    | debug2: kex_parse_kexinit: reserved 0
    | debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    | debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    | debug2: kex_parse_kexinit: none,zlib
    | debug2: kex_parse_kexinit: none,zlib
    | debug2: kex_parse_kexinit:
    | debug2: kex_parse_kexinit:
    | debug2: kex_parse_kexinit: first_kex_follows 0
    | debug2: kex_parse_kexinit: reserved 0
    | debug2: mac_init: found hmac-md5
    | debug1: kex: client->server aes128-cbc hmac-md5 none
    | debug2: mac_init: found hmac-md5
    | debug1: kex: server->client aes128-cbc hmac-md5 none
    | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
    | debug2: monitor_read: 0 used once, disabling now
    | debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
    | debug2: dh_gen_key: priv key bits set: 122/256
    | debug2: bits set: 512/1024
    | debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
    | debug2: bits set: 517/1024
    | debug2: monitor_read: 4 used once, disabling now
    | debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
    | debug2: kex_derive_keys
    | debug2: set_newkeys: mode 1
    | debug1: SSH2_MSG_NEWKEYS sent
    | debug1: expecting SSH2_MSG_NEWKEYS
    | debug2: set_newkeys: mode 0
    | debug1: SSH2_MSG_NEWKEYS received
    | debug1: KEX done
    | debug1: userauth-request for user knauel service ssh-connection method none
    | debug1: attempt 0 failures 0
    | debug2: monitor_read: 6 used once, disabling now
    | debug2: input_userauth_request: setting up authctxt for knauel
    | debug2: input_userauth_request: try method none
    | debug2: monitor_read: 3 used once, disabling now
    | Failed none for knauel from 134.2.12.76 port 49992 ssh2
    | Failed none for knauel from 134.2.12.76 port 49992 ssh2
    | debug1: userauth-request for user knauel service ssh-connection method gssapi-with-mic
    | debug1: attempt 1 failures 1
    | debug2: input_userauth_request: try method gssapi-with-mic
    | Postponed gssapi-with-mic for knauel from 134.2.12.76 port 49992 ssh2
    | debug1: Got no client credentials
    | [ Ends here, hangs forever ]
    `----

    Here, it's claiming that sshd has received no credentials, which is
    what I don't understand.

    When I ssh from the OS X machine midgard (which uses MIT Kerberos +
    krbafs 1.2) to itself, delegating credentials seems to work fine:

    ,----
    | [...]
    | debug1: userauth-request for user knauel service ssh-connection method none
    | debug1: attempt 0 failures 0
    | debug2: monitor_read: 6 used once, disabling now
    | debug2: input_userauth_request: setting up authctxt for knauel
    | debug2: input_userauth_request: try method none
    | debug2: monitor_read: 3 used once, disabling now
    | Failed none for knauel from 134.2.12.82 port 52578 ssh2
    | Failed none for knauel from 134.2.12.82 port 52578 ssh2
    | debug1: userauth-request for user knauel service ssh-connection method gssapi-with-mic
    | debug1: attempt 1 failures 1
    | debug2: input_userauth_request: try method gssapi-with-mic
    | Postponed gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
    | debug1: Received some client credentials
    | Authorized to knauel, krb5 principal knauel@INFORMATIK.UNI-TUEBINGEN.DE (krb5_kuserok)
    | Accepted gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
    | debug1: monitor_child_preauth: knauel has been authenticated by privileged process
    | Accepted gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
    | debug2: mac_init: found hmac-md5
    | debug2: mac_init: found hmac-md5
    | debug2: User child is on pid 15835
    | debug1: permanently_set_uid: 5324/3010
    | debug2: set_newkeys: mode 0
    | debug2: set_newkeys: mode 1
    | debug1: Entering interactive session for SSH2.
    | [...]
    `----

    The other end:

    ,----
    | [knauel@midgard ~] klist -f
    | Kerberos 5 ticket cache: 'API:Initial default ccache'
    | Default Principal: knauel@INFORMATIK.UNI-TUEBINGEN.DE
    | Valid Starting Expires Service Principal
    | 04/29/04 15:47:46 04/30/04 01:47:46 krbtgt/INFORMATIK.UNI-TUEBINGEN.DE@INFORMATIK.UNI-TUEBINGEN.DE
    | renew until 05/06/04 15:47:46, FPRI
    | 04/29/04 15:47:56 04/30/04 01:47:46 afs@INFORMATIK.UNI-TUEBINGEN.DE
    | renew until 05/06/04 15:47:46, FPRT
    | 04/29/04 15:48:05 04/30/04 01:47:46 host/duff.informatik.uni-tuebingen.de@INFORMATIK.UNI-TUEBINGEN.DE
    | renew until 05/06/04 15:47:46, FPRT
    |
    | [knauel@midgard ~] ssh -v midgard
    | OpenSSH_3.8.1p1, OpenSSL 0.9.7b 10 Apr 2003
    | debug1: Reading configuration data /etc/openssh/ssh_config
    | debug1: Connecting to midgard [134.2.12.82] port 22.
    | debug1: Connection established.
    | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/identity type 0
    | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_rsa type -1
    | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_dsa type 2
    | debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
    | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
    | debug1: Enabling compatibility mode for protocol 2.0
    | debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
    | debug1: SSH2_MSG_KEXINIT sent
    | debug1: SSH2_MSG_KEXINIT received
    | debug1: kex: server->client aes128-cbc hmac-md5 none
    | debug1: kex: client->server aes128-cbc hmac-md5 none
    | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    | debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    | debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    | debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    | debug1: Host 'midgard' is known and matches the RSA host key.
    | debug1: Found key in /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/known_hosts:191
    | debug1: ssh_rsa_verify: signature correct
    | debug1: SSH2_MSG_NEWKEYS sent
    | debug1: expecting SSH2_MSG_NEWKEYS
    | debug1: SSH2_MSG_NEWKEYS received
    | debug1: SSH2_MSG_SERVICE_REQUEST sent
    | debug1: SSH2_MSG_SERVICE_ACCEPT received
    | debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
    | debug1: Next authentication method: gssapi-with-mic
    | debug1: Delegating credentials
    | debug1: Delegating credentials
    | debug1: Authentication succeeded (gssapi-with-mic).
    | debug1: channel 0: new [client-session]
    | debug1: Entering interactive session.
    `----

    Any ideas why this is not working?

    -Eric

    -- 
    "Excuse me --- Di Du Du Duuuuh Di Dii --- Huh Weeeheeee" (Albert King)
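An added illustration, not part of Eric's post and not code from OpenSSH, Heimdal or MIT Kerberos: a small Python checker for the two ends of a GSSAPI delegation attempt as they appear in the logs above. On the client it parses MIT-style `klist -f` output and checks that the krbtgt carries the F (forwardable) flag, since GSSAPIDelegateCredentials cannot forward a ticket that is not forwardable; on the server it classifies `sshd -d -d` output by the "Got no client credentials" / "Received some client credentials" lines that distinguish the failing and working cases in the post. The sample inputs are constructed to mirror the formats shown; principals, hosts and addresses are placeholders, and the `klist` parser targets only the MIT output format (the Heimdal `klist` output in the post prints no flags).

```python
"""Check both ends of an OpenSSH GSSAPI credential-delegation attempt.

Added example (not from the original post). Parses MIT `klist -f` output
on the client and `sshd -d -d` output on the server. Sample data below is
constructed; realm, principals and addresses are placeholders.
"""
import re

# Constructed MIT-style `klist -f` output, mirroring the post's format.
KLIST_MIT_SAMPLE = """\
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default Principal: user@EXAMPLE.REALM
Valid Starting     Expires            Service Principal
04/29/04 15:47:46  04/30/04 01:47:46  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
        renew until 05/06/04 15:47:46, FPRI
04/29/04 15:48:05  04/30/04 01:47:46  host/server.example.realm@EXAMPLE.REALM
        renew until 05/06/04 15:47:46, FPRT
"""

# Same cache shape, but the TGT was obtained without the forwardable flag.
KLIST_NOT_FORWARDABLE = """\
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default Principal: user@EXAMPLE.REALM
Valid Starting     Expires            Service Principal
04/29/04 15:47:46  04/30/04 01:47:46  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
        renew until 05/06/04 15:47:46, PRI
"""

# Constructed sshd -d -d excerpts: the failing and the working case.
SSHD_LOG_NO_DELEGATION = """\
debug1: userauth-request for user user service ssh-connection method gssapi-with-mic
Postponed gssapi-with-mic for user from 192.0.2.10 port 49992 ssh2
debug1: Got no client credentials
"""

SSHD_LOG_DELEGATED = """\
debug1: userauth-request for user user service ssh-connection method gssapi-with-mic
Postponed gssapi-with-mic for user from 192.0.2.11 port 52578 ssh2
debug1: Received some client credentials
Authorized to user, krb5 principal user@EXAMPLE.REALM (krb5_kuserok)
Accepted gssapi-with-mic for user from 192.0.2.11 port 52578 ssh2
"""

# A ticket line: "start  expires  service-principal" with MM/DD/YY HH:MM:SS stamps.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$"
)
# The indented continuation line that carries the flag letters (with or
# without a "renew until ..." prefix and with or without a "Flags:" label).
FLAGS_RE = re.compile(
    r"^\s+(?:renew until .*?,\s*)?(?:Flags:\s*)?([A-Za-z]+)\s*$"
)


def parse_klist_flags(text):
    """Map each service principal in MIT `klist -f` output to its flag string."""
    flags = {}
    current = None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(3)
            flags.setdefault(current, "")
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = m.group(1)
    return flags


def tgt_forwardable(flags):
    """True if some krbtgt entry carries the F (forwardable) flag."""
    return any(p.startswith("krbtgt/") and "F" in f for p, f in flags.items())


def classify_gssapi_auth(log):
    """Summarise a gssapi-with-mic attempt from sshd -d -d output."""
    result = {"attempted": False, "delegated": None, "accepted": False}
    for line in log.splitlines():
        if "method gssapi-with-mic" in line:
            result["attempted"] = True
        elif "Got no client credentials" in line:
            result["delegated"] = False
        elif "Received some client credentials" in line:
            result["delegated"] = True
        elif line.startswith("Accepted gssapi-with-mic"):
            result["accepted"] = True
    return result


def delegation_report(klist_text, sshd_log):
    """Combine the client-side and server-side checks into findings."""
    findings = []
    flags = parse_klist_flags(klist_text)
    if not any(p.startswith("krbtgt/") for p in flags):
        findings.append("client: no krbtgt in credential cache")
    elif not tgt_forwardable(flags):
        findings.append("client: TGT lacks the F flag, so it cannot be delegated")
    auth = classify_gssapi_auth(sshd_log)
    if auth["delegated"] is False:
        findings.append("server: 'Got no client credentials' - nothing was delegated")
    elif auth["delegated"]:
        findings.append("server: delegated credentials received")
    if auth["attempted"] and not auth["accepted"]:
        findings.append("server: gssapi-with-mic never reached Accepted")
    return findings


if __name__ == "__main__":
    for f in delegation_report(KLIST_MIT_SAMPLE, SSHD_LOG_NO_DELEGATION):
        print(f)
```

Run it against real output by substituting the captured `klist -f` and `sshd -d -d` text for the constructed samples; a forwardable TGT on the client combined with "Got no client credentials" on the server narrows the problem to what the two GSSAPI libraries exchange, rather than to the ticket itself.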