Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)
stevendavidruiz_at_gmail.com
Date: 10/14/05
- Next message: Kevin J Kalupson: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
- Previous message: Richard E. Silverman: "Re: X11 forwarding over non X11 hop"
- Next in thread: Kevin J Kalupson: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
- Reply: Kevin J Kalupson: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
- Reply: Sensei: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 14 Oct 2005 12:05:01 -0700
Hi All -
this is really bugging me - I can't get this to work. I have
everything working - ssh, pam, ldap, etc., but ssh always asks me for a
password, even when I have a valid kerberos ticket (I can login fine if
I enter my kerberos password). I've searched and searched for the
answer, but haven't found anything that helps me :(. We have this
working at another site with openssh 3.6p1, but 4.2p1 doesn't like me.
Has anybody accomplished this with a newer version of openssh (one that
no longer supports the "KerberosTgtForward yes" option)?
This is the most glaring error I see when I debug the ssh connections:
[ID 800047 auth.debug] debug1: Miscellaneous failure\nNo principal in keytab matches desired name
My config is as follows:
Solaris OpenLDAP server
Windows 2003 Domain controller (kerberos KDC)
Solaris 9 clients
openssh 4.2p1
[root@uxprdadm01 root]# klist
================================
Ticket cache: /tmp/krb5cc_0
Default principal: stever@WIN.DOMAIN
Valid starting              Expires                     Service principal
Fri Oct 14 13:47:01 2005    Fri Oct 14 23:47:01 2005    krbtgt/WIN.DOMAIN@WIN.DOMAIN
        renew until Fri Oct 21 13:47:01 2005
Fri Oct 14 13:47:17 2005    Fri Oct 14 23:47:01 2005    host/uxprdde01.F.Q.D.N.com@WIN.DOMAIN
        renew until Fri Oct 21 13:47:01 2005
================================
krb5.keytab:
================================
bash-2.05# klist -k krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/uxprdde01.F.Q.D.N.com@WIN.DOMAIN
bash-2.05#
================================
ssh was configured with:
================================
./configure --prefix=/usr/local --with-pam --with-kerberos5=/usr/local/lib
================================
sshd_config: (I've tried so many combinations of the kerberos, gssapi,
usepam, and other auth options, this is just my last iteration)
================================
cat sshd_config
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Port 2222
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Logging
SyslogFacility AUTH
LogLevel DEBUG
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
ChallengeResponseAuthentication=yes
UsePAM yes
UsePrivilegeSeparation no
================================
Kerberos config:
================================
bash-2.05# cd /etc/krb5
bash-2.05# more krb5.conf
[libdefaults]
default_realm = WIN.DOMAIN
forwardable = true
[realms]
WIN.DOMAIN = {
kdc = win2k3_dc.F.Q.D.N.com
admin_server = win2k3_dc.F.Q.D.N.com
}
[domain_realm]
.F.Q.D.N.com = WIN.DOMAIN
F.Q.D.N.com = WIN.DOMAIN
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}
================================
Log from sshd:
================================
Oct 14 14:46:42 uxprdde01 sshd[1921]: [ID 800047 auth.info] Connection closed by 10.2.80.25
Oct 14 14:46:42 uxprdde01 sshd[1921]: [ID 800047 auth.debug] debug1: do_cleanup
Oct 14 14:46:48 uxprdde01 sshd[1853]: [ID 800047 auth.debug] debug1: fd 5 clearing O_NONBLOCK
Oct 14 14:46:48 uxprdde01 sshd[1853]: [ID 800047 auth.debug] debug1: Forked child 1923.
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 10
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: inetd sockets after dupping: 3, 3
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Connection from 10.2.80.25 port 42222
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: Client protocol version 2.0; client software version OpenSSH_4.2
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: match: OpenSSH_4.2 pat OpenSSH*
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_4.2
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: list_hostkey_types: ssh-rsa,ssh-dss
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: Miscellaneous failure\nNo principal in keytab matches desired name
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: kex: client->server aes128-cbc hmac-md5 none
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: kex: server->client aes128-cbc hmac-md5 none
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: KEX done
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: userauth-request for user stever service ssh-connection method none
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: attempt 0 failures 0
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed none for stever from 10.2.80.25 port 42222 ssh2
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: userauth-request for user stever service ssh-connection method gssapi-with-mic
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: attempt 1 failures 1
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: Miscellaneous failure\nNo principal in keytab matches desired name
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed gssapi-with-mic for stever from 10.2.80.25 port 42222 ssh2
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: userauth-request for user stever service ssh-connection method gssapi-with-mic
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: attempt 2 failures 1
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed gssapi-with-mic for stever from 10.2.80.25 port 42222 ssh2
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: userauth-request for user stever service ssh-connection method publickey
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: attempt 3 failures 1
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: test whether pkalg/pkblob are acceptable
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 1055/1055 (e=0/1)
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: trying public key file /etc/ssh/.keys/stever/authorized_keys
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: restore_uid: 0/1
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 1055/1055 (e=0/1)
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: trying public key file /etc/ssh/.keys/stever/authorized_keys
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: restore_uid: 0/1
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed publickey for stever from 10.2.80.25 port 42222 ssh2
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: userauth-request for user stever service ssh-connection method keyboard-interactive
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: attempt 4 failures 2
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: auth2_challenge: user=stever devs=
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: kbdint_alloc: devices ''
Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed keyboard-interactive for stever from 10.2.80.25 port 42222 ssh2
Oct 14 14:46:52 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: userauth-request for user stever service ssh-connection method password
Oct 14 14:46:52 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: attempt 5 failures 3
Oct 14 14:46:52 uxprdde01 sshd[1923]: [ID 800047 auth.error] error: Could not get shadow information for stever
Oct 14 14:46:52 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed password for stever from 10.2.80.25 port 42222 ssh2
Oct 14 14:46:53 uxprdde01 sshd[1923]: [ID 800047 auth.info] Connection closed by 10.2.80.25
Oct 14 14:46:53 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1: do_cleanup
================================
Log from ssh -v -v -v :
================================
[root@uxprdadm01 root]# ../bin/ssh -v -v -v -p 2222 stever@uxprdde01
SSH Version Sun_SSH_1.0.1, protocol versions 1.5/2.0.
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: ssh_connect: getuid 0 geteuid 0 anon 0
debug1: Connecting to uxprdde01 [10.2.80.21] port 2222.
debug1: Allocated local port 851.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type 3
debug1: identity file /root/.ssh/id_rsa type 3
debug1: Bad RSA1 key file /root/.ssh/id_dsa.
debug1: identity file /root/.ssh/id_dsa type 3
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.0.1
debug1: sent kexinit: diffie-hellman-group1-sha1
debug1: sent kexinit: ssh-rsa,ssh-dss
debug1: sent kexinit: aes128-cbc,blowfish-cbc,3des-cbc,rijndael128-cbc
debug1: sent kexinit: aes128-cbc,blowfish-cbc,3des-cbc,rijndael128-cbc
debug1: sent kexinit: hmac-sha1,hmac-md5
debug1: sent kexinit: hmac-sha1,hmac-md5
debug1: sent kexinit: none
debug1: sent kexinit: none
debug1: sent kexinit:
debug1: sent kexinit:
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib@openssh.com
debug1: got kexinit: none,zlib@openssh.com
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-sha1
debug1: kex: server->client unable to decide common locale
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: client->server unable to decide common locale
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: Sending SSH2_MSG_KEXDH_INIT.
debug1: bits set: 508/1024
debug1: Wait SSH2_MSG_KEXDH_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'uxprdde01' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:23
debug1: bits set: 534/1024
debug1: ssh_rsa_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: key does not exist: /root/.ssh/identity
debug1: key does not exist: /root/.ssh/id_rsa
debug1: try pubkey: /root/.ssh/id_dsa
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug3: sign_and_send_pubkey
debug1: sig size 20 20
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: authmethod_lookup gssapi-keyex
debug2: Unrecognized authentication method name: gssapi-keyex
debug3: authmethod_lookup gssapi-with-mic
debug2: Unrecognized authentication method name: gssapi-with-mic
debug3: authmethod_lookup password
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
stever@uxprdde01's password:
================================
I hope that's enough config files and logs ;). Any help is much
appreciated.
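A small shell check, added here and not part of the original post, for the two facts the logs above expose: whether the server keytab holds host/<fqdn>@REALM for the name the client connects to (the principal sshd complains about), and whether the client's ssh recognises gssapi-with-mic at all (the Sun_SSH_1.0.1 client above logs it as unrecognized). The klist and ssh -v samples are constructed from the post's output; the hostname and realm are passed in explicitly rather than resolved.

```shell
#!/bin/sh
# Added diagnostic, not from the original post; sample inputs are constructed from the post's output.

# Constructed sample: `klist -k krb5.keytab` output from the post.
KEYTAB_LISTING='Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/uxprdde01.F.Q.D.N.com@WIN.DOMAIN'

# Constructed sample: the client-side `ssh -v -v -v` lines that matter.
CLIENT_LOG='debug1: authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: authmethod_lookup gssapi-with-mic
debug2: Unrecognized authentication method name: gssapi-with-mic
debug1: next auth method to try is password'

# keytab_has_host_principal LISTING FQDN REALM
# True when the keytab holds host/FQDN@REALM, the service principal a GSSAPI client
# asks sshd for. FQDN is the canonical name the client resolves; passed in to stay offline.
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# client_offers_gssapi CLIENT_LOG
# 0: server advertised gssapi-with-mic and the client recognised it
# 1: advertised, but the client logged the method as unrecognized
# 2: the server did not advertise it at all
client_offers_gssapi() {
    printf '%s\n' "$1" | grep -q 'authentications that can continue:.*gssapi-with-mic' || return 2
    printf '%s\n' "$1" | grep -q 'Unrecognized authentication method name: gssapi-with-mic' && return 1
    return 0
}

# diagnose LISTING FQDN REALM CLIENT_LOG: one-line verdict, distinct exit codes
diagnose() {
    if ! keytab_has_host_principal "$1" "$2" "$3"; then
        echo "server: keytab lacks host/$2@$3 (sshd logs 'No principal in keytab matches desired name')"
        return 1
    fi
    rc=0; client_offers_gssapi "$4" || rc=$?
    case $rc in
        0) echo "ok: keytab principal present and client speaks gssapi-with-mic"; return 0 ;;
        1) echo "client: server offers gssapi-with-mic but this ssh client does not implement it"; return 2 ;;
        *) echo "server: gssapi-with-mic not offered; check GSSAPIAuthentication in sshd_config"; return 3 ;;
    esac
}

# With the post's own data this reports the client-side gap (exit code 2).
diagnose "$KEYTAB_LISTING" uxprdde01.F.Q.D.N.com WIN.DOMAIN "$CLIENT_LOG" || true
```

On a live host, replace the two samples with the real `klist -k` and `ssh -v -v -v` output and pass the name the client actually resolves for the server; a mismatch there is the other common cause of the same keytab error.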