Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)

From: Kevin J Kalupson (kjk137_at_kevinkal.com)
Date: 10/14/05


Date: Fri, 14 Oct 2005 15:36:15 -0400

You need to have whoever admins your kdc create a keytab file for you.
It usually goes in /etc/krb5.keytab.

stevendavidruiz@gmail.com wrote:
> Hi All -
>
> this is really bugging me - I can't get this to work. I have
> everything working - ssh, pam, ldap, etc., but ssh always asks me for a
> password, even when I have a valid kerberos ticket (I can login fine if
> I enter my kerberos password). I've searched and searched for the
> answer, but haven't found anything that helps me :(. We have this
> working at another site with openssh 3.6p1, but 4.2p1 doesn't like me.
> Has anybody accomplished this with a newer version of openssh (one that
> no longer supports the "KerberosTgtForward yes" option)?
>
> This is the most glaring error I see when I debug the ssh connections:
> [ID 800047 auth.debug] debug1: Miscellaneous failure\nNo principal in
> keytab matches desired name
>
> My config is as follows:
> Solaris OpenLDAP server
> Windows 2003 Domain controller (kerberos KDC)
> Solaris 9 clients
> openssh 4.2p1
>
> [root@uxprdadm01 root]# klist
> ================================
> Ticket cache: /tmp/krb5cc_0
> Default principal: stever@WIN.DOMAIN
>
> Valid starting            Expires                   Service principal
> Fri Oct 14 13:47:01 2005  Fri Oct 14 23:47:01 2005  krbtgt/WIN.DOMAIN@WIN.DOMAIN
>         renew until Fri Oct 21 13:47:01 2005
> Fri Oct 14 13:47:17 2005  Fri Oct 14 23:47:01 2005  host/uxprdde01.F.Q.D.N.com@WIN.DOMAIN
>         renew until Fri Oct 21 13:47:01 2005
> ================================
>
>
> krb5.keytab:
> ================================
> bash-2.05# klist -k krb5.keytab
> Keytab name: FILE:krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/uxprdde01.F.Q.D.N.com@WIN.DOMAIN
> bash-2.05#
> ================================
>
>
> ssh was configured with:
> ================================
> ./configure --prefix=/usr/local --with-pam --with-kerberos5=/usr/local/lib
> ================================
>
>
> sshd_config: (I've tried so many combinations of the kerberos, gssapi,
> usepam, and other auth options, this is just my last iteration)
> ================================
> cat sshd_config
> # This sshd was compiled with
> PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
> Port 2222
> Protocol 2
>
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
>
> # Logging
> SyslogFacility AUTH
> LogLevel DEBUG
>
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
>
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> ChallengeResponseAuthentication=yes
> UsePAM yes
>
> UsePrivilegeSeparation no
> ================================
>
>
> Kerberos config:
> ================================
> bash-2.05# cd /etc/krb5
> bash-2.05# more krb5.conf
> [libdefaults]
> default_realm = WIN.DOMAIN
> forwardable = true
> [realms]
> WIN.DOMAIN = {
> kdc = win2k3_dc.F.Q.D.N.com
> admin_server = win2k3_dc.F.Q.D.N.com
> }
>
> [domain_realm]
> .F.Q.D.N.com = WIN.DOMAIN
> F.Q.D.N.com = WIN.DOMAIN
> [logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc_rotate = {
> period = 1d
> versions = 10
> }
> [appdefaults]
> kinit = {
> renewable = true
> forwardable= true
> }
> gkadmin = {
> help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
> }
> ================================
>
>
>
> Log from sshd:
> ================================
> Oct 14 14:46:42 uxprdde01 sshd[1921]: [ID 800047 auth.info] Connection
> closed by 10.2.80.25
> Oct 14 14:46:42 uxprdde01 sshd[1921]: [ID 800047 auth.debug] debug1:
> do_cleanup
> Oct 14 14:46:48 uxprdde01 sshd[1853]: [ID 800047 auth.debug] debug1: fd
> 5 clearing O_NONBLOCK
> Oct 14 14:46:48 uxprdde01 sshd[1853]: [ID 800047 auth.debug] debug1:
> Forked child 1923.
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> rexec start in 5 out 5 newsock 5 pipe 7 sock 10
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> inetd sockets after dupping: 3, 3
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Connection
> from 10.2.80.25 port 42222
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> Client protocol version 2.0; client software version OpenSSH_4.2
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> match: OpenSSH_4.2 pat OpenSSH*
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> Enabling compatibility mode for protocol 2.0
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> Local version string SSH-2.0-OpenSSH_4.2
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> list_hostkey_types: ssh-rsa,ssh-dss
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> Miscellaneous failure\nNo principal in keytab matches desired name
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> SSH2_MSG_KEXINIT sent
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> SSH2_MSG_KEXINIT received
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> kex: client->server aes128-cbc hmac-md5 none
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> kex: server->client aes128-cbc hmac-md5 none
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> SSH2_MSG_KEX_DH_GEX_REQUEST received
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> SSH2_MSG_KEX_DH_GEX_GROUP sent
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> expecting SSH2_MSG_KEX_DH_GEX_INIT
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> SSH2_MSG_KEX_DH_GEX_REPLY sent
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> SSH2_MSG_NEWKEYS sent
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> expecting SSH2_MSG_NEWKEYS
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> SSH2_MSG_NEWKEYS received
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> KEX done
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> userauth-request for user stever service ssh-connection method none
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> attempt 0 failures 0
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed none
> for stever from 10.2.80.25 port 42222 ssh2
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> userauth-request for user stever service ssh-connection method
> gssapi-with-mic
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> attempt 1 failures 1
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> Miscellaneous failure\nNo principal in keytab matches desired name
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed
> gssapi-with-mic for stever from 10.2.80.25 port 42222 ssh2
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> userauth-request for user stever service ssh-connection method
> gssapi-with-mic
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> attempt 2 failures 1
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed
> gssapi-with-mic for stever from 10.2.80.25 port 42222 ssh2
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> userauth-request for user stever service ssh-connection method
> publickey
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> attempt 3 failures 1
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> test whether pkalg/pkblob are acceptable
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> temporarily_use_uid: 1055/1055 (e=0/1)
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> trying public key file /etc/ssh/.keys/stever/authorized_keys
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> restore_uid: 0/1
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> temporarily_use_uid: 1055/1055 (e=0/1)
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> trying public key file /etc/ssh/.keys/stever/authorized_keys
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> restore_uid: 0/1
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed
> publickey for stever from 10.2.80.25 port 42222 ssh2
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> userauth-request for user stever service ssh-connection method
> keyboard-interactive
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> attempt 4 failures 2
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> keyboard-interactive devs
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> auth2_challenge: user=stever devs=
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> kbdint_alloc: devices ''
> Oct 14 14:46:48 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed
> keyboard-interactive for stever from 10.2.80.25 port 42222 ssh2
> Oct 14 14:46:52 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> userauth-request for user stever service ssh-connection method password
> Oct 14 14:46:52 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> attempt 5 failures 3
> Oct 14 14:46:52 uxprdde01 sshd[1923]: [ID 800047 auth.error] error:
> Could not get shadow information for stever
> Oct 14 14:46:52 uxprdde01 sshd[1923]: [ID 800047 auth.info] Failed
> password for stever from 10.2.80.25 port 42222 ssh2
> Oct 14 14:46:53 uxprdde01 sshd[1923]: [ID 800047 auth.info] Connection
> closed by 10.2.80.25
> Oct 14 14:46:53 uxprdde01 sshd[1923]: [ID 800047 auth.debug] debug1:
> do_cleanup
> ================================
>
>
>
>
>
> Log from ssh -v -v -v :
> ================================
> [root@uxprdadm01 root]# ../bin/ssh -v -v -v -p 2222 stever@uxprdde01
> SSH Version Sun_SSH_1.0.1, protocol versions 1.5/2.0.
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: ssh_connect: getuid 0 geteuid 0 anon 0
> debug1: Connecting to uxprdde01 [10.2.80.21] port 2222.
> debug1: Allocated local port 851.
> debug1: Connection established.
> debug1: identity file /root/.ssh/identity type 3
> debug1: identity file /root/.ssh/id_rsa type 3
> debug1: Bad RSA1 key file /root/.ssh/id_dsa.
> debug1: identity file /root/.ssh/id_dsa type 3
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_4.2
> debug1: match: OpenSSH_4.2 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-Sun_SSH_1.0.1
> debug1: sent kexinit: diffie-hellman-group1-sha1
> debug1: sent kexinit: ssh-rsa,ssh-dss
> debug1: sent kexinit: aes128-cbc,blowfish-cbc,3des-cbc,rijndael128-cbc
> debug1: sent kexinit: aes128-cbc,blowfish-cbc,3des-cbc,rijndael128-cbc
> debug1: sent kexinit: hmac-sha1,hmac-md5
> debug1: sent kexinit: hmac-sha1,hmac-md5
> debug1: sent kexinit: none
> debug1: sent kexinit: none
> debug1: sent kexinit:
> debug1: sent kexinit:
> debug1: send KEXINIT
> debug1: done
> debug1: wait KEXINIT
> debug1: got kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug1: got kexinit: ssh-rsa,ssh-dss
> debug1: got kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug1: got kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug1: got kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug1: got kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug1: got kexinit: none,zlib@openssh.com
> debug1: got kexinit: none,zlib@openssh.com
> debug1: got kexinit:
> debug1: got kexinit:
> debug1: first kex follow: 0
> debug1: reserved: 0
> debug1: done
> debug2: mac_init: found hmac-sha1
> debug1: kex: server->client unable to decide common locale
> debug1: kex: server->client aes128-cbc hmac-sha1 none
> debug2: mac_init: found hmac-sha1
> debug1: kex: client->server unable to decide common locale
> debug1: kex: client->server aes128-cbc hmac-sha1 none
> debug1: Sending SSH2_MSG_KEXDH_INIT.
> debug1: bits set: 508/1024
> debug1: Wait SSH2_MSG_KEXDH_REPLY.
> debug1: Got SSH2_MSG_KEXDH_REPLY.
> debug1: Host 'uxprdde01' is known and matches the RSA host key.
> debug1: Found key in /root/.ssh/known_hosts:23
> debug1: bits set: 534/1024
> debug1: ssh_rsa_verify: signature correct
> debug1: Wait SSH2_MSG_NEWKEYS.
> debug1: GOT SSH2_MSG_NEWKEYS.
> debug1: send SSH2_MSG_NEWKEYS.
> debug1: done: send SSH2_MSG_NEWKEYS.
> debug1: done: KEX2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> debug3: start over, passed a different list
> debug3: authmethod_lookup publickey
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: key does not exist: /root/.ssh/identity
> debug1: key does not exist: /root/.ssh/id_rsa
> debug1: try pubkey: /root/.ssh/id_dsa
> debug1: read SSH2 private key done: name dsa w/o comment success 1
> debug3: sign_and_send_pubkey
> debug1: sig size 20 20
> debug2: we sent a publickey packet, wait for reply
> debug1: authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> debug3: authmethod_lookup publickey
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: authmethod_lookup gssapi-keyex
> debug2: Unrecognized authentication method name: gssapi-keyex
> debug3: authmethod_lookup gssapi-with-mic
> debug2: Unrecognized authentication method name: gssapi-with-mic
> debug3: authmethod_lookup password
> debug3: authmethod_is_enabled password
> debug1: next auth method to try is password
> stever@uxprdde01's password:
> ================================
>
>
> I hope that's enough config files and logs ;). Any help is much
> appreciated.
>
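A quick way to check the server side of the "No principal in keytab matches desired name" error, added here as an example and not part of the thread: OpenSSH's GSSAPI code asks the Kerberos library for credentials for host/<name>@REALM, where <name> is what the host reports for itself, so if the box calls itself "uxprdde01" while the keytab only holds host/uxprdde01.F.Q.D.N.com@WIN.DOMAIN, the names never match. The script below compares the name sshd would ask for against a keytab listing; the klist -k text is constructed from the listing in the quoted post, and on a real host you would feed it the output of "klist -k /etc/krb5.keytab" and "hostname" instead. It says nothing about the client side: the ssh -v output above shows Sun_SSH_1.0.1 reporting "Unrecognized authentication method name: gssapi-with-mic", so that client cannot use the method this sshd offers no matter what is in the keytab.

```shell
#!/bin/sh
# Added diagnostic example (not from the original thread). Compares the
# host principal sshd's GSSAPI code asks for with the principals present
# in a keytab. SAMPLE_KLIST is CONSTRUCTED from the post's klist -k
# listing; on a real host use: klist -k /etc/krb5.keytab

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/uxprdde01.F.Q.D.N.com@WIN.DOMAIN'

# Print the principals (second column of the numbered rows) from
# klist -k style output; header and dashed lines have no numeric KVNO.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# Return 0 if the keytab output contains exactly this principal.
keytab_has_principal() {
    keytab_principals "$2" | grep -qx "$1"
}

# The service principal sshd wants: host/<name>@REALM, where <name> is
# the name the host reports for itself (assumption: what hostname prints).
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Diagnose: given the reported host name, the realm and a klist -k
# listing, report whether the keytab can serve that principal.
# Prints OK or MISSING and returns 0 or 1 accordingly.
check_host_keytab() {
    name=$1
    realm=$2
    klist_out=$3
    want=$(host_principal "$name" "$realm")
    if keytab_has_principal "$want" "$klist_out"; then
        echo "OK: $want is in the keytab"
        return 0
    fi
    echo "MISSING: $want is not in the keytab; entries present:"
    keytab_principals "$klist_out" | sed 's/^/  /'
    echo "Either add a host/$name@$realm key to the keytab or make the"
    echo "host report its fully qualified name."
    return 1
}

# Usage with the constructed data: the FQDN matches, the short name does not.
check_host_keytab uxprdde01.F.Q.D.N.com WIN.DOMAIN "$SAMPLE_KLIST"
check_host_keytab uxprdde01 WIN.DOMAIN "$SAMPLE_KLIST"
```

On a live system the two inputs are `hostname` and `klist -k /etc/krb5.keytab` (run as root, since the keytab is root-readable only); the KVNO column also has to agree with the KDC's current key version, which this check does not cover.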


