Problem: passwordless login with Kerberos doesn't work



Hi,

We, a team of 6, administer tens of Linux servers. The historic heritage is that every team member has his own local account on every machine. This is a nightmare of course, I don't have to elaborate on that :) Recently we decided to use our Active Directory domain for the Linux machines as well.

I installed 2 test machines, configured MIT Kerberos, LDAP and PAM and got to the point where we all can log in to the SSH server using our Active Directory credentials. At login time, a TGT is automatically retrieved through PAM. From there, I thought, it should be easy to automatically log into SSH without being asked for a password.

Obviously I was wrong... SSH keeps asking for a password, or exits with "permission denied" if I set KerberosOrLocalPasswd to "no" in the server config. Help... :)

A message in the ssh client log ("No valid Key exchange context") seems to indicate a problem with a keytab. However, the keytabs seem to be working just fine. I created these two principals in Active Directory:

host/server.staff.xxxxx.nl@xxxxxxxxxxxxxx
host/client.staff.xxxxx.nl@xxxxxxxxxxxxxx

and exported them in a keytab file, without Windows complaining about anything. I copied them to /etc/krb5.keytab and if I check them with ktutil, the correct principal is there. I read a lot about Kerberos being very picky about the principal name being a hostname or FQDN, so I connect using the FQDN and put the FQDN in /etc/hosts on both sides.

Can anyone please shed some light on this? I've Googled a lot, but haven't found anything useful.

This is what I use. I installed 2 Debian Lenny machines, one as a workstation (X, Gnome, the whole shebang), one as a server (no X, only SSH really). Both are virtual machines, running in VirtualBox. They have their own dedicated IP addresses, registered in DNS (forward and reverse map) and the name and IP address of the AD server is in /etc/hosts.

This is the SSH debug log when I try to connect:

-----[ ssh client log ]-----
ssh -vvvK thisuser@xxxxxxxxxxxxxxxxxxxxx

OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server.staff.zeelandnet.nl [10.115.193.26] port 22.
debug1: Connection established.
debug1: identity file /home/thisuser/.ssh/identity type -1
debug1: identity file /home/thisuser/.ssh/id_rsa type -1
debug1: identity file /home/thisuser/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA host key.
debug1: Found key in /home/thisuser/.ssh/known_hosts:3
debug2: bits set: 528/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/thisuser/.ssh/identity ((nil))
debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/thisuser/.ssh/identity
debug3: no such identity: /home/thisuser/.ssh/identity
debug1: Trying private key: /home/thisuser/.ssh/id_rsa
debug3: no such identity: /home/thisuser/.ssh/id_rsa
debug1: Trying private key: /home/thisuser/.ssh/id_dsa
debug3: no such identity: /home/thisuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
----- -----

And here's the log (at DEBUG level) of the SSH server:

-----[ ssh server log ]-----
debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
debug1: Forked child 2475.
debug1: inetd sockets after dupping: 3, 3
Connection from 10.115.193.8 port 35195
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug1: PAM: initializing for "thisuser"
debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for thisuser from 10.115.193.8 port 35195 ssh2
debug1: Unspecified GSS failure. Minor code may provide more information\nNo principal in keytab matches desired name\n
debug1: do_cleanup
debug1: PAM: cleanup
----- -----


This is my SSH config:

-----[ /etc/ssh/sshd_config ]-----
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
----- -----


I configured /etc/krb5.conf as follows:

-----[ /etc/krb5.conf ]-----
[logging]
default = FILE:/var/log/krb5-lib.log
kdc = FILE:/var/log/krb5-kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = STAFF.XXXXX.NL
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
STAFF.XXXXX.NL = {
kdc = zbdc01
admin_server = zbdc01
}

[domain_realm]
.staff.xxxxx.nl = STAFF.XXXXX.NL
staff.xxxxx.nl = STAFF.XXXXX.NL

[login]
krb4_convert = false
krb4_get_tickets = false

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = true
}
----- -----



Kind regards,

Hans van Zijst
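Added diagnostic, not part of Hans's post: the server-side line "No principal in keytab matches desired name" means that the principal sshd/GSSAPI looks up for itself, host/<canonical hostname>@REALM, is not literally present in /etc/krb5.keytab (principal names are case-sensitive). The script below compares a `klist -k` listing with that expected name and reports whether the nearest entry differs only in case, uses the short hostname, or is absent; the listing, hostnames and the realm STAFF.EXAMPLE.NL are constructed.

```shell
#!/bin/sh
# Check whether the host principal sshd will ask for is in the keytab.
# Usage on a real server:
#   diagnose_keytab "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" STAFF.EXAMPLE.NL

# Constructed sample of `klist -k` output (not from the original post).
# It deliberately contains a wrong-case FQDN entry and a short-name entry.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 host/SERVER.staff.example.nl@STAFF.EXAMPLE.NL
   3 host/server@STAFF.EXAMPLE.NL'

# Print only the principal column, skipping the three header lines.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 { print $2 }'
}

# The name GSSAPI on the server side wants: host/<fqdn>@<REALM>.
expected_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Arguments: <klist -k listing> <server fqdn> <REALM>
# Prints exactly one of: exact, case-mismatch, short-name-only, missing
diagnose_keytab() {
    listing=$1; fqdn=$2; realm=$3
    want=$(expected_principal "$fqdn" "$realm")
    short=$(printf '%s' "$fqdn" | cut -d. -f1)
    if keytab_principals "$listing" | grep -qxF "$want"; then
        echo exact                 # keytab is fine for this name
    elif keytab_principals "$listing" | grep -qixF "$want"; then
        echo case-mismatch         # same name, different letter case
    elif keytab_principals "$listing" | grep -qxF "host/$short@$realm"; then
        echo short-name-only       # exported for the short host name
    else
        echo missing
    fi
}

# Demo against the constructed listing: prints "case-mismatch".
diagnose_keytab "$SAMPLE_KEYTAB_LISTING" server.staff.example.nl STAFF.EXAMPLE.NL
```

If the result is anything other than `exact`, re-export the keytab for precisely the name `hostname -f` returns on the server, in that exact case.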