[37523] in Kerberos


Re: ubuntu16.04 and /etc/krb5.conf

daemon@ATHENA.MIT.EDU (Todd Grayson)
Thu Jun 16 13:08:25 2016

MIME-Version: 1.0
In-Reply-To: <5762A4F6.8010906@imperial.ac.uk>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Thu, 16 Jun 2016 07:42:09 -0600
Message-ID: <CALNT6MUyXiOiHTYdu9qwAVNUrqr5KXJRgk2oj3bYfK9JqeCZvg@mail.gmail.com>
To: Giuseppe Mazza <g.mazza@imperial.ac.uk>
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

From what I'm seeing, this is more likely tied to the configuration
requirements for setting up a host to support authentication for ssh via
Kerberos. Showing your krb5.conf would help (I suggest replacing internal
hostnames and realms when sharing this kind of info).

Most likely the settings for resolving the KDC through DNS are set
(dns_lookup_realm = true, dns_lookup_kdc = true), which is why you
do not need a realm entry in your krb5.conf.


This discussion explains what needs to be in place for you to be able to
set up client authentication for SSH on Ubuntu:

https://help.ubuntu.com/community/SingleSignOn#Client_Configuration

Most specifically: did you create the host principal in the KDC for the new
host you are trying to access?

On Thu, Jun 16, 2016 at 7:09 AM, Giuseppe Mazza <g.mazza@imperial.ac.uk>
wrote:

> (I apologize for my long email)
>
> I am going to try to provide some feedback:
> #
> # my (not) working scenario...
> #
> 1] Linux kerberos server:
> Ubuntu 14.04.4 LTS \n \l
> ii  krb5-kdc          1.12+dfsg-2ub amd64         MIT Kerberos key server (KDC)
>
> 2.a] Ubuntu 16.04 linux client, called futurama.doc.ic.ac.uk:
> ii  krb5-user          1.13.2+dfsg-5  amd64          Basic programs to authenticate using MIT K
>
>
> 2.b] Ubuntu 14.04 linux client, called bee.doc.ic.ac.uk:
> ii  krb5-user         1.12+dfsg-2ub amd64         Basic programs to authenticate using MIT
>
> 3] same /etc/krb5.conf on both clients, i.e. no hardcoded hostnames of
> my dc's.
>
> 4] I will be using my two accounts, gmazza@IC.AC.UK (user in the Windows
> DC) and gmazza2@DOC.IC.AC.UK (user in kerberos realm).
>
> The things I will describe work for bee.doc.ic.ac.uk, but not
> for futurama.doc.ic.ac.uk. In particular I have noticed the things below:
>
> - it works:
> gmazza2@futurama:~$ ssh gmazza2@futurama
>
> - it does not work:
> gmazza2@futurama:~$ ssh gmazza@futurama
> gmazza@futurama's password:
> Permission denied, please try again.
> gmazza@futurama's password:
>
> - it works:
> gmazza2@futurama:~$ export KRB5_TRACE=/dev/stdout
> gmazza2@futurama:~$ kinit gmazza@IC.AC.UK
> [325] 1466081998.890390: Getting initial credentials for gmazza@IC.AC.UK
> [325] 1466081998.890912: Sending request (169 bytes) to IC.AC.UK
> [325] 1466081998.894103: Resolving hostname icads43.ic.ac.uk.
> [325] 1466081998.896228: Sending initial UDP request to dgram
> 129.31.100.150:88
> [325] 1466081998.899013: Received answer (174 bytes) from dgram
> 129.31.100.150:88
> [325] 1466081998.900138: Response was not from master KDC
> [325] 1466081998.900216: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [325] 1466081998.900281: Processing preauth types: 16, 15, 19, 2
> [325] 1466081998.900308: Selected etype info: etype aes256-cts, salt
> "IC.AC.UKgmazza", params ""
> Password for gmazza@IC.AC.UK: debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
>
> [325] 1466082004.103603: AS key obtained for encrypted timestamp:
> aes256-cts/1F56
> [325] 1466082004.103637: Encrypted timestamp (for 1466082003.328534):
> plain 301AA011180F32303136303631363133303030335AA1050203050356,
> encrypted
>
> C915E62DB9E0CE17F45BA2FDABB44DEF69EF02DAE0ADF1138204A1D114B27FF0AE505BB410C1FCB00E0F31BFE6939ED3E7B2C68B9C52FDA4
> [325] 1466082004.103654: Preauth module encrypted_timestamp (2) (real)
> returned: 0/Success
> [325] 1466082004.103657: Produced preauth for next request: 2
> [325] 1466082004.103668: Sending request (247 bytes) to IC.AC.UK
> [325] 1466082004.106120: Resolving hostname icads39.ic.ac.uk.
> [325] 1466082004.106383: Sending initial UDP request to dgram
> 155.198.63.21:88
> [325] 1466082004.110203: Received answer (88 bytes) from dgram
> 155.198.63.21:88
> [325] 1466082004.111234: Response was not from master KDC
> [325] 1466082004.111262: Received error from KDC: -1765328332/Response
> too big for UDP, retry with TCP
> [325] 1466082004.111268: Request or response is too big for UDP;
> retrying with TCP
> [325] 1466082004.111281: Sending request (247 bytes) to IC.AC.UK (tcp
> only)
> [325] 1466082004.112344: Resolving hostname icads44.ic.ac.uk.
> [325] 1466082004.113626: Initiating TCP connection to stream
> 129.31.47.2:88
> [325] 1466082004.114123: Sending TCP request to stream 129.31.47.2:88
> [325] 1466082004.117400: Received answer (2689 bytes) from stream
> 129.31.47.2:88
> [325] 1466082004.117416: Terminating TCP connection to stream
> 129.31.47.2:88
> [325] 1466082004.118434: Response was not from master KDC
> [325] 1466082004.118467: Processing preauth types: 19
> [325] 1466082004.118475: Selected etype info: etype aes256-cts, salt
> "IC.AC.UKgmazza", params ""
> [325] 1466082004.118480: Produced preauth for next request: (empty)
> [325] 1466082004.118489: AS key determined by preauth: aes256-cts/1F56
> [325] 1466082004.118538: Decrypted AS reply; session key is:
> aes256-cts/5BA4
> [325] 1466082004.118555: FAST negotiation: unavailable
> [325] 1466082004.118578: Initializing FILE:/tmp/krb5cc_868_TQFkWp with
> default princ gmazza@IC.AC.UK
> [325] 1466082004.118635: Storing gmazza@IC.AC.UK ->
> krbtgt/IC.AC.UK@IC.AC.UK in FILE:/tmp/krb5cc_868_TQFkWp
> [325] 1466082004.118662: Storing config in FILE:/tmp/krb5cc_868_TQFkWp
> for krbtgt/IC.AC.UK@IC.AC.UK: pa_type: 2
> [325] 1466082004.118684: Storing gmazza@IC.AC.UK ->
> krb5_ccache_conf_data/pa_type/krbtgt\/IC.AC.UK\@IC.AC.UK@X-CACHECONF: in
> FILE:/tmp/krb5cc_868_TQFkWp
>
> gmazza2@futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: gmazza@IC.AC.UK
>
> Valid starting     Expires            Service principal
> 16/06/16 14:00:04  17/06/16 00:00:04  krbtgt/IC.AC.UK@IC.AC.UK
>         renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> - it does not work:
> gmazza2@futurama:~$ ssh gmazza2@futurama
> [375] 1466082089.872003: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK
> [375] 1466082089.872158: Getting credentials gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.872299: Retrieving gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: -1765328243/Matching credential not found
> [375] 1466082089.872397: Retrieving gmazza@IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK@DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with
> result: -1765328243/Matching credential not found
> [375] 1466082089.872489: Retrieving gmazza@IC.AC.UK ->
> krbtgt/IC.AC.UK@IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with result:
> 0/Success
> [375] 1466082089.872507: Starting with TGT for client realm:
> gmazza@IC.AC.UK -> krbtgt/IC.AC.UK@IC.AC.UK
> [375] 1466082089.872611: Retrieving gmazza@IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK@DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with
> result: -1765328243/Matching credential not found
> [375] 1466082089.872628: Requesting TGT krbtgt/DOC.IC.AC.UK@IC.AC.UK
> using TGT krbtgt/IC.AC.UK@IC.AC.UK
> [375] 1466082089.872694: Generated subkey for TGS request: aes256-cts/36BD
> [375] 1466082089.872848: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.873071: Encoding request body and padata into FAST request
> [375] 1466082089.873237: Sending request (2863 bytes) to IC.AC.UK
> [375] 1466082089.875549: Resolving hostname icads44.ic.ac.uk.
> [375] 1466082089.876375: Sending initial UDP request to dgram
> 129.31.47.2:88
> [375] 1466082089.878367: Received answer (311 bytes) from dgram
> 129.31.47.2:88
> [375] 1466082089.879374: Response was not from master KDC
> [375] 1466082089.879420: Decoding FAST response
> [375] 1466082089.879497: Request or response is too big for UDP;
> retrying with TCP
> [375] 1466082089.879512: Sending request (2863 bytes) to IC.AC.UK (tcp
> only)
> [375] 1466082089.880644: Resolving hostname icads43.ic.ac.uk.
> [375] 1466082089.881101: Initiating TCP connection to stream
> 129.31.100.150:88
> [375] 1466082089.881629: Sending TCP request to stream 129.31.100.150:88
> [375] 1466082089.883386: Received answer (2758 bytes) from stream
> 129.31.100.150:88
> [375] 1466082089.883408: Terminating TCP connection to stream
> 129.31.100.150:88
> [375] 1466082089.884435: Response was not from master KDC
> [375] 1466082089.884481: Decoding FAST response
> [375] 1466082089.884661: FAST reply key: aes256-cts/C91B
> [375] 1466082089.884730: TGS reply is for gmazza@IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK@IC.AC.UK with session key des-cbc-crc/A617
> [375] 1466082089.884819: TGS request result: 0/Success
> [375] 1466082089.884838: Storing gmazza@IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK@IC.AC.UK in FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.884915: Received TGT for service realm:
> krbtgt/DOC.IC.AC.UK@IC.AC.UK
> [375] 1466082089.884927: Requesting tickets for
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK, referrals on
> [375] 1466082089.884955: Generated subkey for TGS request: des-cbc-crc/14B2
> [375] 1466082089.885000: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.885099: Encoding request body and padata into FAST request
> [375] 1466082089.885228: Sending request (2832 bytes) to DOC.IC.AC.UK
> (tcp only)
> [375] 1466082089.885263: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.885710: Initiating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.886276: Terminating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.886314: Resolving hostname kerberos1.doc.ic.ac.uk
> [375] 1466082089.886738: Initiating TCP connection to stream
> 146.169.1.11:88
> [375] 1466082089.887249: Terminating TCP connection to stream
> 146.169.1.11:88
> [375] 1466082089.887270: Resolving hostname kerberos2.doc.ic.ac.uk
> [375] 1466082089.887611: Initiating TCP connection to stream
> 146.169.1.71:88
> [375] 1466082089.888136: Terminating TCP connection to stream
> 146.169.1.71:88
> [375] 1466082089.889673: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK
> [375] 1466082089.889789: Getting credentials gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.889906: Retrieving gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: -1765328243/Matching credential not found
> [375] 1466082089.890009: Retrieving gmazza@IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK@DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with
> result: 0/Success
> [375] 1466082089.890024: Found cached TGT for service realm:
> gmazza@IC.AC.UK -> krbtgt/DOC.IC.AC.UK@IC.AC.UK
> [375] 1466082089.890033: Requesting tickets for
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK, referrals on
> [375] 1466082089.890062: Generated subkey for TGS request: des-cbc-crc/B04E
> [375] 1466082089.890113: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.890252: Encoding request body and padata into FAST request
> [375] 1466082089.890394: Sending request (2832 bytes) to DOC.IC.AC.UK
> [375] 1466082089.890446: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.890897: Initiating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.891502: Terminating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.891525: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.891874: Sending initial UDP request to dgram
> 146.169.1.157:750
> [375] 1466082089.893602: Received answer (861 bytes) from dgram
> 146.169.1.157:750
> [375] 1466082089.894766: Response was not from master KDC
> [375] 1466082089.894812: Decoding FAST response
> [375] 1466082089.894897: FAST reply key: des-cbc-crc/EE43
> [375] 1466082089.894953: TGS reply is for gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK with session key aes256-cts/4216
> [375] 1466082089.894987: TGS request result: 0/Success
> [375] 1466082089.894997: Received creds for desired service
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK
> [375] 1466082089.895012: Storing gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK in FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.895181: Creating authenticator for gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK, seqnum 683096606, subkey
> aes256-cts/1E3F, session key aes256-cts/4216
> [375] 1466082089.896680: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK
> [375] 1466082089.896837: Getting credentials gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.896953: Retrieving gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.897036: Creating authenticator for gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK, seqnum 249884086, subkey
> aes256-cts/FDB1, session key aes256-cts/4216
> [375] 1466082089.898397: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK
> [375] 1466082089.898517: Getting credentials gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.898630: Retrieving gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898760: Getting credentials gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.898865: Retrieving gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898946: Creating authenticator for gmazza@IC.AC.UK ->
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK, seqnum 1071734415, subkey
> aes256-cts/0F2B, session key aes256-cts/4216
> gmazza2@futurama's password:
>
>
> BUT...
> - there are gmazza's tickets now:
> gmazza2@futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: gmazza@IC.AC.UK
>
> Valid starting     Expires            Service principal
> 16/06/16 14:00:04  17/06/16 00:00:04  krbtgt/IC.AC.UK@IC.AC.UK
>         renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 16/06/16 14:01:29  17/06/16 00:00:04  krbtgt/DOC.IC.AC.UK@IC.AC.UK
>         renew until 17/06/16 00:00:04, Etype (skey, tkt): des-cbc-crc,
> des-cbc-md5
> 16/06/16 14:01:29  17/06/16 00:00:04
> host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK
>         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>
> - it works the second time with the same command "ssh gmazza@futurama"
> gmazza2@futurama:~$ export KRB5_TRACE=
> gmazza2@futurama:~$ ssh gmazza@futurama uptime
>   14:02:58 up 21:31,  2 users,  load average: 0.01, 0.05, 0.07
>
>
> Sorry for my long email.
> Hope my description makes sense.
>
> Cheers,
> Giuseppe
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
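An added example, not part of the thread and not Ubuntu's or MIT's code: a small set of POSIX shell checks for the pieces that have to be in place on the target host before GSSAPI ssh login can work. It covers the two things Todd asks about (a key for the host principal in the keytab, and the dns_lookup_* settings in krb5.conf), flags single-DES keytab entries because the klist output in the thread shows a des-cbc-crc cross-realm TGT, and models the last step the trace does not show: after a successful GSSAPI exchange, sshd asks the Kerberos library (krb5_kuserok) whether the authenticated principal may log in as the requested local account, and a principal from another realm such as gmazza@IC.AC.UK is only accepted as local user gmazza if ~gmazza/.k5login lists it (or an auth_to_local rule maps it). Every function takes the text of a command's output as an argument, so the sample keytab listing, krb5.conf and host names below are constructed and the script runs offline; the kuserok model is a simplification that assumes no auth_to_local rules are configured.

```shell
#!/bin/sh
# Added example (not from the thread, not Ubuntu's or MIT's code): offline
# checks for the pieces GSSAPI ssh login needs on the server host. Every
# function takes the *text* of a command's output, so the constructed samples
# below let it run without a KDC; on a real host pass "$(klist -ke)",
# "$(cat /etc/krb5.conf)" and "$(cat ~user/.k5login)" instead.

# Constructed sample of `klist -ke` on the host (names follow the thread).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
   3 host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK (aes256-cts-hmac-sha1-96)
   3 host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK (aes128-cts-hmac-sha1-96)
   3 host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK (des-cbc-crc)'

# Constructed sample krb5.conf with the DNS lookup settings Todd mentions.
SAMPLE_KRB5CONF='[libdefaults]
    default_realm = DOC.IC.AC.UK
    dns_lookup_realm = true
    dns_lookup_kdc = true
'

# Check 1: does the keytab hold a key for host/<fqdn>? Without it sshd cannot
# decrypt the service ticket the client obtained in the trace above.
has_host_key() {           # $1 = klist -ke text, $2 = host FQDN
    printf '%s\n' "$1" | grep -q " host/$2@"
}

# Check 2: how many keytab entries still use single DES (des-cbc-*)? The
# klist output in the thread shows a des-cbc-crc cross-realm TGT; such keys
# should be retired rather than kept alive with allow_weak_crypto.
count_weak_keys() {        # $1 = klist -ke text ; prints the count
    printf '%s\n' "$1" | grep -cE '\(des-cbc-(crc|md4|md5)\)' || true
}

# Check 3: read one [libdefaults] setting from krb5.conf text.
libdefault() {             # $1 = krb5.conf text, $2 = setting name
    printf '%s\n' "$1" | awk -v key="$2" '
        /^\[/                                             { sect = $0 }
        sect == "[libdefaults]" && $1 == key && $2 == "=" { print $3; exit }'
}

# Check 4: simplified model of the krb5_kuserok decision sshd makes after a
# successful GSSAPI exchange (assumption: no auth_to_local rules). With a
# ~/.k5login the principal must be listed; without one, only
# <localuser>@<default_realm> is accepted. So gmazza@IC.AC.UK logging in as
# local user gmazza on a DOC.IC.AC.UK host needs a .k5login entry.
kuserok() {                # $1 = principal, $2 = local user, $3 = default realm,
                           # $4 = .k5login text ("" means the file is absent)
    if [ -n "$4" ]; then
        printf '%s\n' "$4" | grep -qx "$1"
    else
        [ "$1" = "$2@$3" ]
    fi
}

# Report over the constructed samples.
report() {
    fqdn=futurama.doc.ic.ac.uk
    if has_host_key "$SAMPLE_KEYTAB" "$fqdn"; then
        echo "ok   keytab has host/$fqdn"
    else
        echo "FAIL no host/$fqdn key in keytab"
    fi
    echo "info $(count_weak_keys "$SAMPLE_KEYTAB") single-DES keytab entries"
    echo "info dns_lookup_kdc = $(libdefault "$SAMPLE_KRB5CONF" dns_lookup_kdc)"
    realm=$(libdefault "$SAMPLE_KRB5CONF" default_realm)
    for p in gmazza2@DOC.IC.AC.UK gmazza@IC.AC.UK; do
        u=${p%@*}
        if kuserok "$p" "$u" "$realm" ""; then
            echo "ok   $p may log in as $u without .k5login"
        else
            echo "FAIL $p needs an entry in ~$u/.k5login (or an auth_to_local rule)"
        fi
    done
}
report
```

On a live host the same functions can be fed the real outputs, e.g. `has_host_key "$(klist -ke)" "$(hostname -f)"`; pair that with `sshd -T | grep -i gssapi` to confirm GSSAPIAuthentication is enabled on the server side.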
