[32862] in Kerberos


Fwd: help

daemon@ATHENA.MIT.EDU (evangeline eleanor)
Sun Nov 7 14:29:53 2010

MIME-Version: 1.0
In-Reply-To: <AANLkTinvb2Wj9iDYXKrUxeftjdLz2+rOOGZXAcJWEUp7@mail.gmail.com>
Date: Sun, 7 Nov 2010 17:55:36 +0100
Message-ID: <AANLkTikTDfj1L46QaMKg5gY_xbCjDV-54=NfrhQcvdP6@mail.gmail.com>
From: evangeline eleanor <evangeline.eleanor@gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi, I've got a problem connecting via ssh with kerberos to my server.
Here are some logs to clarify things:

A log from the client ssh part:
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list
gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 93.103.50.247.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,keyboard-interactive,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password



A log from the server ssh part:
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user test service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for test from 193.95.233.106 port 50608 ssh2
debug1: userauth-request for user test service ssh-connection method
gssapi-with-mic
debug1: attempt 1 failures 0
Postponed gssapi-with-mic for test from 193.95.233.106 port 50608 ssh2
debug1: Unspecified GSS failure.  Minor code may provide more information
Wrong principal in request

debug1: Got no client credentials
debug1: userauth-request for user test service ssh-connection method
gssapi-with-mic
debug1: attempt 2 failures 1
debug1: userauth-request for user test service ssh-connection method
gssapi-with-mic
debug1: attempt 3 failures 1


A kerberos log while trying to ssh onto the server (from client):
Nov 07 11:49:10 pentest-security.dyndns.org krb5kdc[9034](info):
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime
1289126950, etypes {rep=16 tkt=16 ses=16},
test@PENTEST-SECURITY.DYNDNS.ORG for
krbtgt/PENTEST-SECURITY.DYNDNS.ORG@PENTEST-SECURITY.DYNDNS.ORG
Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime
1289126950, etypes {rep=16 tkt=16 ses=16},
test@PENTEST-SECURITY.DYNDNS.ORG for
host/93-103-50-247.dynamic.dsl.t-2.net@PENTEST-SECURITY.DYNDNS.ORG
Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info):
TGS_REQ (1 etypes {16}) 193.95.233.106: ISSUE: authtime 1289126950,
etypes {rep=16 tkt=16 ses=16}, test@PENTEST-SECURITY.DYNDNS.ORG for
krbtgt/PENTEST-SECURITY.DYNDNS.ORG@PENTEST-SECURITY.DYNDNS.ORG


So, does anybody have any idea what to do in order to make the ssh
with kerberos work? These are my DNS settings in krb5.conf:
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false

I don't know what's wrong, but people on the Kerberos IRC channel said
it could be the reverse DNS though. Some of the DNS stuff is printed
here:
# hostname
pentest-security.dyndns.org
# host 36.145.110.193
Host 193.110.145.36.in-addr.arpa. not found: 3(NXDOMAIN)

And this is what I have in kerberos database, the "listprincs" command:
eleanor@PENTEST-SECURITY.DYNDNS.ORG
K/M@PENTEST-SECURITY.DYNDNS.ORG
krbtgt/PENTEST-SECURITY.DYNDNS.ORG@PENTEST-SECURITY.DYNDNS.ORG
kadmin/admin@PENTEST-SECURITY.DYNDNS.ORG
kadmin/changepw@PENTEST-SECURITY.DYNDNS.ORG
kadmin/history@PENTEST-SECURITY.DYNDNS.ORG
kadmin/pentest-security.dyndns.org@PENTEST-SECURITY.DYNDNS.ORG
host/93-103-50-247.dynamic.dsl.t-2.net@PENTEST-SECURITY.DYNDNS.ORG
admin/admin@PENTEST-SECURITY.DYNDNS.ORG
host/pentest-security.dyndns.org@PENTEST-SECURITY.DYNDNS.ORG
test@PENTEST-SECURITY.DYNDNS.ORG
host@PENTEST-SECURITY.DYNDNS.ORG


Any ideas anyone?
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
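
Added example, not part of the original message: a small Python check that pulls the service principal out of each TGS_REQ entry in the KDC log quoted in the post and compares it with host/<server hostname>@<realm>, using the `hostname` output from the post. The function names are hypothetical, and it assumes the log holds only requests made while connecting to that one server.

```python
import re

# KDC log entries copied from the post, with the mail-wrapped lines rejoined.
KDC_LOG = """\
Nov 07 11:49:10 pentest-security.dyndns.org krb5kdc[9034](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test@PENTEST-SECURITY.DYNDNS.ORG for krbtgt/PENTEST-SECURITY.DYNDNS.ORG@PENTEST-SECURITY.DYNDNS.ORG
Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test@PENTEST-SECURITY.DYNDNS.ORG for host/93-103-50-247.dynamic.dsl.t-2.net@PENTEST-SECURITY.DYNDNS.ORG
Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info): TGS_REQ (1 etypes {16}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test@PENTEST-SECURITY.DYNDNS.ORG for krbtgt/PENTEST-SECURITY.DYNDNS.ORG@PENTEST-SECURITY.DYNDNS.ORG
"""

# Captures the request type, status, client and service principal of one entry.
ENTRY = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<type>AS_REQ|TGS_REQ) .*?: (?P<status>[A-Z_]+): "
    r".*?, (?P<client>[^\s,]+) for (?P<service>[^\s,]+)"
)


def requested_services(log_text):
    """Return (client, service) for each TGS_REQ that is not for a krbtgt ticket."""
    pairs = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m and m["type"] == "TGS_REQ" and not m["service"].startswith("krbtgt/"):
            pairs.append((m["client"], m["service"]))
    return pairs


def acceptor_mismatches(log_text, server_hostname, realm):
    """List host/ tickets whose principal differs from host/<server_hostname>@<realm>.

    Assumes log_text holds only requests made while connecting to that server.
    """
    expected = f"host/{server_hostname.lower()}@{realm}"
    return [(c, s) for c, s in requested_services(log_text)
            if s.startswith("host/") and s != expected]


if __name__ == "__main__":
    for client, service in acceptor_mismatches(
            KDC_LOG, "pentest-security.dyndns.org", "PENTEST-SECURITY.DYNDNS.ORG"):
        print(f"{client} got a ticket for {service}")
```

On the entries from the post it reports the ticket issued for host/93-103-50-247.dynamic.dsl.t-2.net, which is not host/pentest-security.dyndns.org.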
