[32863] in Kerberos


Re: Fwd: help

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Nov 8 09:51:20 2010

Message-ID: <4CD80E5E.6010205@anl.gov>
Date: Mon, 08 Nov 2010 08:51:10 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <AANLkTikTDfj1L46QaMKg5gY_xbCjDV-54=NfrhQcvdP6@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



On 11/7/2010 10:55 AM, evangeline eleanor wrote:
> Hi, I've got a problem connecting via ssh with kerberos to my server.
> Here are some logs to clarify things:
>
> A log from the client ssh part:
> debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
> debug3: start over, passed a different list
> gssapi-keyex,gssapi-with-mic,password
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug3: Trying to reverse map address 93.103.50.247.
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,keyboard-interactive,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
>
>
>
> A log from the server ssh part:
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user test service ssh-connection method none
> debug1: attempt 0 failures 0
> Failed none for test from 193.95.233.106 port 50608 ssh2
> debug1: userauth-request for user test service ssh-connection method
> gssapi-with-mic
> debug1: attempt 1 failures 0
> Postponed gssapi-with-mic for test from 193.95.233.106 port 50608 ssh2
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Wrong principal in request
>
> debug1: Got no client credentials
> debug1: userauth-request for user test service ssh-connection method
> gssapi-with-mic
> debug1: attempt 2 failures 1
> debug1: userauth-request for user test service ssh-connection method
> gssapi-with-mic
> debug1: attempt 3 failures 1
>
>
> A kerberos log while trying to ssh onto the server (from client):
> Nov 07 11:49:10 pentest-security.dyndns.org krb5kdc[9034](info):
> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime
> 1289126950, etypes {rep=16 tkt=16 ses=16},
> test@PENTEST-SECURITY.DYNDNS.ORG for
> krbtgt/PENTEST-SECURITY.DYNDNS.ORG@PENTEST-SECURITY.DYNDNS.ORG
> Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime
> 1289126950, etypes {rep=16 tkt=16 ses=16},
> test@PENTEST-SECURITY.DYNDNS.ORG for
> host/93-103-50-247.dynamic.dsl.t-2.net@PENTEST-SECURITY.DYNDNS.ORG
> Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info):
> TGS_REQ (1 etypes {16}) 193.95.233.106: ISSUE: authtime 1289126950,
> etypes {rep=16 tkt=16 ses=16}, test@PENTEST-SECURITY.DYNDNS.ORG for
> krbtgt/PENTEST-SECURITY.DYNDNS.ORG@PENTEST-SECURITY.DYNDNS.ORG
>
>
> So, does anybody have any idea what to do in order to make the ssh
> with kerberos work? This is my dns settings in krb5.conf:
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>
> I don't know what's wrong, but people on the Kerberos IRC channel said
> it could be the reverse DNS though. A bit of DNS output is printed
> here:
> # hostname
> pentest-security.dyndns.org
> # host 36.145.110.193
> Host 193.110.145.36.in-addr.arpa. not found: 3(NXDOMAIN)

Looks like the client gets a service ticket for
host/93-103-50-247.dynamic.dsl.t-2.net@PENTEST-SECURITY.DYNDNS.ORG

But the server thinks its host name is: pentest-security.dyndns.org
and is expecting the client to be sending a ticket for
host/pentest-security.dyndns.org@PENTEST-SECURITY.DYNDNS.ORG

You did not list the keys in the server's krb5.keytab,
but based on the listprincs output I assume both of these
principals are in the krb5.keytab.

But the GSS code may only be looking for one. There have been
mods proposed to allow the GSSAPI to use any matching key
in the keytab file. You may need one of these mods.

What version of Kerberos are you using on the server?

How did the client map the ssh hostname argument to
93-103-50-247.dynamic.dsl.t-2.net?

If it's not DNS, does your ~/.ssh/config or client
/etc/ssh/ssh_config do any host mappings?

Does the client /etc/hosts have a mapping?

Kerberos and SSH really don't like the server having
a dynamic address...

>
> And this is what I have in kerberos database, the "listprincs" command:
> eleanor@PENTEST-SECURITY.DYNDNS.ORG
> K/M@PENTEST-SECURITY.DYNDNS.ORG
> krbtgt/PENTEST-SECURITY.DYNDNS.ORG@PENTEST-SECURITY.DYNDNS.ORG
> kadmin/admin@PENTEST-SECURITY.DYNDNS.ORG
> kadmin/changepw@PENTEST-SECURITY.DYNDNS.ORG
> kadmin/history@PENTEST-SECURITY.DYNDNS.ORG
> kadmin/pentest-security.dyndns.org@PENTEST-SECURITY.DYNDNS.ORG
> host/93-103-50-247.dynamic.dsl.t-2.net@PENTEST-SECURITY.DYNDNS.ORG
> admin/admin@PENTEST-SECURITY.DYNDNS.ORG
> host/pentest-security.dyndns.org@PENTEST-SECURITY.DYNDNS.ORG
> test@PENTEST-SECURITY.DYNDNS.ORG
> host@PENTEST-SECURITY.DYNDNS.ORG
>
>
> Any ideas anyone?
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
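The mismatch Engert points at (a ticket for host/93-103-50-247.dynamic.dsl.t-2.net arriving at an acceptor that expects host/pentest-security.dyndns.org) can be checked offline from the artifacts the thread already shows. The script below is an added example, not code from the thread or from MIT Kerberos: it parses krb5kdc TGS_REQ log lines to find which service principal the client actually asked for, parses a keytab listing in the shape `klist -k` prints, and then models the two acceptor behaviours the reply contrasts: a strict acceptor bound to host/<local hostname> only, and an acceptor that accepts any host/ key present in the keytab (in OpenSSH that is the `GSSAPIStrictAcceptorCheck no` sshd_config setting; the reply itself does not name it). The log lines are the thread's two KDC entries re-joined to one line each, and the keytab listing is constructed on the assumption, stated in the reply, that both host principals are in /etc/krb5.keytab.

```python
import re

# Constructed sample: the AS_REQ and the host/ TGS_REQ from the thread's KDC log,
# each re-joined onto a single line as krb5kdc actually writes them.
KDC_LOG = """\
Nov 07 11:49:10 pentest-security.dyndns.org krb5kdc[9034](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test@PENTEST-SECURITY.DYNDNS.ORG for krbtgt/PENTEST-SECURITY.DYNDNS.ORG@PENTEST-SECURITY.DYNDNS.ORG
Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test@PENTEST-SECURITY.DYNDNS.ORG for host/93-103-50-247.dynamic.dsl.t-2.net@PENTEST-SECURITY.DYNDNS.ORG
"""

# Constructed sample keytab listing in the layout `klist -k` prints (KVNO, then principal).
# Assumption from the reply: both host/ principals were exported to the keytab.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/pentest-security.dyndns.org@PENTEST-SECURITY.DYNDNS.ORG
   2 host/93-103-50-247.dynamic.dsl.t-2.net@PENTEST-SECURITY.DYNDNS.ORG
"""

# "<client principal> for <service principal>" is the tail of every ISSUE line.
TGS_RE = re.compile(r"TGS_REQ .*? ISSUE: .*?, (?P<client>\S+) for (?P<service>\S+)$")
# Keytab rows: leading KVNO, then a principal of the form service/instance@REALM.
KEYTAB_RE = re.compile(r"^\s*\d+\s+(?P<princ>\S+/\S+@\S+)\s*$")


def requested_service_principals(kdc_log):
    """Service principals the KDC issued tickets for, excluding the TGT itself (krbtgt/...)."""
    found = []
    for line in kdc_log.splitlines():
        m = TGS_RE.search(line)
        if m and not m.group("service").startswith("krbtgt/"):
            found.append(m.group("service"))
    return found


def keytab_principals(listing):
    """Distinct principals present in a `klist -k` style listing, sorted for stable comparison."""
    return sorted({m.group("princ") for m in map(KEYTAB_RE.match, listing.splitlines()) if m})


def acceptor_verdict(service, keytab, local_hostname, realm, strict=True):
    """
    strict=True models an acceptor that only accepts host/<local_hostname>@REALM
    (OpenSSH's default GSSAPIStrictAcceptorCheck yes).
    strict=False models an acceptor that accepts any service key in the keytab
    (what the reply calls "use any matching key in the keytab file").
    """
    expected = "host/%s@%s" % (local_hostname, realm)
    if service not in keytab:
        return "reject: no key for %s in keytab" % service
    if strict and service != expected:
        return "reject: ticket is for %s but acceptor expects %s" % (service, expected)
    return "accept"


def diagnose(kdc_log, listing, local_hostname, realm):
    """One row per service ticket the client obtained: how strict and lenient acceptors treat it."""
    keytab = keytab_principals(listing)
    return [
        {
            "service": svc,
            "strict": acceptor_verdict(svc, keytab, local_hostname, realm, strict=True),
            "any_key": acceptor_verdict(svc, keytab, local_hostname, realm, strict=False),
        }
        for svc in requested_service_principals(kdc_log)
    ]


if __name__ == "__main__":
    for row in diagnose(KDC_LOG, KEYTAB_LISTING, "pentest-security.dyndns.org",
                        "PENTEST-SECURITY.DYNDNS.ORG"):
        print("ticket for %s" % row["service"])
        print("  strict acceptor : %s" % row["strict"])
        print("  any-key acceptor: %s" % row["any_key"])
```

On the thread's data the strict acceptor rejects the ticket even though its key is in the keytab, which is the "Wrong principal in request" the server log shows; the any-key acceptor accepts it. To run this against a real host, replace the two constructed strings with the krb5kdc log and the output of `klist -k`, and pass the value of `hostname` as `local_hostname`.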