[32917] in Kerberos


Re: krb5+Ubuntu (maverick, jaunty (LTS))+ssh

daemon@ATHENA.MIT.EDU (Thomas Schweikle)
Mon Nov 22 16:33:05 2010

From: Thomas Schweikle <tps@vr-web.de>
Date: Mon, 22 Nov 2010 19:10:10 +0100
Message-ID: <8kvq03F2l6U1@mid.individual.net>
Mime-Version: 1.0
In-Reply-To: <mailman.415.1290365184.20243.kerberos@mit.edu>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 21.11.2010 19:46, Brian Candler wrote:
> On Sat, Nov 20, 2010 at 10:45:31PM +0100, Thomas Schweikle wrote:
>> Something about no GSSAPI environment. I'll post the whole thing
>> tomorrow --- I'll need access to the systems.
> 
> Another trick is to run another instance of sshd, on another port, in debug
> mode: e.g.
> 
>     # sshd -p 99 -d

From ub0001 to kvm-test (10.04.1 to 10.04.1):
!debug1: Unspecified GSS failure.
!  Minor code may provide more information
!Key table entry not found

and on the client side:
!debug1: Authentications that can continue:
!  publickey,gssapi-keyex,gssapi-with-mic,password
!debug1: Next authentication method: gssapi-keyex
!debug1: No valid Key exchange context

But:
!tu@kvm-test:~$ klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!---------------------------------------------------------------------
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL

and
!ub0001:~% klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!---------------------------------------------------------------------
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL

ssh asks for password :-(


Now from auth to kvm-test (10.10 to 10.04.1):
!debug1: Unspecified GSS failure.
!  Minor code may provide more information
!Key table entry not found

and on the client side:
!debug1: Authentications that can continue:
!  publickey,gssapi-keyex,gssapi-with-mic,password
!debug1: Next authentication method: gssapi-keyex
!debug1: No valid Key exchange context

But:
!root@kvm-test:~# klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL

and
!tu@auth:~$ klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL


Now from ub0001 to auth (10.04.1 to 10.10):
No password prompt! logged in!

This with:
!ub0001:~% klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL

and:
!root@auth:~# klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL

Obviously 10.10 to 10.10 works too.


> Then when you ssh -v -p 99 <user>@<hostname> you will also get debug output
> from the server side.
> 
> You need 'GSSAPIAuthentication yes' in /etc/ssh/sshd_config at the server
> side, but presumably you have that as some of the combinations do work.
> (Not 'KerberosAuthentication yes' - that just does password authentication
> with the KDC as the password oracle)

AFAIC this is set. On all machines I have:
/etc/ssh/sshd_config:
!# GSSAPI options
!GSSAPIAuthentication yes
!GSSAPICleanupCredentials yes
!GSSAPIKeyExchange yes

/etc/ssh/ssh_config:
!Host *
!    SendEnv LANG LC_*
!    HashKnownHosts yes
!    GSSAPIAuthentication yes
!    GSSAPIDelegateCredentials yes
!    GSSAPIKeyExchange yes

-- 
Thomas
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
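The server-side "Key table entry not found" in the debug output above is the krb5 minor status for a service principal that the client requested but that is not in the server's keytab. A GSSAPI ssh client asks the KDC for host/<canonical target name>@REALM, so the keytab must hold exactly that name (short name versus FQDN matters) at a KVNO the KDC still issues. The script below is an added example, not part of Thomas's mail or of any listed tool: it parses a `klist -k` listing, builds the principal a client would ask for, and reports whether it is present and at which KVNO. The realm LOCAL is taken from the mail; the FQDN kvm-test.example.com, the sample listing and the `--live` mode (which runs `klist -k` and `hostname` on the server as root) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original mail: check whether a host keytab
# holds the service principal a GSSAPI ssh client will actually request.
# The client asks the KDC for host/<canonical target name>@REALM; the server
# then needs exactly that principal in /etc/krb5.keytab, otherwise the krb5
# minor status is "Key table entry not found". Assumptions (not in the mail):
# realm LOCAL, and the machine's DNS name is kvm-test.example.com.

# Constructed `klist -k` listing, modelled on the one in the mail
# (one line per encryption type, all at the same KVNO).
SAMPLE_KEYTAB=$(cat <<'EOF'
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---------------------------------------------------------------------
   1 host/kvm-test@LOCAL
   1 host/kvm-test@LOCAL
   1 host/kvm-test@LOCAL
   1 host/kvm-test@LOCAL
EOF
)

# Reduce a `klist -k` listing (on stdin) to unique "KVNO principal" pairs,
# dropping the header and separator lines.
parse_keytab() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $1, $2 }' | sort -u
}

# The principal a client connecting to host $1 in realm $2 will ask for.
expected_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Exit 0 if listing $1 contains principal $2, else 1.
keytab_has_principal() {
    printf '%s\n' "$1" | parse_keytab |
        awk -v p="$2" '$2 == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Space-separated KVNOs present for principal $2 in listing $1.
# The KVNO of the client's service ticket must match one of these.
keytab_kvnos() {
    printf '%s\n' "$1" | parse_keytab |
        awk -v p="$2" '$2 == p { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# One-line verdict for listing $1, target name $2, realm $3.
diagnose() {
    p=$(expected_principal "$2" "$3")
    if keytab_has_principal "$1" "$p"; then
        echo "OK: $p present (kvno $(keytab_kvnos "$1" "$p"))"
    else
        echo "MISSING: $p not in keytab (krb5: Key table entry not found)"
    fi
}

# On a real server (run as root so /etc/krb5.keytab is readable): compare
# the keytab against both the short name and the FQDN, because which one
# the client requests depends on how it canonicalises the target name.
live_check() {
    realm=${1:-LOCAL}
    listing=$(klist -k)
    diagnose "$listing" "$(hostname -s)" "$realm"
    diagnose "$listing" "$(hostname -f)" "$realm"
}

if [ "${1:-}" = "--live" ]; then
    live_check "${2:-}"
else
    # Offline demo on the constructed listing: the short name is present,
    # the assumed FQDN is not, which is the situation that yields the error.
    diagnose "$SAMPLE_KEYTAB" kvm-test LOCAL
    diagnose "$SAMPLE_KEYTAB" kvm-test.example.com LOCAL
fi
```

Run it with no arguments for the offline demo, or as `sh check-keytab.sh --live LOCAL` on the sshd host; if the FQDN line comes back MISSING while the short name is OK (or the other way round), add the missing principal to the keytab with the same key material or fix name resolution, rather than relaxing the ssh configuration.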
