Dear All,
I've really strange problem, at least for me ;)
1) In our enviroment we have Kerberos V 1.2.2 installed and OpenSSH
2.9p2.
2) Each Kerberos installation has patch applied to solve problem with
working through NAT, i.e. adding IP address of the NAT in any tickets.
3) OpenSSH 2.9p2 was patched to support Kerberos V.
The problem is :
I've managed to connect by using Kerberos to all mashine via SSH.
All these mashines are located NOT behind the NAT, i.e. in the protected
LAN. I have one mashine with Solaris 2.6 located out of NAT, i.e. in the
public Internet. I've managed to compile all these staff (Kerberos,
OpenSSL, OpenSSH) there. But I couldn't connect via SSH to that mashine.
Here are log extractions:
The the client side:
[root@slava keytabs]# /opt/bin/ssh -v [EMAIL PROTECTED]
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x00905100
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to ns1.zrh1.ch.colt.net [212.23.224.70] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 132/256
debug1: bits set: 1016/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ns1.zrh1.ch.colt.net' is known and matches the RSA host
key.
debug1: Found key in /root/.ssh/known_hosts2:1
debug1: bits set: 1007/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is external-keyx
debug1: authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is gssapi
debug1: authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/identity
debug1: try privkey: /root/.ssh/id_rsa
debug1: try privkey: /root/.ssh/id_dsa
debug1: next auth method to try is password
[EMAIL PROTECTED]'s password:
debug1: authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
On the server's side:
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: Connection from 212.23.224.14
port 61415
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: Client protocol version
2.0; client software version OpenSSH_2.9p2
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: match: OpenSSH_2.9p2
pat ^OpenSSH
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: Enabling compatibility mode for
protocol 2.0
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: Local version string
SSH-1.99-OpenSSH_2.9p2
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: Rhosts Authentication
disabled, originating port not trusted.
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: list_hostkey_types:
ssh-rsa,ssh-dss
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: SSH2_MSG_KEXINIT sent
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: SSH2_MSG_KEXINIT
received
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: kex: client->server
aes128-cbc hmac-md5 none
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: kex: server->client
aes128-cbc hmac-md5 none
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1:
SSH2_MSG_KEX_DH_GEX_REQUEST received
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1:
SSH2_MSG_KEX_DH_GEX_GROUP sent
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: dh_gen_key: priv key
bits set: 108/256
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: bits set: 1007/2049
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: expecting
SSH2_MSG_KEX_DH_GEX_INIT
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: bits set: 1016/2049
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1:
SSH2_MSG_KEX_DH_GEX_REPLY sent
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: kex_derive_keys
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: newkeys: mode 1
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: SSH2_MSG_NEWKEYS sent
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: waiting for
SSH2_MSG_NEWKEYS
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: newkeys: mode 0
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: SSH2_MSG_NEWKEYS
received
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: KEX done
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: userauth-request for
user slava service ssh-connection method none
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: attempt 0 failures 0
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: Failed none for slava from
212.23.224.14 port 61415 ssh2
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: userauth-request for
user slava service ssh-connection method external-keyx
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: attempt 1 failures 1
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: No suitable client data
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: Failed external-keyx for slava
from 212.23.224.14 port 61415 ssh2
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: userauth-request for
user slava service ssh-connection method gssapi
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: attempt 2 failures 2
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: Miscellaneous failure
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: debug1: Unknown code z 0
Oct 16 12:35:58 se1-cb104-7 sshd[12358]: Failed gssapi for slava from
212.23.224.14 port 61415 ssh2
Oct 16 12:36:08 se1-cb104-7 sshd[12358]: debug1: userauth-request for
user slava service ssh-connection method password
Oct 16 12:36:08 se1-cb104-7 sshd[12358]: debug1: attempt 3 failures 3
Oct 16 12:36:08 se1-cb104-7 sshd[12358]: Failed password for slava from
212.23.224.14 port 61415 ssh2
Oct 16 12:36:10 se1-cb104-7 sshd[12358]: Connection closed by
212.23.224.14
Oct 16 12:36:10 se1-cb104-7 sshd[12358]: debug1: Calling cleanup
0x64e58(0x0)
Oct 16 12:36:10 se1-cb104-7 sshd[12358]: debug1: Calling cleanup
0x6ae74(0x0)
Oct 16 12:36:10 se1-cb104-7 sshd[12358]: debug1: writing PRNG seed to
file //.ssh/prng_seed
Oct 16 13:35:22 se1-cb104-7 sshd[12315]: Generating new 768 bit RSA key.
Oct 16 13:35:23 se1-cb104-7 sshd[12315]: RSA key generation complete.
Here is /etc/krb.conf from client and server (the absolutely the
same):
[libdefaults]
default_realm = CH.COLT.NET
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = true
default_keytab_name = /etc/krb5.keytab
proxy_gateway = 212.23.224.14
[realms]
CH.COLT.NET = {
kdc = kerberos.noc.ch.colt.net:88
kdc = kerberos-1.noc.ch.colt.net:88
kdc = kerberos-2.noc.ch.colt.net:88
admin_server = kerberos.noc.ch.colt.net
default_domain = CH.COLT.NET
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
kdc = SYSLOG:INFO:LOG_LOCAL0
admin_server = SYSLOG:INFO:LOG_LOCAL0
default = SYSLOG:INFO:LOG_LOCAL0
[domain_realm]
On the KDC I've changed ticket's encryption to des3-hmac-sha1 for my
Solaris 2.6 mashine.. For the rest of principals I'm using des-cbc-crc
still..
I was thinking that might be problem was related to different
encryption's type for client and servers principals, - to check that
I've changed encryption in KDC for one of my servers in the internal LAN
and it's working for that server. I really can't understand what is the
problem..
Thank you very much for your help!!
my regards,
Sviatoslav Rimdenok
