Srinivas Cheruku wrote:
> from the log
> debug1: Miscellaneous failure
> debug1: Server not found in Kerberos database
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
>
> "Server not found in the Kerberos Database".
> Did you create the service principal for the host and extract it to the
> keytab on that host?
>
> While connecting using ssh, give the FQDN of the hostname:
> $ ssh hostname.domain
>
> It should work. If it still doesn't work, check the KDC log and see
> which service principal it is trying to look at.
Ok, so my problem is on the server somehow, as it looks. For the principals, the only principal I created is the host principal (host/hostname.domain.com@REALM). Do I need anything else for principals then? On the KDC (unfortunately a Win2k AD KDC) I don't see anything special except "pre-authentication failed" (next message in this newsgroup). I know it's crazy using Microsoft as KDC, but we have to do it like that ;(

Thanks for all your help.

> -----Original Message-----
> From: Someone [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 22, 2002 5:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: SSH with Kerberos 5 GSSAPI
>
> Srinivas Cheruku wrote:
>
>> Default configuration should work properly. Otherwise you can add the
>> below lines in your sshd configuration file
>>
>> GssapiAuthentication yes
>> GssapiKeyExchange yes
>> GssapiUseSessionCredCache yes
>>
>> Also start the client session in verbose mode and see what is
>> happening by giving
>> $ ssh -v hostname
>>
>> Also you can check on the KDC log whether it has issued a forwarded TGT.
>
> I have added those lines to sshd_config but it didn't help; here is the
> output of the ssh client:
>
> ssh -v hostname
> OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Seeding random number generator
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: restore_uid
> debug1: ssh_connect: getuid XXXX geteuid 0 anon 1
> debug1: Connecting to tonostix [X.X.X.X] port 22.
> debug1: temporarily_use_uid: XXXX/XXXX (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: XXXX/XXXX (e=0)
> debug1: restore_uid
> debug1: Connection established.
> debug1: read PEM private key done: type DSA
> debug1: read PEM private key done: type RSA
> debug1: identity file /home/username/.ssh/identity type -1
> debug1: identity file /home/username/.ssh/id_rsa type -1
> debug1: identity file /home/username/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
> debug1: match: OpenSSH_3.0.2p1 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
> debug1: Miscellaneous failure
> debug1: Server not found in Kerberos database
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: dh_gen_key: priv key bits set: 133/256
> debug1: bits set: 1558/3191
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'hostname' is known and matches the RSA host key.
> debug1: Found key in /home/username/.ssh/known_hosts2:104
> debug1: bits set: 1569/3191
> debug1: ssh_rsa_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
> debug1: next auth method to try is external-keyx
> debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
> debug1: next auth method to try is gssapi
> debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
> debug1: next auth method to try is publickey
> debug1: try privkey: /home/username/.ssh/identity
> debug1: try privkey: /home/username/.ssh/id_rsa
> debug1: try privkey: /home/username/.ssh/id_dsa
> debug1: next auth method to try is keyboard-interactive
> debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
> debug1: next auth method to try is password
> username@hostname's password:
> debug1: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
> debug1: ssh-userauth2 successful: method password
> debug1: channel 0: new [client-session]
> debug1: send channel open 0
> debug1: Entering interactive session.
> debug1: ssh_session2_setup: id 0
> debug1: channel request 0: shell
> debug1: channel 0: open confirm rwindow 0 rmax 16384
> Last login: Fri Mar 22 12:38:15 2002 from hostname.domain.com
> Linux 2.4.5.
>
> Output of kinit:
>
> kinit
> Password for username@REALM:
> kinit(v5): No credentials cache found when initializing cache
>
> Output of klist:
>
> klist
> klist: No credentials cache found (ticket cache FILE:)
>
> Kerberos 4 ticket cache: /tmp/tktXXXX
> klist: You have no tickets cached
>
> Any ideas?

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
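The "Server not found in Kerberos database" line in the log above means the KDC was asked for a service principal it does not have. The name the client asks for is not simply what the user typed after `ssh`: the krb5 library canonicalises the typed host name through DNS (forward lookup, and by default a reverse lookup of the resulting address), lowercases it, and only then forms `host/<canonical name>@<realm>`. A principal created as `host/hostname.domain.com@REALM` is therefore only found if the client's DNS view of the typed name ends up at exactly `hostname.domain.com`. The following script is an added example written for this page, not code from the thread or from OpenSSH or MIT krb5; it models that canonicalisation against a constructed DNS table and a constructed `klist -k` listing (the hosts `srv1.example.com`, `ssh.example.com`, the addresses and the realm `EXAMPLE.COM` are all hypothetical) and reports which principal the client would request and whether the server's keytab has it.

```python
"""Model how a GSSAPI ssh client names the service principal it asks for.

Added example, not from the mailing-list thread. It approximates MIT krb5's
krb5_sname_to_principal(): forward-resolve the typed name to its canonical
DNS name, optionally reverse-resolve the address (the rdns setting),
lowercase, then build host/<canonical>@<realm>. All DNS data, the keytab
listing, host names, addresses and the realm below are constructed.
"""
import re

# Constructed `klist -k /etc/krb5.keytab` output for a hypothetical server.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/srv1.example.com@EXAMPLE.COM
   3 host/srv1.example.com@EXAMPLE.COM
"""

# Constructed forward DNS: typed name -> (canonical name, address).
# A CNAME alias maps to the canonical name of its target.
SAMPLE_DNS = {
    "srv1": ("srv1.example.com", "192.0.2.10"),
    "srv1.example.com": ("srv1.example.com", "192.0.2.10"),
    "ssh.example.com": ("srv1.example.com", "192.0.2.10"),        # CNAME -> srv1
    "srv1.corp.example.com": ("srv1.corp.example.com", "192.0.2.11"),
}

# Constructed reverse DNS (PTR records); 192.0.2.11 deliberately has none.
SAMPLE_PTR = {"192.0.2.10": "srv1.example.com"}

# One keytab line: "<kvno> <principal@REALM>"; header and ruler lines do not match.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")


def parse_keytab_listing(listing):
    """Return the set of principals named in `klist -k` style output."""
    return {m.group(1) for m in map(PRINCIPAL_RE.match, listing.splitlines()) if m}


def canonical_hostname(name, dns, ptr, rdns=True):
    """Canonicalise a typed host name the way the client library does.

    Returns None when the name does not resolve; the library then fails
    before it ever contacts the KDC.
    """
    entry = dns.get(name.lower())
    if entry is None:
        return None
    canonical, address = entry
    if rdns and address in ptr:          # with rdns=true the PTR name wins
        canonical = ptr[address]
    return canonical.lower().rstrip(".")


def service_principal(name, realm, dns, ptr, rdns=True):
    """Principal the client will request for `ssh name`, or None."""
    canonical = canonical_hostname(name, dns, ptr, rdns)
    if canonical is None:
        return None
    return f"host/{canonical}@{realm}"


def diagnose(name, realm, keytab_listing, dns, ptr, rdns=True):
    """Compare the requested principal with the server keytab.

    The keytab is extracted from the KDC's entry, so a name that is absent
    here is almost certainly what the KDC reports as "not found".
    Returns (principal_requested, found, hints).
    """
    keytab = parse_keytab_listing(keytab_listing)
    principal = service_principal(name, realm, dns, ptr, rdns)
    hints = []
    if principal is None:
        hints.append(f"{name!r} does not resolve; client cannot build a principal")
        return principal, False, hints
    if principal in keytab:
        return principal, True, hints
    hints.append(f"client will ask the KDC for {principal}; not in keytab")
    host_entries = sorted(p for p in keytab if p.startswith("host/"))
    if host_entries:
        hints.append("keytab has: " + ", ".join(host_entries))
    wanted_realm = principal.rsplit("@", 1)[1]
    if not any(p.endswith("@" + wanted_realm) for p in keytab):
        hints.append(f"no keytab entry in realm {wanted_realm}; check [domain_realm]")
    return principal, False, hints


if __name__ == "__main__":
    for typed in ("srv1", "ssh.example.com", "srv1.corp.example.com", "nosuchhost"):
        print(typed, "->", diagnose(typed, "EXAMPLE.COM", SAMPLE_KEYTAB_LISTING,
                                    SAMPLE_DNS, SAMPLE_PTR))
```

On a real host the two inputs are `klist -k /etc/krb5.keytab` on the server and the DNS answers seen from the client (`host` or `dig` for the typed name and for the PTR of its address); a name that resolves to a different canonical host than the one whose principal was created, a missing PTR, or a realm that the client maps differently in `[domain_realm]` each produce exactly the "not found" failure shown in the log, and the server's keytab is the quickest place to see which name the KDC actually knows.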
