Hi,

I'm trying to set up OpenSSH 3.8.1p1 for use with GSS and Kerberos 5
--- and it works almost fine.  There are several FreeBSD 5.2 machines
here that run a sshd with GSSAPIAuthentication turned on.  Together
with GSSAPIAuthentication and GSSAPIDelegateCredentials turned on in
ssh_config, I can forward my Kerberos 5 ticket and log on to every
machine without having to provide a password.  All the FreeBSD
machines use Heimdal Kerberos.

However, obtaining a ticket on a FreeBSD machine and forwarding it to
an OS X machine (v10.3.2) with the same ssh/sshd setup fails.  The
sshd on the OS X machine just sits there forever (in select()).  On
the other hand, I can forward the tickets obtained on an OS X machine
to a FreeBSD machine without problems.

Here are some debug logs.  First, a FreeBSD client (duff) talking to
the OS X machine, which is exactly the case where forwarding fails:

,----
| [EMAIL PROTECTED] ~] klist
| Credentials cache: FILE:/tmp/krb5cc_Kd1UdA
|         Principal: [EMAIL PROTECTED]
| 
|   Issued           Expires          Principal
| Apr 29 15:48:59  Apr 30 16:48:59  krbtgt/[EMAIL PROTECTED]
| Apr 29 15:48:59  Apr 30 16:48:59  [EMAIL PROTECTED]                               
| [EMAIL PROTECTED] ~] ssh -v -F ~/.ssh/config-gss midgard
| OpenSSH_3.8.1p1, OpenSSL 0.9.7c 30 Sep 2003
| debug1: Reading configuration data /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/config-gss
| debug1: Connecting to midgard [134.2.12.82] port 22.
| debug1: Connection established.
| debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/identity type -1
| debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_rsa type -1
| debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_dsa type 2
| debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
| debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
| debug1: Enabling compatibility mode for protocol 2.0
| debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
| debug1: SSH2_MSG_KEXINIT sent
| debug1: SSH2_MSG_KEXINIT received
| debug1: kex: server->client aes128-cbc hmac-md5 none
| debug1: kex: client->server aes128-cbc hmac-md5 none
| debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
| debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
| debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
| debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
| debug1: Host 'midgard' is known and matches the RSA host key.
| debug1: Found key in /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/known_hosts:191
| debug1: ssh_rsa_verify: signature correct
| debug1: SSH2_MSG_NEWKEYS sent
| debug1: expecting SSH2_MSG_NEWKEYS
| debug1: SSH2_MSG_NEWKEYS received
| debug1: SSH2_MSG_SERVICE_REQUEST sent
| debug1: SSH2_MSG_SERVICE_ACCEPT received
| debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
| debug1: Next authentication method: gssapi-with-mic
| debug1: Delegating credentials
| [ Ends here, hangs forever ]
`----

The OS X machine on the other side says:

,----
| %/usr/openssh/sbin/sshd -d -d
| debug2: read_server_config: filename /etc/openssh/sshd_config
| debug1: sshd version OpenSSH_3.8.1p1
| debug1: read PEM private key done: type RSA
| debug1: private host key: #0 type 1 RSA
| debug1: read PEM private key done: type DSA
| debug1: private host key: #1 type 2 DSA
| debug1: Bind to port 22 on ::.
| debug1: Bind to port 22 on 0.0.0.0.
| Server listening on 0.0.0.0 port 22.
| debug1: Server will not fork when running in debugging mode.
| Connection from 134.2.12.76 port 49992
| debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
| debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
| debug1: Enabling compatibility mode for protocol 2.0
| debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
| debug2: Network child is on pid 15624
| debug1: permanently_set_uid: 75/75
| debug1: list_hostkey_types: ssh-rsa,ssh-dss
| debug1: SSH2_MSG_KEXINIT sent
| debug1: SSH2_MSG_KEXINIT received
| debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
| debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
| debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
| debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
| debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
| debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
| debug2: kex_parse_kexinit: none,zlib
| debug2: kex_parse_kexinit: none,zlib
| debug2: kex_parse_kexinit: 
| debug2: kex_parse_kexinit: 
| debug2: kex_parse_kexinit: first_kex_follows 0 
| debug2: kex_parse_kexinit: reserved 0 
| debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
| debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
| debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
| debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
| debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
| debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
| debug2: kex_parse_kexinit: none,zlib
| debug2: kex_parse_kexinit: none,zlib
| debug2: kex_parse_kexinit: 
| debug2: kex_parse_kexinit: 
| debug2: kex_parse_kexinit: first_kex_follows 0 
| debug2: kex_parse_kexinit: reserved 0 
| debug2: mac_init: found hmac-md5
| debug1: kex: client->server aes128-cbc hmac-md5 none
| debug2: mac_init: found hmac-md5
| debug1: kex: server->client aes128-cbc hmac-md5 none
| debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
| debug2: monitor_read: 0 used once, disabling now
| debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
| debug2: dh_gen_key: priv key bits set: 122/256
| debug2: bits set: 512/1024
| debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
| debug2: bits set: 517/1024
| debug2: monitor_read: 4 used once, disabling now
| debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
| debug2: kex_derive_keys
| debug2: set_newkeys: mode 1
| debug1: SSH2_MSG_NEWKEYS sent
| debug1: expecting SSH2_MSG_NEWKEYS
| debug2: set_newkeys: mode 0
| debug1: SSH2_MSG_NEWKEYS received
| debug1: KEX done
| debug1: userauth-request for user knauel service ssh-connection method none
| debug1: attempt 0 failures 0
| debug2: monitor_read: 6 used once, disabling now
| debug2: input_userauth_request: setting up authctxt for knauel
| debug2: input_userauth_request: try method none
| debug2: monitor_read: 3 used once, disabling now
| Failed none for knauel from 134.2.12.76 port 49992 ssh2
| Failed none for knauel from 134.2.12.76 port 49992 ssh2
| debug1: userauth-request for user knauel service ssh-connection method gssapi-with-mic
| debug1: attempt 1 failures 1
| debug2: input_userauth_request: try method gssapi-with-mic
| Postponed gssapi-with-mic for knauel from 134.2.12.76 port 49992 ssh2
| debug1: Got no client credentials
| [ Ends here, hangs forever ]
`----

Here, it's claiming that sshd has received no credentials, which is
what I don't understand.

When I ssh from the OS X machine midgard (which uses MIT Kerberos +
krbafs 1.2) to itself, delegating credentials seems to work fine:

,----
| [...]
| debug1: userauth-request for user knauel service ssh-connection method none
| debug1: attempt 0 failures 0
| debug2: monitor_read: 6 used once, disabling now
| debug2: input_userauth_request: setting up authctxt for knauel
| debug2: input_userauth_request: try method none
| debug2: monitor_read: 3 used once, disabling now
| Failed none for knauel from 134.2.12.82 port 52578 ssh2
| Failed none for knauel from 134.2.12.82 port 52578 ssh2
| debug1: userauth-request for user knauel service ssh-connection method gssapi-with-mic
| debug1: attempt 1 failures 1
| debug2: input_userauth_request: try method gssapi-with-mic
| Postponed gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
| debug1: Received some client credentials
| Authorized to knauel, krb5 principal [EMAIL PROTECTED] (krb5_kuserok)
| Accepted gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
| debug1: monitor_child_preauth: knauel has been authenticated by privileged process
| Accepted gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
| debug2: mac_init: found hmac-md5
| debug2: mac_init: found hmac-md5
| debug2: User child is on pid 15835
| debug1: permanently_set_uid: 5324/3010
| debug2: set_newkeys: mode 0
| debug2: set_newkeys: mode 1
| debug1: Entering interactive session for SSH2.
| [...]
`----

The other end:

,----
| [EMAIL PROTECTED] ~] klist -f
| Kerberos 5 ticket cache: 'API:Initial default ccache'
| Default Principal: [EMAIL PROTECTED]
| Valid Starting     Expires            Service Principal
| 04/29/04 15:47:46  04/30/04 01:47:46  krbtgt/[EMAIL PROTECTED]
|         renew until 05/06/04 15:47:46, FPRI
| 04/29/04 15:47:56  04/30/04 01:47:46  [EMAIL PROTECTED]
|         renew until 05/06/04 15:47:46, FPRT
| 04/29/04 15:48:05  04/30/04 01:47:46  host/[EMAIL PROTECTED]
|         renew until 05/06/04 15:47:46, FPRT
| 
| [EMAIL PROTECTED] ~] ssh -v midgard
| OpenSSH_3.8.1p1, OpenSSL 0.9.7b 10 Apr 2003
| debug1: Reading configuration data /etc/openssh/ssh_config
| debug1: Connecting to midgard [134.2.12.82] port 22.
| debug1: Connection established.
| debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/identity type 0
| debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_rsa type -1
| debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_dsa type 2
| debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
| debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
| debug1: Enabling compatibility mode for protocol 2.0
| debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
| debug1: SSH2_MSG_KEXINIT sent
| debug1: SSH2_MSG_KEXINIT received
| debug1: kex: server->client aes128-cbc hmac-md5 none
| debug1: kex: client->server aes128-cbc hmac-md5 none
| debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
| debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
| debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
| debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
| debug1: Host 'midgard' is known and matches the RSA host key.
| debug1: Found key in /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/known_hosts:191
| debug1: ssh_rsa_verify: signature correct
| debug1: SSH2_MSG_NEWKEYS sent
| debug1: expecting SSH2_MSG_NEWKEYS
| debug1: SSH2_MSG_NEWKEYS received
| debug1: SSH2_MSG_SERVICE_REQUEST sent
| debug1: SSH2_MSG_SERVICE_ACCEPT received
| debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
| debug1: Next authentication method: gssapi-with-mic
| debug1: Delegating credentials
| debug1: Delegating credentials
| debug1: Authentication succeeded (gssapi-with-mic).
| debug1: channel 0: new [client-session]
| debug1: Entering interactive session.
`----

Any ideas why this is not working?

-Eric
-- 
"Excuse me --- Di Du Du Duuuuh Di Dii --- Huh Weeeheeee" (Albert King)
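An added client-side preflight, not part of Eric's post or of OpenSSH: before digging into sshd, it is worth confirming the two preconditions that `debug1: Delegating credentials` depends on. The TGT in the client's cache must carry the Forwardable flag (the `F` in the `FPRI` flag field that MIT `klist -f` prints above; a TGT without it gives the GSS library nothing it is allowed to delegate, so the server sees no client credentials), and ssh_config must enable both GSSAPIAuthentication and GSSAPIDelegateCredentials. The script parses constructed samples modelled on the post's output; it assumes the MIT `klist -f` layout with the flags at the end of the `renew until` line (Heimdal's klist prints flags differently), an ssh_config written as `Keyword value` rather than `Keyword=value`, and it ignores Host stanzas.

```shell
#!/bin/sh
# Added client-side preflight for GSSAPI credential delegation (not from the
# original post).  Two things must hold before ssh can delegate a ticket:
#   1. the krbtgt entry in the cache carries the Forwardable flag ("F" in the
#      FPRI-style flag field that MIT `klist -f` prints on the "renew until" line);
#   2. ssh_config sets both GSSAPIAuthentication and GSSAPIDelegateCredentials.
# Assumptions: MIT klist -f layout (Heimdal prints flags differently) and an
# ssh_config written as "Keyword value" (no "=" form); Host stanzas are ignored.

# Constructed sample modelled on the post's `klist -f` output (forwardable TGT).
SAMPLE_KLIST='Kerberos 5 ticket cache: API:Initial default ccache
Default Principal: user@EXAMPLE.ORG
Valid Starting     Expires            Service Principal
04/29/04 15:47:46  04/30/04 01:47:46  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 05/06/04 15:47:46, FPRI
04/29/04 15:48:05  04/30/04 01:47:46  host/midgard.example.org@EXAMPLE.ORG
        renew until 05/06/04 15:47:46, FPRT'

# Constructed sample of a cache whose TGT was obtained without forwardability.
SAMPLE_KLIST_NOFWD='Default Principal: user@EXAMPLE.ORG
Valid Starting     Expires            Service Principal
04/29/04 15:47:46  04/30/04 01:47:46  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 05/06/04 15:47:46, PRI'

# Constructed ssh_config fragments: one enabling delegation, one not.
SAMPLE_SSH_CONFIG='Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes'
SAMPLE_SSH_CONFIG_OFF='# GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes'

# tgt_forwardable KLIST_TEXT -> prints "yes" if the krbtgt entry has the F flag,
# "no" if it lacks it or if no krbtgt entry is present at all.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        index($0, "krbtgt/") > 0 { want = 1; next }
        want && index($0, "renew until") > 0 {
            n = split($0, f, ", ")      # flags are the last comma-separated field
            if (index(f[n], "F") > 0) result = "yes"; else result = "no"
            exit
        }
        END { if (result == "") result = "no"; print result }
    '
}

# gss_delegation_enabled SSH_CONFIG_TEXT -> "yes" only if both keywords are yes.
# ssh_config keywords are case-insensitive and the first occurrence wins.
gss_delegation_enabled() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        key == "gssapiauthentication"      && auth  == "" { auth  = val }
        key == "gssapidelegatecredentials" && deleg == "" { deleg = val }
        END { if (auth == "yes" && deleg == "yes") print "yes"; else print "no" }
    '
}

# Run against the constructed samples.  On a real client, feed the live output
# instead:  tgt_forwardable "$(klist -f)"  and  gss_delegation_enabled "$(cat ~/.ssh/config)"
echo "TGT forwardable (sample):       $(tgt_forwardable "$SAMPLE_KLIST")"                  # yes
echo "TGT forwardable (no-F sample):  $(tgt_forwardable "$SAMPLE_KLIST_NOFWD")"            # no
echo "delegation enabled (sample):    $(gss_delegation_enabled "$SAMPLE_SSH_CONFIG")"      # yes
echo "delegation enabled (off):       $(gss_delegation_enabled "$SAMPLE_SSH_CONFIG_OFF")"  # no
```

If both checks pass on the FreeBSD client and the OS X sshd still logs `Got no client credentials`, the problem is on the GSS library side of one of the two hosts rather than in the ssh configuration, which narrows where to look next.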


________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
