Hans,

Are you attempting Kerberos-based password authentication or single sign-on? Could you also give the sshd trace (-ddd)?
Best regards

Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sand...@arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Hans van Zijst
Sent: Monday 15 June 2009 10:04
To: kerberos@mit.edu
Subject: Problem: passwordless SSH-login with Kerberos doesn't work

Hi,

We, a team of 6, administer tens of Linux servers. The historic heritage is that every team member has his own local account on every machine. This is a nightmare of course, I don't have to elaborate on that :)

Recently we decided to use our Active Directory domain for the Linux machines as well. I installed 2 test machines, configured MIT Kerberos, OpenLDAP and PAM and got to the point where we can all log in to the SSH server using our Active Directory credentials. At login time, a TGT is automatically retrieved through PAM.

From there, I thought, it should be easy to automatically log into SSH without being asked for a password. Obviously I was wrong... SSH keeps asking for a password, or exits with "permission denied" if I set KerberosOrLocalPassword to "no" in the server config. Help... :)

A message in the ssh client log ("No valid Key exchange context") seems to indicate a problem with a keytab. However, the keytabs seem to be working just fine. I created these two principals in Active Directory:

host/server.staff.xxxxx...@staff.xxxxx.nl
host/client.staff.xxxxx...@staff.xxxxx.nl

and exported them in a keytab file, without Windows complaining about anything. I copied them to /etc/krb5.keytab and if I check them with ktutil, the correct principal is there.

I read a lot about Kerberos being very picky about the principal name being a hostname or FQDN, so I connect using the FQDN and put the FQDN in /etc/hosts on both sides.
Can anyone please shed some light on this? I've Googled a lot, but haven't found anything useful.

This is what I use. I installed 2 Debian Lenny machines, one as a workstation (X, Gnome, the whole shebang), one as a server (no X, only SSH really). Both are virtual machines, running in VirtualBox. They have their own dedicated IP addresses, registered in DNS (forward and reverse map) and the name and IP address of the AD server is in /etc/hosts.

This is the SSH debug log when I try to connect:

-----[ ssh client log ]-----
ssh -vvvK thisu...@server.staff.xxxxx.nl
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
debug1: Connection established.
debug1: identity file /home/thisuser/.ssh/identity type -1
debug1: identity file /home/thisuser/.ssh/id_rsa type -1
debug1: identity file /home/thisuser/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA host key.
debug1: Found key in /home/thisuser/.ssh/known_hosts:3
debug2: bits set: 528/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/thisuser/.ssh/identity ((nil))
debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/thisuser/.ssh/identity
debug3: no such identity: /home/thisuser/.ssh/identity
debug1: Trying private key: /home/thisuser/.ssh/id_rsa
debug3: no such identity: /home/thisuser/.ssh/id_rsa
debug1: Trying private key: /home/thisuser/.ssh/id_dsa
debug3: no such identity: /home/thisuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
-----

And here's the log (at DEBUG level) of the SSH server:

-----[ ssh server log ]-----
debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
debug1: Forked child 2475.
debug1: inetd sockets after dupping: 3, 3
Connection from 10.115.193.8 port 35195
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug1: PAM: initializing for "thisuser"
debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for thisuser from 10.115.193.8 port 35195 ssh2
debug1: Unspecified GSS failure.  Minor code may provide more information\nNo principal in keytab matches desired name\n
debug1: do_cleanup
debug1: PAM: cleanup
-----

This is my SSH config:

-----[ /etc/ssh/sshd_config ]-----
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
-----

I configured /etc/krb5.conf as follows:

-----[ /etc/krb5.conf ]-----
[logging]
        default = FILE:/var/log/krb5-lib.log
        kdc = FILE:/var/log/krb5-kdc.log
        admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = STAFF.XXXXX.NL
        default_keytab_name = FILE:/etc/krb5.keytab
        dns_lookup_realm = true
        dns_lookup_kdc = true
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        STAFF.XXXXX.NL = {
                kdc = zbdc01
                admin_server = zbdc01
        }

[domain_realm]
        .staff.xxxxx.nl = STAFF.XXXXX.NL
        staff.xxxxx.nl = STAFF.XXXXX.NL

[login]
        krb4_convert = false
        krb4_get_tickets = false

[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
                validate = true
        }
-----

Kind regards,

Hans van Zijst

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
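The server-side message "No principal in keytab matches desired name" means sshd's GSSAPI library looked for host/FQDN@REALM in /etc/krb5.keytab and did not find that exact string. The check below is an added example, not code from the thread: it derives the expected principal the same way the [domain_realm] section in the krb5.conf above maps a host to a realm, parses a `klist -k` listing, and classifies the usual near-misses (short host name instead of FQDN, wrong realm case). The realm names come from the post; the keytab listings are constructed.

```python
# Added example, not from the thread: derive the service principal the SSH
# server looks up in its keytab and check a `klist -k` listing for it.  The
# realm mapping mirrors the krb5.conf in the post; listings are constructed.
DEFAULT_REALM = "STAFF.XXXXX.NL"
DOMAIN_REALM = {".staff.xxxxx.nl": DEFAULT_REALM, "staff.xxxxx.nl": DEFAULT_REALM}

def realm_for_host(fqdn, domain_realm=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    # [domain_realm] lookup: exact host entry, then each parent domain
    # written with a leading dot, then default_realm.
    host = fqdn.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm

def expected_host_principal(fqdn):
    return "host/%s@%s" % (fqdn.lower(), realm_for_host(fqdn))

def parse_klist_k(output):
    # Rows of the 'KVNO Principal' table start with a numeric key version.
    rows = [line.split(None, 1) for line in output.splitlines()]
    return [r[1].strip() for r in rows if len(r) == 2 and r[0].isdigit()]

def diagnose(fqdn, klist_output):
    # Returns (status, principal): 'ok', or the closest near-miss and why.
    wanted = expected_host_principal(fqdn)
    have = parse_klist_k(klist_output)
    if wanted in have:
        return "ok", wanted
    want_inst, want_realm = wanted[len("host/"):].split("@")
    for p in have:
        if not p.startswith("host/"):
            continue
        inst, _, realm = p[len("host/"):].partition("@")
        if inst.lower() == want_inst and realm.upper() == want_realm:
            return "case-mismatch", p        # Kerberos names are case-sensitive
        if inst.lower() == want_inst.split(".")[0]:
            return "short-name-not-fqdn", p  # host/server instead of host/FQDN
    return "missing", wanted

# Constructed listings: a correct one, and one exported for the short host name.
GOOD_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 host/server.staff.xxxxx.nl@STAFF.XXXXX.NL
"""
SHORT_KEYTAB = GOOD_KEYTAB.replace("host/server.staff.xxxxx.nl@", "host/server@")
```

Feed it the real `hostname -f` and `klist -k` output on the SSH server; a "short-name-not-fqdn" or "case-mismatch" result explains the sshd log line above without any network round trip.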