Hi Stefano,

you need a Kerberos principal for each "server" - in your case sshd - on every machine: ssh/....@....
And take a look at your ntp.conf - all of your machines need to have the same time!

Greetings
Alex

On 04/28/2010 12:09 PM, Stefano Elmopi wrote:
>
>
> Hi,
>
> I'm trying to perform SSH authentication using Kerberos, but I am a beginner.
> The steps I followed are those in this guide:
>
> http://www.visolve.com/security/ssh_kerberos.php#Configuring_the_Kerberos_environment
>
> but I definitely made some wrong step and I cannot understand where.
> My lab is composed of:
> server KDC   realm.sso1.sociale.it   10.43.165.10
> server SSH   ldap2.sso1.sociale.it   10.43.165.36
> client SSH   my machine, MacOSX      10.43.130.100
>
> Both servers are in the DNS.
>
> ###############################################
> On the KDC server:
>
> cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = REALM.SSO1.SOCIALE.IT
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> REALM.SSO1.SOCIALE.IT = {
> kdc = realm.sso1.sociale.it:88
> admin_server = realm.sso1.sociale.it:749
> default_domain = sso1.sociale.it
> }
>
> [domain_realm]
> realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> -------------------------------------------------------
>
> kadmin: listprincs
> K/m...@realm.sso1.sociale.it
> admin/ad...@realm.sso1.sociale.it
> host/ldap2.sso1.sociale...@realm.sso1.sociale.it
> kadmin/ad...@realm.sso1.sociale.it
> kadmin/chang...@realm.sso1.sociale.it
> kadmin/hist...@realm.sso1.sociale.it
> kadmin/realm.sso1.sociale...@realm.sso1.sociale.it
> krbtgt/realm.sso1.sociale...@realm.sso1.sociale.it
> pres...@realm.sso1.sociale.it
> ###############################################
>
> ###############################################
> On the SSH server:
>
> cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = REALM.SSO1.SOCIALE.IT
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> REALM.SSO1.SOCIALE.IT = {
> kdc = realm.sso1.sociale.it:88
> admin_server = realm.sso1.sociale.it:749
> default_domain = sso1.sociale.it
> }
>
> [domain_realm]
> realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
>
> [appdefaults]
> pam = {
> debug = true
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> -------------------------------------------------------
>
> kadmin: ktadd -k /etc/krb5.keytab host/ldap2.sso1.sociale...@realm.sso1.sociale.it
>
> -------------------------------------------------------
>
> cat /etc/ssh/sshd_config
> # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
>
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options change a
> # default value.
>
> #Port 22
> #Protocol 2,1
> Protocol 2
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 768
>
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
> LogLevel DEBUG3
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin yes
> #StrictModes yes
> #MaxAuthTries 6
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> PasswordAuthentication yes
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> ChallengeResponseAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> KerberosAuthentication yes
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials yes
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication mechanism.
> # Depending on your PAM configuration, this may bypass the setting of
> # PasswordAuthentication, PermitEmptyPasswords, and
> # "PermitRootLogin without-password". If you just want the PAM account and
> # session checks to run without PAM authentication, then enable this but set
> # ChallengeResponseAuthentication=no
> UsePAM no
> ## UsePAM yes
>
> # Accept locale-related environment variables
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> #AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #ShowPatchLevel no
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
> #PermitTunnel no
> #ChrootDirectory none
>
> # no default banner path
> #Banner /some/path
>
> # override default of no subsystems
> Subsystem sftp /usr/libexec/openssh/sftp-server
> ###############################################
>
> ###############################################
> On my machine (the SSH client):
>
> cat /Library/Preferences/edu.mit.Kerberos
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = REALM.SSO1.SOCIALE.IT
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> REALM.SSO1.SOCIALE.IT = {
> kdc = realm.sso1.sociale.it:88
> admin_server = realm.sso1.sociale.it:749
> default_domain = sso1.sociale.it
> }
>
> [domain_realm]
> realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
>
> [appdefaults]
> pam = {
> debug = true
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> ###############################################
>
> From my machine I do:
>
> kinit preside
> Please enter the password for pres...@realm.sso1.sociale.it:
>
> klist
> Kerberos 5 ticket cache: 'API:Initial default ccache'
> Default principal: pres...@realm.sso1.sociale.it
>
> Valid Starting     Expires            Service Principal
> 04/28/10 11:32:52  04/29/10 11:32:52  krbtgt/realm.sso1.sociale...@realm.sso1.sociale.it
>         renew until 04/28/10 11:32:52
>
> But when I do
>
> ssh pres...@ldap2.sso1.sociale.it
>
> it does not work: it asks me for the password.
> If I then run klist again:
>
> klist
> Kerberos 5 ticket cache: 'API:Initial default ccache'
> Default principal: pres...@realm.sso1.sociale.it
>
> Valid Starting     Expires            Service Principal
> 04/28/10 11:32:52  04/29/10 11:32:52  krbtgt/realm.sso1.sociale...@realm.sso1.sociale.it
>         renew until 04/28/10 11:32:52
> 04/28/10 11:36:26  04/29/10 11:32:52  host/ldap2.sso1.sociale.it@
>         renew until 04/28/10 11:32:52
>
> On the SSH server, in the log file /var/log/secure, the lines that I think are significant are:
>
> Apr 28 11:15:59 ldap2 sshd[4375]: debug1: userauth-request for user preside service ssh-connection method none
> Apr 28 11:15:59 ldap2 sshd[4375]: debug1: attempt 0 failures 0
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_getpwnamallow entering
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering: type 7
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: monitor_read: checking request 7
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_receive_expect entering: type 8
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_pwnamallow
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_receive entering
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: auth_shadow_acctexpired: today 14727 sp_expire -1 days left -14728
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: account expiration disabled
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_request_send entering: type 8
> Apr 28 11:15:59 ldap2 sshd[4375]: debug2: input_userauth_request: setting up authctxt for preside
> Apr 28 11:15:59 ldap2 sshd[4374]: debug2: monitor_read: 7 used once, disabling now
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_inform_authserv entering
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_request_receive entering
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering: type 3
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_inform_authrole entering
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: monitor_read: checking request 3
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering: type 4
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_authserv: service=ssh-connection, style=
> Apr 28 11:15:59 ldap2 sshd[4375]: debug2: input_userauth_request: try method none
> Apr 28 11:15:59 ldap2 sshd[4374]: debug2: monitor_read: 3 used once, disabling now
> Apr 28 11:16:00 ldap2 sshd[4375]: debug1: userauth-request for user preside service ssh-connection method gssapi-with-mic
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4375]: debug1: attempt 1 failures 1
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking request 4
> Apr 28 11:16:00 ldap2 sshd[4375]: debug2: input_userauth_request: try method gssapi-with-mic
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_answer_authrole: role=
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_send entering: type 38
> Apr 28 11:16:00 ldap2 sshd[4374]: debug2: monitor_read: 4 used once, disabling now
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive_expect entering: type 39
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking request 38
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_send entering: type 39
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: Normalising mapped IPv4 in IPv6 address
> Apr 28 11:16:00 ldap2 sshd[4375]: Postponed gssapi-with-mic for preside from 10.43.130.100 port 50310 ssh2
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_send entering: type 40
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive_expect entering: type 41
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking request 40
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4374]: debug1: Unspecified GSS failure.  Minor code may provide more information\nUnknown code krb5 144\n
> Apr 28 11:16:00 ldap2 sshd[4374]: debug1: Got no client credentials
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_send entering: type 41
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4375]: debug1: userauth-request for user preside service ssh-connection method gssapi-with-mic
> Apr 28 11:16:00 ldap2 sshd[4375]: debug1: attempt 2 failures 2
> Apr 28 11:16:00 ldap2 sshd[4375]: debug2: input_userauth_request: try method gssapi-with-mic
> Apr 28 11:16:01 ldap2 sshd[4375]: debug1: userauth-request for user preside service ssh-connection method gssapi-with-mic
> Apr 28 11:16:01 ldap2 sshd[4375]: debug1: attempt 3 failures 3
> Apr 28 11:16:01 ldap2 sshd[4375]: debug2: input_userauth_request: try method gssapi-with-mic
> Apr 28 11:16:01 ldap2 sshd[4375]: debug1: userauth-request for user preside service ssh-connection method publickey
> Apr 28 11:16:01 ldap2 sshd[4375]: debug1: attempt 4 failures 4
> Apr 28 11:16:01 ldap2 sshd[4375]: debug2: input_userauth_request: try method publickey
> Apr 28 11:16:01 ldap2 sshd[4375]: debug1: test whether pkalg/pkblob are acceptable
>
>
> On the KDC server, in the log file /var/log/krb5kdc.log, I have the following line the first time I try to connect after I've done kinit:
>
> realm.sso1.sociale.it krb5kdc[2546](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.43.130.100: ISSUE: authtime 1272447967, etypes {rep=16 tkt=16 ses=16}, pres...@realm.sso1.sociale.it for host/ldap2.sso1.sociale...@realm.sso1.sociale.it
>
> If, after the first time, I try to connect again and I interrupt the transaction when the server asks me for my password, I do not see anything in the log file; but if I enter the password, in the log file I have:
>
> realm.sso1.sociale.it krb5kdc[2546](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.43.165.36: ISSUE: authtime 1272448910, etypes {rep=16 tkt=16 ses=16}, pres...@realm.sso1.sociale.it for krbtgt/realm.sso1.sociale...@realm.sso1.sociale.it
> realm.sso1.sociale.it krb5kdc[2546](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.43.165.36: ISSUE: authtime 1272448910, etypes {rep=16 tkt=16 ses=16}, pres...@realm.sso1.sociale.it for host/ldap2.sso1.sociale...@realm.sso1.sociale.it
>
> Can someone help me....... I'm going crazy.
> Thanks
>
>
>
>
>
>
> Ing. Stefano Elmopi
> Gruppo Darco - ICT Systems Manager
> Via Ostiense 131/L Corpo B, 00154 Roma
>
> cell. 3466147165
> tel. 0657060500
> email:stefano.elm...@sociale.it
>
> "Pursuant to the law on the protection of personal privacy (Legislative Decree no. 196/2003), this e-mail is intended solely for the persons indicated above and the information it contains is to be considered strictly confidential. It is forbidden to read, copy, use or disseminate the contents of this e-mail without authorisation. If you have received this message in error, please return it to the sender. Thank you"
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Alexander Luedtke
System administrator

Address: TUM - Garching
         Boltzmannstr. 3
         85748 Garching b. Muenchen
Chair: I20 - Prof. Eckert
Room: 01.08.036
Tel: ++49 (89) 289 - 18039
Fax: ++49 (89) 289 - 18579
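The two preconditions Alex raises (a host service principal in the SSH server's keytab, and clocks within the allowed skew), together with the client-side host-to-realm mapping that decides which realm the client puts on the host/ principal it asks the KDC for, can be checked before anyone looks at DEBUG3 sshd logs. The script below is an added example written for this page; it is not code from the thread, from OpenSSH or from MIT Kerberos. It parses a krb5.conf modelled on the one posted (only the sections the checks need), a `klist -k` listing that is constructed here with the obfuscated principal name expanded to host/ldap2.sso1.sociale.it@REALM.SSO1.SOCIALE.IT as an assumption, and two Unix timestamps standing in for the client and KDC clocks. The host-to-realm rule follows the MIT documentation for [domain_realm] (exact host name first, then parent domains; a leading dot restricts an entry to subdomains), and the 300 s default for clockskew is the MIT library default. With the posted configuration the realm check fails for ldap2.sso1.sociale.it, which is consistent with the `host/ldap2.sso1.sociale.it@` entry with an empty realm in the client's second klist output.

```python
"""Preflight checks for GSSAPI (Kerberos) SSH logins.

Added example for this thread: three checks an admin would otherwise do by
hand with klist -k, kadmin and ntpq, done in pure Python over captured text.
All sample data below is constructed, modelled on the thread's configuration.
"""
import re
from typing import Dict, List, Optional

# Constructed: the sections of the posted krb5.conf that matter here.
KRB5_CONF = """
[libdefaults]
default_realm = REALM.SSO1.SOCIALE.IT
dns_lookup_realm = false

[domain_realm]
realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
"""

# Constructed: what `klist -k /etc/krb5.keytab` could print on the SSH server
# after the ktadd shown in the thread (principal name expanded by assumption).
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap2.sso1.sociale.it@REALM.SSO1.SOCIALE.IT
   2 host/ldap2.sso1.sociale.it@REALM.SSO1.SOCIALE.IT
"""

DEFAULT_CLOCKSKEW = 300  # MIT krb5 default when [libdefaults] clockskew is unset


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser: section name -> {key: value}. Nested { } blocks are flattened."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None and not line.endswith("{"):
            key, _, val = line.partition("=")
            sections[current][key.strip()] = val.strip()
    return sections


def host_realm(hostname: str, conf: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Realm for a host under the [domain_realm] rule: exact name, then each
    parent domain ('.sso1.sociale.it' matches subdomains only, 'sso1.sociale.it'
    matches the domain and its subdomains). None means no mapping was found."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    return None  # library would fall back to the default realm or a KDC referral


def keytab_principals(listing: str) -> List[str]:
    """Principal names from `klist -k` output lines of the form 'KVNO principal'."""
    return [m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", listing, re.M)]


def check_host_keytab(fqdn: str, realm: str, listing: str) -> bool:
    """True when host/<fqdn>@<realm> is present in the keytab listing."""
    return f"host/{fqdn}@{realm}" in keytab_principals(listing)


def check_clock_skew(client_ts: int, kdc_ts: int, conf: Dict[str, Dict[str, str]]) -> bool:
    """True when the two clocks differ by no more than the configured clockskew."""
    allowed = int(conf.get("libdefaults", {}).get("clockskew", DEFAULT_CLOCKSKEW))
    return abs(client_ts - kdc_ts) <= allowed


def preflight(fqdn: str, conf_text: str, listing: str, client_ts: int, kdc_ts: int) -> List[str]:
    """Run all three checks for one SSH server; returns a list of problems (empty = OK)."""
    conf = parse_krb5_conf(conf_text)
    realm = conf["libdefaults"]["default_realm"]
    problems: List[str] = []
    if host_realm(fqdn, conf) is None:
        problems.append(f"no [domain_realm] entry covers {fqdn}")
    if not check_host_keytab(fqdn, realm, listing):
        problems.append(f"host/{fqdn}@{realm} missing from keytab")
    if not check_clock_skew(client_ts, kdc_ts, conf):
        problems.append("clock skew between client and KDC exceeds clockskew")
    return problems


if __name__ == "__main__":
    for p in preflight("ldap2.sso1.sociale.it", KRB5_CONF, KEYTAB_LISTING, 1272447967, 1272447967):
        print("PROBLEM:", p)
```

Run as-is it reports only the missing [domain_realm] coverage for the SSH server; adding a line such as `.sso1.sociale.it = REALM.SSO1.SOCIALE.IT` to the constructed config makes that check pass. On a real host the two constructed strings would be replaced by the contents of /etc/krb5.conf and the output of `klist -k`, and the timestamps by the local clock and an NTP query against the KDC.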