Good day. My setup:

  RHEL-based distro
  OpenSSH_8.9p1 sshd
  kerberos-libs 1.20.1
  sssd 2.8.2
The server joined the Windows AD via realm. Authentication from a Windows client (PuTTY 0.71) via password works well, but GSSAPI fails with this error (sshd logs):

  No credentials were supplied, or the credentials were unavailable or inaccessible
  No key table entry found matching host/SERVER.domain.local@

  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     4 [email protected]
     4 [email protected]
     4 host/[email protected]
     4 host/[email protected]
     4 host/[email protected]
     4 host/[email protected]
     4 RestrictedKrbHost/[email protected]
     4 RestrictedKrbHost/[email protected]
     4 RestrictedKrbHost/[email protected]
     4 RestrictedKrbHost/[email protected]

  $ hostname -f
  SERVER.domain.local
  $ dig +short -x <IP>
  SERVER.domain.local

krb5.conf
=======
  includedir /etc/krb5.conf.d/

  [libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
  pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
  spake_preauth_groups = edwards25519
  dns_canonicalize_hostname = fallback
  qualify_shortname = ""
  default_ccache_name = KEYRING:persistent:%{uid}
  default_keytab_name = FILE:/etc/krb5.keytab

  [realms]

  [domain_realm]

Workarounds with sshd_config "GSSAPIStrictAcceptorCheck no" or krb5.conf "ignore_acceptor_hostname = true" work well, but I want to keep a strict hostname check.
Well, I have found that if I use an all-lowercase hostname, everything works well:

  $ hostname -f
  server.domain.local
  $ dig +short -x <IP>
  server.domain.local

  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     2 [email protected]
     2 [email protected]
     2 host/[email protected]
     2 host/[email protected]
     2 host/[email protected]
     2 host/[email protected]
     2 RestrictedKrbHost/[email protected]
     2 RestrictedKrbHost/[email protected]
     2 RestrictedKrbHost/[email protected]
     2 RestrictedKrbHost/[email protected]

  Apr 18 19:37:54 server.domain.local sshd[51224]: Authorized to [email protected], krb5 principal [email protected] (ssh_gssapi_krb5_cmdok)
  Apr 18 19:37:55 server.domain.local sshd[51224]: Accepted gssapi-with-mic for [email protected] from 10.*.*.* port 57997 ssh2: [email protected]
  Apr 18 19:37:55 server.domain.local sshd[51224]: pam_unix(sshd:session): session opened for user [email protected](uid=***) by (uid=0)

Is this predefined behavior, or do I not understand something?

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
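A small diagnostic for the mismatch described in the post, added here as an example and not part of the original message: it parses `klist -k` output and reports whether the acceptor name sshd looks up, host/<hostname -f>@REALM, has an exact-case entry in the keytab, only a case-insensitive one (the situation above, where the host is SERVER.domain.local but the keytab holds the lowercase principal), or none at all. The realm DOMAIN.LOCAL and the sample keytab listing are constructed assumptions, since the principals in the post were redacted.

```python
import re
import subprocess

# Constructed sample of `klist -k` output; realm DOMAIN.LOCAL is assumed,
# the real principals in the post were redacted.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 SERVER$@DOMAIN.LOCAL
   4 host/server.domain.local@DOMAIN.LOCAL
   4 host/SERVER@DOMAIN.LOCAL
   4 RestrictedKrbHost/server.domain.local@DOMAIN.LOCAL
"""


def parse_klist(output):
    """Return (kvno, principal) pairs from `klist -k` output, skipping the header lines."""
    entries = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_acceptor(fqdn, realm, entries):
    """Classify how sshd's acceptor name host/<fqdn>@<realm> matches the keytab.

    Principal names are case-sensitive, so 'case-only' is exactly the failure
    the post shows: a lookup for host/SERVER.domain.local finds no entry even
    though host/server.domain.local is present.
    """
    wanted = f"host/{fqdn}@{realm}"
    principals = [p for _, p in entries]
    if wanted in principals:
        return "exact"
    if any(p.lower() == wanted.lower() for p in principals):
        return "case-only"
    return "missing"


def live_check(realm):
    """Run hostname -f and klist -k on this host (needs krb5 client tools installed)."""
    fqdn = subprocess.run(["hostname", "-f"], capture_output=True, text=True, check=True).stdout.strip()
    out = subprocess.run(["klist", "-k"], capture_output=True, text=True, check=True).stdout
    return fqdn, check_acceptor(fqdn, realm, parse_klist(out))


if __name__ == "__main__":
    for fqdn in ("SERVER.domain.local", "server.domain.local"):
        print(fqdn, "->", check_acceptor(fqdn, "DOMAIN.LOCAL", parse_klist(SAMPLE_KLIST)))
```

A "case-only" result means fixing the hostname case (or the keytab principal) keeps the strict acceptor check intact, instead of relaxing it with GSSAPIStrictAcceptorCheck or ignore_acceptor_hostname.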
