On Wed, May 19 2010 at 01:18, Antoine Jacoutot wrote:

> On Wed, 19 May 2010, Claer wrote:
> > _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
> > claer:*:1000:1000:Claer:/home/claer:/bin/ksh
> > 
> > Now the next step is to try an authentication with ssh. That's why
> > /etc/login.conf has been modified regarding the auth entry:
> > 
> > auth-defaults:auth=krb5-or-pwd,passwd:
> > 
> > But, when I try to ssh in with -l claer, sshd doesn't seem to find
> > the "claer" passwd entry and I have this line on the kerberos server :
> > 
> > May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 
> > 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for 
> > krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos 
> > database
> > 
> > Any hint ?
> 
> Did you add your host principal to /etc/kerberosV/krb5.keytab?

Yep. If the "claer" local account is enabled, it's working fine with
Kerberos auth. I can confirm this by watching log files and I even tried
to alter the hashed passwd with vipw to be sure I was not using the 
local password.

ypldap + ypbind are working fine:

# tail -n 2 /etc/passwd
_claer:*:1000:1000:Claer:/home/claer:/bin/ksh
+:*:0:0:::/bin/ksh
# getent passwd | tail -n 4
_claer:$2a$06$SgIzOv47AbodJPX7jzgAoOioV322Dk5Cha9VCyqgU/b6/YUDU4TM6:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh
megami:*:1001:1001:Megami:/home/megami:/bin/ksh
nobody:*:65534:65534:nobody:/nonexistent:/bin/ksh

I started a test ssh server on port 2222 to check. Here are the
interesting debug logs:

debug1: userauth-request for user claer service ssh-connection method none
debug1: attempt 0 failures 0
debug1: unable to get login class: claer
input_userauth_request: invalid user claer
Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
debug1: userauth-request for user claer service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: userauth-request for user claer service ssh-connection method 
keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=claer devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
debug1: userauth-request for user claer service ssh-connection method password
debug1: attempt 3 failures 2
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: Kerberos password authentication failed: Client not found in Kerberos 
database
debug1: krb5_cleanup_proc called
Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2

The log extract from authlog:
May 19 20:44:24 socrate krb5-or-pwd: verify: Client not found in Kerberos 
database

However, on the kerberos server side, no request has been made to the
"claer" account:
May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 
2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for 
krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Thanks for helping me so far!



Claer
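
As an added triage example (written here, not part of the thread or of OpenBSD): a small Python script that reads the sshd debug lines and the krb5kdc line quoted above and reports whether the Kerberos error is a KDC-side problem or a consequence of sshd having already rejected the local account (the "unable to get login class" line) before the password step. The log samples are constructed from the thread, and the elided principal is kept as it appears on the page.

```python
import re

# Sample log lines constructed from the thread above (sshd -d output and one
# krb5kdc line). The client principal is truncated on the page; kept as-is.
SSHD_LOG = """\
debug1: userauth-request for user claer service ssh-connection method none
debug1: unable to get login class: claer
input_userauth_request: invalid user claer
Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
debug1: userauth-request for user claer service ssh-connection method password
debug1: Kerberos password authentication failed: Client not found in Kerberos database
Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2
"""
KDC_LOG = ("May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes "
           "{18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: "
           "nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, "
           "Client not found in Kerberos database")

CLASS_RE = re.compile(r"unable to get login class: (\S+)")
FAIL_RE = re.compile(r"Failed (\S+) for invalid user (\S+) from (\S+)")
ASREQ_RE = re.compile(r"AS_REQ .*?: (\w+): (\S+?)@(\S+) for ")

def triage_sshd(log):
    """Per user: did the login-class lookup fail, and which methods failed after it."""
    report = {}
    for line in log.splitlines():
        m = CLASS_RE.search(line)
        if m:
            entry = report.setdefault(m.group(1), {"class_lookup_failed": False, "failed_methods": []})
            entry["class_lookup_failed"] = True
            continue
        m = FAIL_RE.search(line)
        if m:
            entry = report.setdefault(m.group(2), {"class_lookup_failed": False, "failed_methods": []})
            entry["failed_methods"].append(m.group(1))
    return report

def kdc_client(line):
    """Extract (status, client principal name, realm) from a krb5kdc AS_REQ line."""
    m = ASREQ_RE.search(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def explain(user, sshd_log, kdc_line):
    """Classify the failure: local account rejected by sshd, or principal unknown to the KDC."""
    rep = triage_sshd(sshd_log).get(user)
    kdc = kdc_client(kdc_line)
    if rep and rep["class_lookup_failed"]:
        if kdc and kdc[1] != user:
            return "local: login class lookup failed; KDC saw principal %r, not %r" % (kdc[1], user)
        return "local: login class lookup failed for %s" % user
    if kdc and kdc[0] == "CLIENT_NOT_FOUND":
        return "kdc: principal %s not found in realm %s" % (kdc[1], kdc[2])
    return "unknown"
```

Run `explain("claer", SSHD_LOG, KDC_LOG)` on the samples to see the local-side classification; feeding it a log where the class lookup succeeds falls through to the KDC-side verdict.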
