ssh problems

Matias C. Szmulewiez matiassz at uolsinectis.com.ar
Mon Jun 3 14:42:14 EDT 2002


I added the principals in the KDC; later, in kadmin (on the host matias),
I added the line "ktadd host/matias.hq.foobar.org"

delorean:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: matias@FOOBAR.ORG

Valid starting     Expires            Service principal
06/03/02 15:31:47  06/03/02 23:31:47  krbtgt/FOOBAR.ORG@FOOBAR.ORG

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
delorean:/etc#

and the output of ssh -vvv 172.0.0.12:

OpenSSH_3.0.2p1 Debian 3.0.2p1-7, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.

debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to 172.0.0.12 [172.0.0.12] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /root/.ssh/identity type 0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1 Debian 3.0.2p1-7
debug1: match: OpenSSH_3.0.2p1 Debian 3.0.2p1-7 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1 Debian 3.0.2p1-7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 121/256
debug1: bits set: 1551/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 9
debug1: Host '172.0.0.12' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:9
debug1: bits set: 1653/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
debug3: start over, passed a different list
external-keyx,gssapi,publickey,password,keyboard-interactive
debug3: preferred
external-keyx,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup external-keyx
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled external-keyx
debug1: next auth method to try is external-keyx
debug2: userauth_external
debug2: we sent a external-keyx packet, wait for reply
debug1: authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi
debug1: next auth method to try is gssapi
debug2: we sent a gssapi packet, wait for reply
debug1: authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: try privkey: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

In the krb5kdc.log:

Jun 03 15:34:56 ids krb5kdc[1239](info): TGS_REQ (2 etypes {16 1}) 172.0.0.12(88): ISSUE: authtime 1023129282, etypes {rep=16 tkt=16 ses=16}, matias@UOLSINECTIS.COM for host/matiassz.hq.sinectis.com.ar@UOLSINECTIS.COM


and...
delorean:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: matias@FOOBAR.ORG

Valid starting     Expires            Service principal
06/03/02 15:34:42  06/03/02 23:34:42  krbtgt/FOOBAR.ORG@FOOBAR.ORG
06/03/02 15:34:56  06/03/02 23:34:42  host/matiassz.hq.foobar.org@FOOBAR.ORG

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached




Austin Gonyou wrote:

> Yes..that's what I was going to say directly. Also, fqdn or hostnames
> can cause this as well.
>
> On Mon, 2002-06-03 at 12:35, Sam Hartman wrote:
> > That probably should work.  Can you make sure you have
> > /etc/krb5.keytab with the right principals in it on the host you are
> > connecting to and also give us the output of ssh -v?
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos
> --
> Austin Gonyou
> Systems Architect, CCNA
> Coremetrics, Inc.
> Phone: 512-698-7250
> email: austin at coremetrics.com
>
> "One ought never to turn one's back on a threatened danger and
> try to run away from it. If you do that, you will double the danger.
> But if you meet it promptly and without flinching, you will
> reduce the danger by half."
> Sir Winston Churchill
>

--
Matias C. Szmulewiez
N.O.C.
UOL-Sinectis S.A.
TE (+54 011) 4321-9110 int 2501
Buenos Aires - Argentina
http://www.uolsinectis.com/
matiassz at uolsinectis.com
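A small check for the mismatch this thread is circling: the client holds a ticket for host/matiassz.hq.foobar.org, while the keytab entry added with ktadd was host/matias.hq.foobar.org, so the server cannot decrypt the GSSAPI token and ssh silently falls through to keyboard-interactive. This is an added example, not code from the thread; the `klist -k` output is constructed on the assumption that only the ktadd'ed principal is in the keytab, and the "@" signs are restored from the archive's " at " munging.

```python
import re
from typing import List, Set

# Constructed sample modelled on the post's klist output (" at " restored to "@").
CCACHE_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: matias@FOOBAR.ORG

Valid starting     Expires            Service principal
06/03/02 15:34:42  06/03/02 23:34:42  krbtgt/FOOBAR.ORG@FOOBAR.ORG
06/03/02 15:34:56  06/03/02 23:34:42  host/matiassz.hq.foobar.org@FOOBAR.ORG
"""
# Constructed `klist -k /etc/krb5.keytab` output, assuming only the ktadd'ed principal.
KEYTAB_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/matias.hq.foobar.org@FOOBAR.ORG
"""
# service/instance@REALM; user principals without "/" are deliberately skipped
PRINCIPAL_RE = re.compile(r"\b(?P<svc>[\w-]+)/(?P<host>[\w.\-]+)@(?P<realm>[\w.\-]+)")

def service_principals(text: str) -> Set[str]:
    """All service principals named in klist / klist -k style output."""
    return {m.group(0) for m in PRINCIPAL_RE.finditer(text)}

def explain_missing(ccache: Set[str], keytab: Set[str]) -> List[str]:
    """For each cached service ticket with no exact keytab entry, report which
    part differs: the host (FQDN / short-name mismatch) or the realm."""
    findings = []
    keys = [PRINCIPAL_RE.match(k) for k in keytab]
    for princ in sorted(ccache - keytab):
        m = PRINCIPAL_RE.match(princ)
        if m.group("svc") == "krbtgt":
            continue  # TGTs are never expected in a host keytab
        same_svc = [k for k in keys if k.group("svc") == m.group("svc")]
        if not same_svc:
            findings.append(f"{princ}: keytab has no {m.group('svc')}/ key at all")
            continue
        hosts = sorted({k.group("host") for k in same_svc})
        realms = sorted({k.group("realm") for k in same_svc})
        if m.group("host") not in hosts:
            findings.append(f"{princ}: host part mismatch, keytab has {m.group('svc')}/ keys for {', '.join(hosts)}")
        elif m.group("realm") not in realms:
            findings.append(f"{princ}: realm mismatch, keytab realms: {', '.join(realms)}")
    return findings

def check(ccache_text: str = CCACHE_OUTPUT, keytab_text: str = KEYTAB_OUTPUT) -> List[str]:
    return explain_missing(service_principals(ccache_text), service_principals(keytab_text))
```

On a real system, feed it the client's `klist` and the server's `klist -k /etc/krb5.keytab` output; an empty result means every service ticket the client holds has a matching keytab key.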





