ssh problems

Matias C. Szmulewiez matiassz at uolsinectis.com.ar
Mon Jun 3 14:54:13 EDT 2002


sorry...

In the krb5kdc.log:

Jun 03 15:34:56 ids krb5kdc[1239](info): TGS_REQ (2 etypes {16 1})
172.0.0.12(88): ISSUE: authtime 1023129282, etypes {rep=16 tkt=16 ses=16},
matias at FOOBAR.ORG for host/matiassz.hq.foobar.org at FOOBAR.ORG

bye

"Matias C. Szmulewiez" wrote:

> I added the principals in the KDC; later, in kadmin (on the host matias),
> I added the line "ktadd host/matias.hq.foobar.org"
>
> delorean:/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: matias at FOOBAR.ORG
>
> Valid starting     Expires            Service principal
> 06/03/02 15:31:47  06/03/02 23:31:47  krbtgt/FOOBAR.ORG at FOOBAR.ORG
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> delorean:/etc#
>
> and the ssh -vvv 172.0.0.12
>
> OpenSSH_3.0.2p1 Debian 3.0.2p1-7, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Seeding random number generator
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
>
> debug1: restore_uid
> debug1: ssh_connect: getuid 0 geteuid 0 anon 1
> debug1: Connecting to 172.0.0.12 [172.0.0.12] port 22.
> debug1: temporarily_use_uid: 0/0 (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: 0/0 (e=0)
> debug1: restore_uid
> debug1: Connection established.
> debug1: read PEM private key done: type DSA
> debug1: read PEM private key done: type RSA
> debug1: identity file /root/.ssh/identity type 0
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
> Debian 3.0.2p1-7
> debug1: match: OpenSSH_3.0.2p1 Debian 3.0.2p1-7 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1 Debian 3.0.2p1-7
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
>
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
>
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
>
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
>
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
>
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
>
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
>
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
>
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: dh_gen_key: priv key bits set: 121/256
> debug1: bits set: 1551/3191
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 9
> debug1: Host '172.0.0.12' is known and matches the RSA host key.
> debug1: Found key in /root/.ssh/known_hosts:9
> debug1: bits set: 1653/3191
> debug1: ssh_rsa_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue:
> external-keyx,gssapi,publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> external-keyx,gssapi,publickey,password,keyboard-interactive
> debug3: preferred
> external-keyx,gssapi,publickey,keyboard-interactive,password
> debug3: authmethod_lookup external-keyx
> debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled external-keyx
> debug1: next auth method to try is external-keyx
> debug2: userauth_external
> debug2: we sent a external-keyx packet, wait for reply
> debug1: authentications that can continue:
> external-keyx,gssapi,publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi
> debug1: next auth method to try is gssapi
> debug2: we sent a gssapi packet, wait for reply
> debug1: authentications that can continue:
> external-keyx,gssapi,publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: try privkey: /root/.ssh/id_rsa
> debug3: no such identity: /root/.ssh/id_rsa
> debug1: try privkey: /root/.ssh/id_dsa
> debug3: no such identity: /root/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: next auth method to try is keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
>
>  In the krb5kdc.log:
>
> Jun 03 15:34:56 ids krb5kdc[1239](info): TGS_REQ (2 etypes {16 1})
> 172.0.0.12(88): ISSUE: authtime 1023129282, etypes {rep=16 tkt=16 ses=16},
> matias at UOLSINECTIS.COM for host/matiassz.hq.sinectis.com.ar at UOLSINECTIS.COM
>
> and...
> delorean:/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: matias at FOOBAR.ORG
>
> Valid starting     Expires            Service principal
> 06/03/02 15:34:42  06/03/02 23:34:42  krbtgt/FOOBAR.ORG at FOOBAR.ORG
> 06/03/02 15:34:56  06/03/02 23:34:42  host/matiassz.hq.foobar.org at FOOBAR.ORG
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> Austin Gonyou wrote:
>
> > Yes..that's what I was going to say directly. Also, fqdn or hostnames
> > can cause this as well.
> >
> > On Mon, 2002-06-03 at 12:35, Sam Hartman wrote:
> > > That probably should work.  Can you make sure you have
> > > /etc/krb5.keytab with the right principals in it on the host you are
> > > connecting to and also give us the output of ssh -v?
> > >
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > http://mailman.mit.edu/mailman/listinfo/kerberos
> > --
> > Austin Gonyou
> > Systems Architect, CCNA
> > Coremetrics, Inc.
> > Phone: 512-698-7250
> > email: austin at coremetrics.com
> >
> > "One ought never to turn one's back on a threatened danger and
> > try to run away from it. If you do that, you will double the danger.
> > But if you meet it promptly and without flinching, you will
> > reduce the danger by half."
> > Sir Winston Churchill
> >
>
> --
> Matias C. Szmulewiez
> N.O.C.
> UOL-Sinectis S.A.
> TE (+54 011) 4321-9110 int 2501
> Buenos Aires - Argentina
> http://www.uolsinectis.com/
> matiassz at uolsinectis.com

--
Matias C. Szmulewiez
N.O.C.
UOL-Sinectis S.A.
TE (+54 011) 4321-9110 int 2501
Buenos Aires - Argentina
http://www.uolsinectis.com/
matiassz at uolsinectis.com
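
The check Sam Hartman asks for in the quoted reply (that /etc/krb5.keytab on the server holds the right principals), as an added example that is not part of the original thread: it compares the service principal in the KDC log line with a keytab listing. The `klist -k` listing is constructed and assumes the keytab contains only the principal named in the `ktadd` command; the function names are hypothetical.

```python
import re

# KDC log line from the thread (the list archive renders "@" as " at ").
KDC_LOG = (
    "Jun 03 15:34:56 ids krb5kdc[1239](info): TGS_REQ (2 etypes {16 1}) "
    "172.0.0.12(88): ISSUE: authtime 1023129282, etypes {rep=16 tkt=16 ses=16}, "
    "matias at FOOBAR.ORG for host/matiassz.hq.foobar.org at FOOBAR.ORG"
)
# Constructed `klist -k` listing: assumes the keytab holds only the
# principal named in the thread's ktadd command.
KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/matias.hq.foobar.org@FOOBAR.ORG
"""
TGS_RE = re.compile(
    r"TGS_REQ .*?: (?P<status>[A-Z_]+): .*?, "
    r"(?P<client>\S+(?: at |@)\S+) for (?P<service>\S+(?: at |@)\S+)\s*$"
)

def split_principal(principal):
    """Return (service, host, realm) for service/host@REALM."""
    name, _, realm = principal.rpartition("@")
    service, _, host = name.partition("/")
    return service, host, realm

def keytab_principals(klist_output):
    """Collect principals from the 'KVNO Principal' rows of klist -k."""
    rows = re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_output, re.M)
    return {row.group(1) for row in rows}

def check(log_line, klist_output):
    """Compare the service principal the KDC issued against the keytab."""
    m = TGS_RE.search(log_line)
    if m is None:
        raise ValueError("not a TGS_REQ log line")
    requested = m.group("service").replace(" at ", "@")
    svc, _, realm = split_principal(requested)
    keytab = keytab_principals(klist_output)
    # Same service and realm under another host name: the FQDN/hostname
    # case raised in the thread.
    other = sorted(p for p in keytab if p != requested
                   and split_principal(p)[::2] == (svc, realm))
    return {"client": m.group("client").replace(" at ", "@"),
            "requested": requested, "issued": m.group("status") == "ISSUE",
            "in_keytab": requested in keytab, "other_hosts": other}

if __name__ == "__main__":
    print(check(KDC_LOG, KLIST_K))
```

On a live server, pass the real output of `klist -k /etc/krb5.keytab` in place of `KLIST_K`.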