OpenSSH

Michael T. Dean mtdean at thirdcontact.com
Wed Jun 12 18:18:31 EDT 2002 

I'm a Kerberos newbie with the same old "trying to Kerberize OpenSSH" 
question.  I've read FAQ's, newsgroups, and about every resource I could 
find on the net, but still can't get things working right.  I've 
narrowed the problem down to about a million possibilities (due to holes 
in my understanding), and testing them all will take quite a while, so 
I'm asking the experts...

Why do I have to type in my Kerberos password when I ssh to another 
computer.  (I do have a .k5login in my home directory--see details.)

Here's the short description, and the details are shown below:
When I ssh to another computer, it does password authentication. 
However, when I've logged in, OpenSSH has set up my ticket cache for me. 
  When I log out, it cleans up my tickets.  If I change my Kerberos 
password to something different from my "/etc/passwd" password, it will 
only accept my Kerberos password.  Therefore, I know it "knows about" 
Kerberos.  It seems like all it does with Kerberos authentication is use 
it to set up the ticket cache.

Thanks,
Mike Dean

Details: boundary=-----
-----
OpenSSH version (via ssh -V)
OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
Compiled with (on both client and server):
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords 
--with-skey --with-tcp-wrappers --with-kerberos5
-----
/etc/ssh/ssh_config (contains 1 uncommented line):
KerberosAuthentication yes
-----
/etc/ssh/sshd_config (all OpenSSH defaults, except Kerberos section):
KerberosAuthentication yes
KerberosTicketCleanup yes
-----
contents of .k5login (on client and server)
mdean at THIRDCONTACT
-----
output of hostname is FQDN
client: io.thirdcontact
server: europa.thirdcontact
-----
Principals in krb5.keytab
client: host/io.thirdcontact at THIRDCONTACT
server: host/europa.thirdcontact at THIRDCONTACT
-----
output of klist on client:
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mdean at THIRDCONTACT

Valid starting     Expires            Service principal
06/12/02 17:29:27  06/13/02 01:29:27  krbtgt/THIRDCONTACT at THIRDCONTACT


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
-----
output of klist on server (after login):
Default principal: mdean at THIRDCONTACT

Valid starting     Expires            Service principal
06/12/02 17:52:13  06/13/02 01:52:13  krbtgt/THIRDCONTACT at THIRDCONTACT


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
-----
output from 'sshd -d'
debug1: sshd version OpenSSH_3.2.3p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 172.16.0.5 port 32790
debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 119/256
debug1: bits set: 1584/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1585/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user mdean service ssh-connection method none
debug1: attempt 0 failures 0
debug1: userauth_banner: sent
Failed none for mdean from 172.16.0.5 port 32790 ssh2
debug1: userauth-request for user mdean service ssh-connection method 
keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=mdean devs=
debug1: kbdint_alloc: devices 'skey'
debug1: auth2_challenge_start: trying authentication method 'skey'
Failed keyboard-interactive for mdean from 172.16.0.5 port 32790 ssh2
debug1: userauth-request for user mdean service ssh-connection method 
password
debug1: attempt 2 failures 2
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
Accepted password for mdean from 172.16.0.5 port 32790 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 7 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/ttyp6
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: fd 4 setting TCP_NODELAY
debug1: channel 0: rfd 9 isatty
debug1: fd 9 setting O_NONBLOCK
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 316
debug1: session_exit_message: session 0 channel 0 pid 316
debug1: channel request 0: exit-status
debug1: session_exit_message: release channel 0
debug1: channel 0: write failed
debug1: channel 0: close_write
debug1: channel 0: output open -> closed
debug1: session_close: session 0 pid 316
debug1: session_pty_cleanup: session 0 release /dev/ttyp6
debug1: channel 0: read<=0 rfd 9 len -1
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: channel 0: input drain -> closed
debug1: channel 0: send close
debug1: channel 0: rcvd close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: server-session, nchannels 1
Connection closed by remote host.
debug1: krb5_cleanup_proc called
Closing connection to 172.16.0.5
-----
Output from 'ssh -v europa.thirdcontact'
OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be 
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to europa.thirdcontact [172.16.12.16] port 22.
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/mdean/.ssh/identity type -1
debug1: identity file /home/mdean/.ssh/id_rsa type -1
debug1: identity file /home/mdean/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version 
OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.2.3p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1585/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'europa.thirdcontact' is known and matches the RSA host key.
debug1: Found key in /home/mdean/.ssh/known_hosts:6
debug1: bits set: 1584/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
Welcome to europa.
debug1: authentications that can continue: 
publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/mdean/.ssh/identity
debug1: try privkey: /home/mdean/.ssh/id_rsa
debug1: try privkey: /home/mdean/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: 
publickey,password,keyboard-interactive
debug1: next auth method to try is password
debug1: ssh-userauth2 successful: method password
debug1: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Wed Jun 12 17:57:45 2002 from io.thirdcontact

Environment:
   USER=mdean
   LOGNAME=mdean
   HOME=/home/mdean
   PATH=/usr/bin:/bin:/usr/sbin:/sbin
   MAIL=/var/mail/mdean
   SHELL=/bin/bash
   SSH_CLIENT=172.16.0.5 32790 22
   SSH_TTY=/dev/ttyp6
   TERM=xterm-xfree86
   KRB5CCNAME=/tmp/krb5cc_500_4krAie
]0;mdean at europa.thirdcontact: /home/mdean[mdean at europa mdean]$ exit
logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: fd 1 clearing O_NONBLOCK
Connection to europa.thirdcontact closed.
debug1: Transferred: stdin 0, stdout 0, stderr 43 bytes in 1.6 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 27.0
debug1: Exit status 0

More information about the Kerberos mailing list