SSH with Kerberos 5 GSSAPI

Srinivas Cheruku csri at sonata-software.com
Fri Mar 22 07:06:07 EST 2002


from the log
debug1: Miscellaneous failure
debug1: Server not found in Kerberos database
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received

"Server not found in the Kerberos Database".
Did you create the service principal for the host and extracted that to the
keytable on that host.

while connecting using ssh give the fqdn of the hostname
$ssh hostname.domain

It should work. Still if it does'nt work then check the KDC log and see
which service principal it is trying to look at.



-----Original Message-----
From: Someone [mailto:please at nospam.net]
Sent: Friday, March 22, 2002 5:14 PM
To: kerberos at mit.edu
Subject: Re: SSH with Kerberos 5 GSSAPI


Srinivas Cheruku wrote:

> Default configuration should work properly. Otherwise you can add the
below
> lines in your sshd configuration file
> 
> GssapiAuthentication yes
> GssapiKeyExchange yes
> GssapiUseSessionCredCache yes
> 
> Also start the client session in the verbose mode and see what is
happening
> by giving
> $ ssh -v hostname
> 
> Also you can check on the KDC log whether it has issued a forwarded TGT.
> 



I have added those lines to sshd_config but it didn't help, here is the 
output of the ssh client:

 > ssh -v hostname
OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be 
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid XXXX geteuid 0 anon 1
debug1: Connecting to tonostix [X.X.X.X] port 22.
debug1: temporarily_use_uid: XXXX/XXXX (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: XXXX/XXXX (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/username/.ssh/identity type -1
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version 
OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
debug1: Miscellaneous failure
debug1: Server not found in Kerberos database
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1558/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'hostname' is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts2:104
debug1: bits set: 1569/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: 
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is external-keyx
debug1: authentications that can continue: 
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is gssapi
debug1: authentications that can continue: 
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/username/.ssh/identity
debug1: try privkey: /home/username/.ssh/id_rsa
debug1: try privkey: /home/username/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: 
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is password
username at hostname's password:
debug1: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Fri Mar 22 12:38:15 2002 from hostname.domain.com
Linux 2.4.5.


Output of kinit:

 > kinit
Password for username at REALM:
kinit(v5): No credentials cache found when initializing cache


Output of klist:

 > klist
klist: No credentials cache found (ticket cache FILE:)


Kerberos 4 ticket cache: /tmp/tktXXXX
klist: You have no tickets cached


Any ideas ?



________________________________________________
Kerberos mailing list           Kerberos at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
*********************************************************************
Disclaimer: The information in this e-mail and any attachments is
confidential / privileged. It is intended solely for the addressee or
addressees. If you are not the addressee indicated in this message, you may
not copy or deliver this message to anyone. In such case, you should destroy
this message and kindly notify the sender by reply email. Please advise
immediately if you or your employer does not consent to Internet email for
messages of this kind.
*********************************************************************



More information about the Kerberos mailing list