SSH with Kerberos 5 GSSAPI
Someone
please at nospam.net
Fri Mar 22 07:26:47 EST 2002
Srinivas Cheruku wrote:
> from the log
> debug1: Miscellaneous failure
> debug1: Server not found in Kerberos database
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
>
> "Server not found in the Kerberos Database".
> Did you create the service principal for the host and extract it to the
> keytable on that host?
>
> while connecting using ssh give the fqdn of the hostname
> $ssh hostname.domain
>
> It should work. Still, if it doesn't work then check the KDC log and see
> which service principal it is trying to look at.
Ok, so my problem is on the server somehow, as it looks. For the
principals, the only principal that I created is the host principal
(host/hostname.domain.com at REALM). Do I need anything else for principals
then?
On the KDC (unfortunately a Win2k AD KDC) I don't see anything special
except pre-authentication failed (next message in this newsgroup). I
know it's crazy using Microsoft as KDC but we have to do it like that ;(
Thanks for all your help.
>
> -----Original Message-----
> From: Someone [mailto:please at nospam.net]
> Sent: Friday, March 22, 2002 5:14 PM
> To: kerberos at mit.edu
> Subject: Re: SSH with Kerberos 5 GSSAPI
>
>
> Srinivas Cheruku wrote:
>
>
>>Default configuration should work properly. Otherwise you can add the below
>>lines in your sshd configuration file
>>
>>GssapiAuthentication yes
>>GssapiKeyExchange yes
>>GssapiUseSessionCredCache yes
>>
>>Also start the client session in the verbose mode and see what is happening
>>by giving
>>$ ssh -v hostname
>>
>>Also you can check on the KDC log whether it has issued a forwarded TGT.
>
> I have added those lines to sshd_config but it didn't help, here is the
> output of the ssh client:
>
> > ssh -v hostname
> OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Seeding random number generator
> debug1: Rhosts Authentication disabled, originating port will not be
> trusted.
> debug1: restore_uid
> debug1: ssh_connect: getuid XXXX geteuid 0 anon 1
> debug1: Connecting to tonostix [X.X.X.X] port 22.
> debug1: temporarily_use_uid: XXXX/XXXX (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: XXXX/XXXX (e=0)
> debug1: restore_uid
> debug1: Connection established.
> debug1: read PEM private key done: type DSA
> debug1: read PEM private key done: type RSA
> debug1: identity file /home/username/.ssh/identity type -1
> debug1: identity file /home/username/.ssh/id_rsa type -1
> debug1: identity file /home/username/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version
> OpenSSH_3.0.2p1
> debug1: match: OpenSSH_3.0.2p1 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
> debug1: Miscellaneous failure
> debug1: Server not found in Kerberos database
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: dh_gen_key: priv key bits set: 133/256
> debug1: bits set: 1558/3191
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'hostname' is known and matches the RSA host key.
> debug1: Found key in /home/username/.ssh/known_hosts2:104
> debug1: bits set: 1569/3191
> debug1: ssh_rsa_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue:
> external-keyx,gssapi,publickey,password,keyboard-interactive
> debug1: next auth method to try is external-keyx
> debug1: authentications that can continue:
> external-keyx,gssapi,publickey,password,keyboard-interactive
> debug1: next auth method to try is gssapi
> debug1: authentications that can continue:
> external-keyx,gssapi,publickey,password,keyboard-interactive
> debug1: next auth method to try is publickey
> debug1: try privkey: /home/username/.ssh/identity
> debug1: try privkey: /home/username/.ssh/id_rsa
> debug1: try privkey: /home/username/.ssh/id_dsa
> debug1: next auth method to try is keyboard-interactive
> debug1: authentications that can continue:
> external-keyx,gssapi,publickey,password,keyboard-interactive
> debug1: next auth method to try is password
> username at hostname's password:
> debug1: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
> debug1: ssh-userauth2 successful: method password
> debug1: channel 0: new [client-session]
> debug1: send channel open 0
> debug1: Entering interactive session.
> debug1: ssh_session2_setup: id 0
> debug1: channel request 0: shell
> debug1: channel 0: open confirm rwindow 0 rmax 16384
> Last login: Fri Mar 22 12:38:15 2002 from hostname.domain.com
> Linux 2.4.5.
>
>
> Output of kinit:
>
> > kinit
> Password for username at REALM:
> kinit(v5): No credentials cache found when initializing cache
>
>
> Output of klist:
>
> > klist
> klist: No credentials cache found (ticket cache FILE:)
>
>
> Kerberos 4 ticket cache: /tmp/tktXXXX
> klist: You have no tickets cached
>
>
> Any ideas ?
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
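The reply above boils the "Server not found in Kerberos database" failure down to two checks: the name the client connects with must canonicalize to the FQDN whose host/ principal exists on the KDC, and that principal must have been extracted to the server's keytab. The following is an added example, not code from the thread: it models those checks with a constructed DNS map and a constructed KDC principal set (hostname, domain.com and REALM are the thread's placeholders), and parses a keytab listing in MIT `klist -k` format that is also constructed inline.

```python
import re

# Constructed stand-in for the resolver: name typed on the ssh command line
# -> canonical FQDN. A short name resolves via the search domain; a name
# absent from this map is treated as unresolvable.
CONSTRUCTED_DNS = {
    "hostname": "hostname.domain.com",
    "hostname.domain.com": "hostname.domain.com",
}

# Constructed `klist -k` style listing of the server's /etc/krb5.keytab.
CONSTRUCTED_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.domain.com@REALM
   2 host/hostname.domain.com@REALM
"""


def service_principal(target, realm, dns=CONSTRUCTED_DNS):
    """Return the host/ principal a GSSAPI client asks the KDC for.

    The client canonicalizes the target through the resolver; if the name
    does not resolve, the name is used verbatim (so `ssh oldname` would ask
    for host/oldname@REALM, which the KDC does not know)."""
    fqdn = dns.get(target, target)
    return f"host/{fqdn}@{realm}"


def keytab_principals(listing):
    """Parse the principal column out of `klist -k` output (KVNO, principal)."""
    principals = set()
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def diagnose(target, realm, keytab_listing, kdc_principals, dns=CONSTRUCTED_DNS):
    """Explain the failure in the thread's terms, or return 'ok'."""
    wanted = service_principal(target, realm, dns)
    if wanted not in kdc_principals:
        return f"KDC has no {wanted}: connect with the FQDN or create the principal"
    if wanted not in keytab_principals(keytab_listing):
        return f"{wanted} exists on the KDC but is missing from the host keytab"
    return "ok"
```

On a real host, replace the constructed listing with the output of `klist -k` and the constructed DNS map with `socket.getfqdn()`; the KDC principal set is whatever the KDC administrator created.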