OpenSSH with w2k kerberos (login problems)

Marc syn_uw at NOSPAM_hotmail.com
Wed Jan 15 11:29:15 EST 2003


Hello,

I have just installed the latest Debian release 3.0r1 for i386 and 
installed all the required Kerberos packages from Debian. I have also 
replaced the normal ssh package with Debian's ssh-krb5 package, 
whose version string actually is: "OpenSSH_3.4p1 Debian_krb5 
3.4p1-0woody1".

The reason for using ssh-krb5 is that our users are authenticated 
by a Windows 2000 domain controller running Kerberos. The entries in 
/etc/passwd and /etc/group are available, but the user simply doesn't 
have a password, as it's stored in the Windows Active Directory.

SSHing to the Debian box from another Kerberos-enabled box works fine as 
long as the user issued a "kinit" before using ssh. If the user didn't 
do any kinit before and then attempts to use ssh to log in to the Debian 
box, it will NOT work, and that's the problem. I would like this to work 
even if the user didn't do a kinit before, because, for example, a user 
logging in using PuTTY from a Windows box won't be able to do a kinit.

Here is the output of the SSH daemon when a user tries to log in without 
having issued a kinit before:

451: debug1: sshd version OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody1
451: debug1: read PEM private key done: type RSA
451: debug1: private host key: #0 type 1 RSA
451: debug1: read PEM private key done: type DSA
451: debug1: private host key: #1 type 2 DSA
451: debug1: Bind to port 999 on 0.0.0.0.
451: Server listening on 0.0.0.0 port 999.
451: debug1: Server will not fork when running in debugging mode.
451: Connection from 192.168.23.245 port 54996
451: debug1: Client protocol version 2.0; client software version OpenSSH_3.1p1
451: debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
451: Enabling compatibility mode for protocol 2.0
451: debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody1
452: debug1: list_hostkey_types: ssh-rsa,ssh-dss
452: debug1: SSH2_MSG_KEXINIT sent
452: debug1: SSH2_MSG_KEXINIT received
452: debug1: kex: client->server aes128-cbc hmac-md5 none
452: debug1: kex: server->client aes128-cbc hmac-md5 none
452: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
452: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
452: debug1: dh_gen_key: priv key bits set: 114/256
452: debug1: bits set: 1640/3191
452: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
452: debug1: bits set: 1569/3191
452: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
452: debug1: kex_derive_keys
452: debug1: newkeys: mode 1
452: debug1: SSH2_MSG_NEWKEYS sent
452: debug1: waiting for SSH2_MSG_NEWKEYS
452: debug1: newkeys: mode 0
452: debug1: SSH2_MSG_NEWKEYS received
452: debug1: KEX done
452: debug1: userauth-request for user username service ssh-connection method none
452: debug1: attempt 0 failures 0
451: debug1: Starting up PAM with username "username"
451: debug1: PAM setting rhost to "hostname.domain.tld"
451: Failed none for username from 192.168.23.245 port 54996 ssh2
452: Failed none for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method external-keyx
452: debug1: attempt 1 failures 1
451: debug1: No suitable client data
451: Failed gssapi for username from 192.168.23.245 port 54996 ssh2
452: Failed external-keyx for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method gssapi
452: debug1: attempt 2 failures 2
452: Postponed gssapi for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method keyboard-interactive
452: debug1: attempt 3 failures 2
452: debug1: keyboard-interactive devs
452: debug1: auth2_challenge: user=username devs=
452: debug1: kbdint_alloc: devices ''
452: Failed keyboard-interactive for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method password
452: debug1: attempt 4 failures 3
451: debug1: PAM Password authentication for "username" failed[7]: Authentication failure
451: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Failed password for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method password
452: debug1: attempt 5 failures 4
451: debug1: PAM Password authentication for "username" failed[7]: Authentication failure
451: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Failed password for username from 192.168.23.245 port 54996 ssh2
452: debug1: userauth-request for user username service ssh-connection method password
452: debug1: attempt 6 failures 5
451: debug1: PAM Password authentication for "username" failed[11]: Have exhasted maximum number of retries for service.
451: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Connection closed by 192.168.23.245
452: debug1: Calling cleanup 0x806ee3c(0x0)
451: debug1: Calling cleanup 0x8054b88(0x0)
451: debug1: Calling cleanup 0x806ee3c(0x0)


Does someone have any idea? Or can someone help, please?

Many thanks !!

Regards
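For reading traces like the one above, here is an added example (my own, not code from the original post or from OpenSSH) that parses the auth-method lines and the PAM diagnostics of "sshd -d" output into one attempt sequence per client, collapsing the duplicate lines that the privsep monitor and child both log. The sample lines are constructed in the shape of the post's output.

```python
import re

# Constructed sample in the shape of the "sshd -d" output quoted in the post; PIDs 451 and
# 452 are the privsep monitor and child, which both log the same password failure.
SAMPLE_LOG = """\
452: Failed none for username from 192.168.23.245 port 54996 ssh2
452: Failed external-keyx for username from 192.168.23.245 port 54996 ssh2
451: debug1: No suitable client data
452: Postponed gssapi for username from 192.168.23.245 port 54996 ssh2
452: Failed keyboard-interactive for username from 192.168.23.245 port 54996 ssh2
451: debug1: PAM Password authentication for "username" failed[7]: Authentication failure
451: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Failed password for username from 192.168.23.245 port 54996 ssh2
451: debug1: PAM Password authentication for "username" failed[11]: Have exhasted maximum number of retries for service.
451: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Failed password for username from 192.168.23.245 port 54996 ssh2
452: Connection closed by 192.168.23.245
"""

AUTH_RE = re.compile(r"^(\d+): (Failed|Postponed|Accepted) (\S+) for (\S+) from (\S+) port (\d+) ssh2$")
PAM_RE = re.compile(r'^\d+: debug1: PAM Password authentication for "\S+" failed\[(\d+)\]: (.*)$')

def summarize_auth(log_text):
    """Map (user, ip, port) -> ordered (method, outcome, pam_error) attempts; pam_error is
    the (code, message) sshd logged just before a password attempt, else None."""
    sessions = {}
    pending_pam = None
    for line in log_text.splitlines():
        m = PAM_RE.match(line)
        if m:
            pending_pam = (int(m.group(1)), m.group(2).strip())
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue
        _pid, outcome, method, user, host, port = m.groups()
        attempts = sessions.setdefault((user, host, port), [])
        # Monitor and child each log the failure once: a repeat of the last (method, outcome)
        # with no new PAM diagnostic in between is the same attempt seen from the other process.
        if pending_pam is None and attempts and attempts[-1][:2] == (method, outcome):
            continue
        attempts.append((method, outcome, pending_pam))
        pending_pam = None
    return sessions

def methods_tried(attempts):
    """Distinct auth methods in the order the client offered them."""
    return list(dict.fromkeys(m for m, _, _ in attempts))
```

On the quoted trace this yields a single password attempt per PAM diagnostic, which makes it plain that the gssapi step was only postponed and that every password attempt ended in a PAM failure rather than an sshd one.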
