SSH as root with different principal SOLVED

Lukas Kubin kubin at opf.slu.cz
Thu Jul 31 09:31:22 EDT 2003


Thanks to everybody who helped me to solve it. The only thing I didn't
understand at first was that I had to add the host principal's key of the
server I wanted to connect to, to /etc/krb5.keytab on that server.
What helped me most was to run the sshd daemon with the highest debug
level (i.e. the -ddd parameter).
Thank you again.

lukas

On Thu, 31 Jul 2003, Lukas Kubin wrote:

> On Thu, 31 Jul 2003, Vladimir Terziev wrote:
>
> >
> >   Your ssh client has not even tried to use Kerberos. I have the following questions:
> >
> > 1. Did you make `kinit' before ssh? You have to get a ticket before trying kerberized ssh.
>
> Yes, I did.
>
> > 2. Would you supply the result from "ldd `which ssh`" ?
>
> libresolv.so.2 => /lib/libresolv.so.2 (0x4001b000)
> libkrb4.so.2 => /usr/lib/libkrb4.so.2 (0x4002c000)
> libutil.so.1 => /lib/libutil.so.1 (0x40048000)
> libz.so.1 => /usr/lib/libz.so.1 (0x4004b000)
> libnsl.so.1 => /lib/libnsl.so.1 (0x40058000)
> libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x4006b000)
> libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x4015c000)
> libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x4016e000)
> libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x401cc000)
> libcom_err.so.2 => /lib/libcom_err.so.2 (0x401ec000)
> libc.so.6 => /lib/libc.so.6 (0x401ef000)
> libdes425.so.3 => /usr/lib/libdes425.so.3 (0x402ff000)
> libdl.so.2 => /lib/libdl.so.2 (0x40303000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>
> Thanks.
>
> lukas
>
> >
> > 	Vlady
> >
> >
> > On Thu, 31 Jul 2003 11:33:42 +0200 (CEST)
> > Lukas Kubin <kubin at opf.slu.cz> wrote:
> >
> > > On Thu, 31 Jul 2003, Vladimir Terziev wrote:
> > >
> > > >
> > > >   Please supply the full debug output from `ssh -v' and I'll try to figure out the problem.
> > > >
> > > >
> > > > 	Vlady
> > >
> > > OK, thank you. The output follows:
> > >
> > > OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-1 Debian_krb5 3.6.1p2-1 Debian_krb5
> > > 3.6.1p2-1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
> > > debug1: Reading configuration data /etc/ssh/ssh_config
> > > debug1: Rhosts Authentication disabled, originating port will not be
> > > trusted.
> > > debug1: Connecting to <deleted> [<deleted>] port 22.
> > > debug1: Connection established.
> > > debug1: identity file /home/lukas/.ssh/identity type -1
> > > debug1: identity file /home/lukas/.ssh/id_rsa type 1
> > > debug1: identity file /home/lukas/.ssh/id_dsa type -1
> > > debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1
> > > Debian_krb5 3.4p1-0woody1
> > > debug1: match: OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody1 pat
> > > OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*
> > > debug1: Enabling compatibility mode for protocol 2.0
> > > debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-1
> > > Debian_krb5 3.6.1p2-1 Debian_krb5 3.6.1p2-1
> > > debug1: Mechanism encoded as toWM5Slw5Ew8Mqkay+al2g==
> > > debug1: Mechanism encoded as A/vxljAEU54gt9a48EiANQ==
> > > debug1: SSH2_MSG_KEXINIT sent
> > > debug1: SSH2_MSG_KEXINIT received
> > > debug1: kex: server->client aes128-cbc hmac-md5 none
> > > debug1: kex: client->server aes128-cbc hmac-md5 none
> > > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> > > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > > debug1: Host '<deleted>' is known and matches the RSA host key.
> > > debug1: Found key in /home/lukas/.ssh/known_hosts:19
> > > debug1: ssh_rsa_verify: signature correct
> > > debug1: SSH2_MSG_NEWKEYS sent
> > > debug1: expecting SSH2_MSG_NEWKEYS
> > > debug1: SSH2_MSG_NEWKEYS received
> > > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > debug1: Next authentication method: external-keyx
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > debug1: Next authentication method: gssapi
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > debug1: Next authentication method: publickey
> > > debug1: Trying private key: /home/lukas/.ssh/identity
> > > debug1: Offering public key: /home/lukas/.ssh/id_rsa
> > > debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x808bb28 hint
> > > 1
> > > debug1: PEM_read_PrivateKey failed
> > > debug1: read PEM private key done: type <unknown>
> > > Enter passphrase for key '/home/lukas/.ssh/id_rsa':
> > > debug1: Trying private key: /home/lukas/.ssh/id_dsa
> > > debug1: Next authentication method: keyboard-interactive
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > debug1: Next authentication method: password
> > > root@<deleted>'s password:
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > Permission denied, please try again.
> > > root@<deleted>'s password:
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > Permission denied, please try again.
> > > root@<deleted>'s password:
> > > Received disconnect from <deleted>: 2: Too many authentication failures
> > > for root
> > > debug1: Calling cleanup 0x8061400(0x0)
> > >
> > >
> > > >
> > > > On Thu, 31 Jul 2003 09:37:29 +0200 (CEST)
> > > > Lukas Kubin <kubin at opf.slu.cz> wrote:
> > > >
> > > > > I tried it but it didn't work. I have
> > > > >
> > > > > 1. created a .k5login file in root's home on the remote server and put
> > > > > myrealusernam@MYREALM there
> > > > > 2. used the command "ssh -v root@theremoteserver"
> > > > >
> > > > > But the server still wants me to authenticate using public key or password
> > > > > only. This is part of what it returned with the "-v" option:
> > > > >
> > > > > ==========
> > > > > debug1: Authentications that can continue:
> > > > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > > > debug1: Next authentication method: external-keyx
> > > > > debug1: Authentications that can continue:
> > > > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > > > debug1: Next authentication method: gssapi
> > > > > debug1: Authentications that can continue:
> > > > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > > > debug1: Authentications that can continue:
> > > > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > > > debug1: Next authentication method: publickey
> > > > > ==========
> > > > >
> > > > > Both server and client are Debian Linux with kerberized OpenSSH (from the
> > > > > supplied package).
> > > > > What should I try next to make it work?
> > > > > Thank you.
> > > > >
> > > > > lukas
> > > > >
> > > > > On Wed, 30 Jul 2003, Steve Langasek wrote:
> > > > >
> > > > > > On Wed, Jul 30, 2003 at 04:00:28PM +0200, Lukas Kubin wrote:
> > > > > >
> > > > > > > How can I login through SSH to administer a remote server? I mean, I have
> > > > > > > a principal, say "user" and need to authenticate using kerberized SSH to
> > > > > > > become root on the remote server.
> > > > > > > Thank you.
> > > > > >
> > > > > > If using gssapi or krb5 authentication, you would add that principal to
> > > > > > root's .k5login file; acquire a TGT for that user; and run
> > > > > > 'ssh root@server' or 'ssh -l root server'.  This will grant you
> > > > > > Kerberos-based access to the root account.
> > > > > >
> > > > > > --
> > > > > > Steve Langasek
> > > > > > postmodern programmer
> > > > > >
> > > > > >
> > > > >
> > > > > --
> > > > > Lukas Kubin
> > > > >
> > > > > phone: +420596398285
> > > > > email: kubin at opf.slu.cz
> > > > >
> > > > > Information centre
> > > > > The School of Business Administration in Karvina
> > > > > Silesian University in Opava
> > > > > Czech Republic
> > > > > http://www.opf.slu.cz
> > > > >
> > > > >
> > > > > ________________________________________________
> > > > > Kerberos mailing list           Kerberos at mit.edu
> > > > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
>

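The setup the thread converged on (a .k5login entry for root, the server's host principal in /etc/krb5.keytab, a TGT on the client before ssh) can be sanity-checked before reaching for `sshd -ddd`; the script below is an added example, not code from the thread or from the Debian packages, and the host, realm and principal names as well as the sample klist and ssh -v output are constructed assumptions.

```sh
# Added example, not code from the thread: pre-flight checks for the pieces the
# thread found necessary before `ssh -l root server` authenticates via GSSAPI:
#   1. root's .k5login on the server lists the user principal
#   2. /etc/krb5.keytab on the server holds host/<fqdn>@REALM (see `klist -k`)
#   3. the client holds a TGT (`kinit`) before ssh. Names are placeholders; sample data is constructed.

# 1. Does the .k5login file $1 authorise principal $2? (exact whole-line match)
k5login_allows() {
    grep -qxF -e "$2" "$1"
}

# 2. Does `klist -k` output saved in $1 list the host principal host/$2@$3?
#    Field 2 of every entry line is the principal, so header lines never match.
keytab_has_host() {
    awk -v p="host/$2@$3" '$2 == p { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Triage helper: which methods did `ssh -v` (stderr saved in $1) actually try, in
# order? In the thread gssapi is tried and silently passed over before publickey.
methods_tried() {
    sed -n 's/^debug1: Next authentication method: //p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Write constructed sample inputs to a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    printf 'user@EXAMPLE.COM\n' > "$dir/k5login"
    cat > "$dir/klist_k.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
EOF
    cat > "$dir/ssh_v.txt" <<'EOF'
debug1: Authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: external-keyx
debug1: Next authentication method: gssapi
debug1: Authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
EOF
    printf '%s\n' "$dir"
}

# Live use on a real client/server pair would look like this (not run here):
#   klist -s || kinit user@EXAMPLE.COM                          # client: TGT first
#   klist -k /etc/krb5.keytab > /tmp/kt.txt                    # server: list keytab
#   keytab_has_host /tmp/kt.txt "$(hostname -f)" EXAMPLE.COM && k5login_allows /root/.k5login user@EXAMPLE.COM
#   ssh -v -l root server.example.com 2> /tmp/ssh_v.txt; methods_tried /tmp/ssh_v.txt
```

The host principal must match the name the client resolves for the server (the `hostname -f` form), which is why a keytab entry under a short or alias name leaves gssapi being skipped exactly as in the thread's log.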



