Ssh trouble with forwarding

Matthijs Mohlmann matthijs at active2.homelinux.org
Mon Sep 1 14:25:30 EDT 2003


Hey,

I have trouble with ssh and forwarding.

First I get a ticket from my KerberosV server, with the following
command:
matthijs@Server:~$ kinit
Password for matthijs@ACTIVE2.HOMELINUX.ORG:
matthijs@Server:~$

Then I check to see if I have a forwardable ticket:
matthijs@Server:~$ klist -5 -f
Default principal: matthijs@ACTIVE2.HOMELINUX.ORG

Valid starting     Expires            Service principal
09/01/03 20:05:06  09/02/03 06:05:05  krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG
        Flags: FPIA
matthijs@Server:~$

This looks okay.

Now when I try to log in to my ssh service with the following command:
matthijs@Server:~$ ssh -A -K active2.active2.homelinux.org
Password:

I don't want that password prompt. My ticket is enough to authenticate
me.

When I now do some debugging:
Active2:~# ssh -d -f /etc/ssh/sshd_config
17612: debug1: sshd version OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody1
17612: debug1: read PEM private key done: type RSA
17612: debug1: private host key: #0 type 1 RSA
17612: debug1: read PEM private key done: type DSA
17612: debug1: private host key: #1 type 2 DSA
17612: debug1: Bind to port 22 on 0.0.0.0.
17612: Server listening on 0.0.0.0 port 22.
17612: debug1: Server will not fork when running in debugging mode.
17612: Connection from 192.168.0.7 port 2408
17612: debug1: Client protocol version 2.0; client software version
OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-1 Debian_krb5 3.6.1p2-1 Debian_krb5
3.6.1p2-1
17612: debug1: match: OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-1 Debian_krb5
3.6.1p2-1 Debian_krb5 3.6.1p2-1 pat OpenSSH*
17612: Enabling compatibility mode for protocol 2.0
17612: debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian_krb5
3.4p1-0woody1
17612: debug1: list_hostkey_types: ssh-rsa,ssh-dss
17612: debug1: Miscellaneous failure
17612: debug1: No principal in keytab matches desired name

What does this mean? I have a
host/active2.active2.homelinux.org@ACTIVE2.HOMELINUX.ORG in my
/etc/krb5.keytab on the ssh-server. I also have an ssh service key in my
keytab (ssh/active2.active2.homelinux.org@ACTIVE2.HOMELINUX.ORG).

This is my output of klist -keK:
Active2:~# klist -keK
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/active2.active2.homelinux.org@ACTIVE2.HOMELINUX.ORG (DES cbc mode with CRC-32)  (0x1fb95d85672ce037)
   5 ssh/active2.active2.homelinux.org@ACTIVE2.HOMELINUX.ORG (DES cbc mode with CRC-32)  (0xf1fb617a1acb4549)
   7 host/active2.active2.homelinux.org@ACTIVE2.HOMELINUX.ORG (Triple DES cbc mode with HMAC/sha1)  (0xef91a2327aa7bcfdd694c431861361d534c8e646a7a808b0)
   5 ssh/active2.active2.homelinux.org@ACTIVE2.HOMELINUX.ORG (Triple DES cbc mode with HMAC/sha1)  (0xb5bc7367fb7f0d9e52f75801fe1ab3e3fd29dc0bc11a57f7)
Active2:~#

17612: debug1: SSH2_MSG_KEXINIT sent
17612: debug1: SSH2_MSG_KEXINIT received
17612: debug1: kex: client->server aes128-cbc hmac-md5 none
17612: debug1: kex: server->client aes128-cbc hmac-md5 none
17612: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
17612: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
17612: debug1: dh_gen_key: priv key bits set: 133/256
17612: debug1: bits set: 1588/3191
17612: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
17612: debug1: bits set: 1612/3191
17612: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
17612: debug1: kex_derive_keys
17612: debug1: newkeys: mode 1
17612: debug1: SSH2_MSG_NEWKEYS sent
17612: debug1: waiting for SSH2_MSG_NEWKEYS
17612: debug1: newkeys: mode 0
17612: debug1: SSH2_MSG_NEWKEYS received
17612: debug1: KEX done
17612: debug1: userauth-request for user matthijs service ssh-connection
method none
17612: debug1: attempt 0 failures 0
17612: debug1: Starting up PAM with username "matthijs"
17612: debug1: PAM setting rhost to "server.active2.homelinux.org"
17612: Failed none for matthijs from 192.168.0.7 port 2408 ssh2
17612: debug1: userauth-request for user matthijs service ssh-connection
method external-keyx
17612: debug1: attempt 1 failures 1
17612: debug1: No suitable client data
17612: Failed external-keyx for matthijs from 192.168.0.7 port 2408 ssh2
17612: debug1: userauth-request for user matthijs service ssh-connection
method gssapi
17612: debug1: attempt 2 failures 2
17612: debug1: Miscellaneous failure
17612: debug1: No principal in keytab matches desired name
17612: Failed gssapi for matthijs from 192.168.0.7 port 2408 ssh2
17612: debug1: userauth-request for user matthijs service ssh-connection
method gssapi
17612: debug1: attempt 3 failures 3
17612: Failed gssapi for matthijs from 192.168.0.7 port 2408 ssh2
17612: debug1: userauth-request for user matthijs service ssh-connection
method keyboard-interactive
17612: debug1: attempt 4 failures 4
17612: debug1: keyboard-interactive devs
17612: debug1: auth2_challenge: user=matthijs devs=
17612: debug1: kbdint_alloc: devices ''
17612: Connection closed by 192.168.0.7
17612: debug1: Calling cleanup 0x8054b88(0x0)
17612: debug1: Calling cleanup 0x806ee3c(0x0)
Active2:~#

And on the client the following:
matthijs@Server:~$ ssh -A -K -v active2.active2.homelinux.org
OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-1 Debian_krb5 3.6.1p2-1 Debian_krb5
3.6.1p2-1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: Connecting to active2.active2.homelinux.org [192.168.0.2] port
22.
debug1: Connection established.
debug1: identity file /home/users/matthijs/.ssh/identity type -1
debug1: identity file /home/users/matthijs/.ssh/id_rsa type -1
debug1: identity file /home/users/matthijs/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody1
debug1: match: OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody1 pat
OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian_krb5
3.6.1p2-1 Debian_krb5 3.6.1p2-1 Debian_krb5 3.6.1p2-1
debug1: Mechanism encoded as toWM5Slw5Ew8Mqkay+al2g==
debug1: Mechanism encoded as A/vxljAEU54gt9a48EiANQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'active2.active2.homelinux.org' is known and matches the
RSA host key.
debug1: Found key in /home/users/matthijs/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: external-keyx
debug1: Authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: gssapi
debug1: Authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: Authentications that can continue:
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/users/matthijs/.ssh/identity
debug1: Trying private key: /home/users/matthijs/.ssh/id_rsa
debug1: Trying private key: /home/users/matthijs/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
 
matthijs@Server:~$

I am using protocol 2 of the ssh version.

I am a little confused about this. I've now searched for two whole days and
I couldn't find it. It used to work.

I think this is enough log :)

You can get more information if you need.
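
An added example, not part of the original post: a small triage script for `sshd -d` output in the format shown above. It pairs each failed authentication method with the debug messages logged during that attempt and rejoins mail-wrapped log lines. The sample log is constructed from the lines in the post, and the function names are assumptions.

```python
import re

# Constructed sample in the format shown in the post (one log line left mail-wrapped).
SSHD_LOG = """\
17612: debug1: userauth-request for user matthijs service ssh-connection method none
17612: debug1: attempt 0 failures 0
17612: Failed none for matthijs from 192.168.0.7 port 2408 ssh2
17612: debug1: userauth-request for user matthijs service ssh-connection
method gssapi
17612: debug1: attempt 2 failures 2
17612: debug1: Miscellaneous failure
17612: debug1: No principal in keytab matches desired name
17612: Failed gssapi for matthijs from 192.168.0.7 port 2408 ssh2
"""
REQ = re.compile(r"userauth-request for user \S+ service \S+ method \S+")
FAIL = re.compile(r"Failed (\S+) for (\S+) from (\S+) port \d+")
NOISE = re.compile(r"attempt \d+ failures \d+$")

def unwrap(text):
    """Rejoin wrapped lines: a line without a 'PID: ' prefix continues the previous one."""
    out = []
    for line in text.splitlines():
        if re.match(r"\d+: ", line) or not out:
            out.append(line.strip())
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def failed_attempts(text):
    """Return (method, user, source, debug messages logged during that attempt)."""
    results, current = [], []
    for line in unwrap(text):
        msg = re.sub(r"^\d+: (debug\d+: )?", "", line)  # drop PID and debug level
        failed = FAIL.match(msg)
        if REQ.match(msg):
            current = []                      # a new attempt starts
        elif failed:
            results.append((*failed.groups(), current))
            current = []
        elif not NOISE.match(msg):
            current.append(msg)               # detail belonging to this attempt
    return results

if __name__ == "__main__":
    for method, user, source, msgs in failed_attempts(SSHD_LOG):
        print(f"{method:8} {user}@{source}: {'; '.join(msgs) or '(no detail logged)'}")
```
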


