OpenSSH, GSSAPI and delegating credentials
Douglas E. Engert
deengert at anl.gov
Tue May 11 09:52:16 EDT 2004
Are the tickets forwardable? kinit -f
or klist -f to see flags.
Eric Knauel wrote:
>
> Hi,
>
> I'm trying to set up OpenSSH 3.8.1p1 for use with GSS and Kerberos 5
> --- and it works almost fine. There are several FreeBSD 5.2 machines
> here that run a sshd with GSSAPIAuthentication turned on. Together
> with GSSAPIAuthentication and GSSAPIDelegateCredentials turned on in
> ssh_config, I can forward my Kerberos 5 ticket and logon to every
> machine without having to provide a password. All the FreeBSD
> machines use Heimdal Kerberos.
>
> However, obtaining a ticket on a FreeBSD machine and forwarding it to
> an OS X machine (v10.3.2) with the same ssh/sshd setup fails. The
> sshd on the OS X machine just sits there forever (in select()). On
> the other hand, I can forward the tickets obtained on an OS X machine
> to a FreeBSD machine without problems.
>
> Here are some debug logs. First, a FreeBSD client (duff) that is
> talking to the OS X machine. Which is exactly the case, where
> forwarding fails:
>
> ,----
> | [knauel at duff ~] klist
> | Credentials cache: FILE:/tmp/krb5cc_Kd1UdA
> | Principal: knauel at INFORMATIK.UNI-TUEBINGEN.DE
> |
> | Issued Expires Principal
> | Apr 29 15:48:59 Apr 30 16:48:59 krbtgt/INFORMATIK.UNI-TUEBINGEN.DE at INFORMATIK.UNI-TUEBINGEN.DE
> | Apr 29 15:48:59 Apr 30 16:48:59 afs at INFORMATIK.UNI-TUEBINGEN.DE
> | [knauel at duff ~] ssh -v -F ~/.ssh/config-gss midgard
> | OpenSSH_3.8.1p1, OpenSSL 0.9.7c 30 Sep 2003
> | debug1: Reading configuration data /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/config-gss
> | debug1: Connecting to midgard [134.2.12.82] port 22.
> | debug1: Connection established.
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/identity type -1
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_rsa type -1
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_dsa type 2
> | debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
> | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
> | debug1: Enabling compatibility mode for protocol 2.0
> | debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
> | debug1: SSH2_MSG_KEXINIT sent
> | debug1: SSH2_MSG_KEXINIT received
> | debug1: kex: server->client aes128-cbc hmac-md5 none
> | debug1: kex: client->server aes128-cbc hmac-md5 none
> | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> | debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> | debug1: Host 'midgard' is known and matches the RSA host key.
> | debug1: Found key in /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/known_hosts:191
> | debug1: ssh_rsa_verify: signature correct
> | debug1: SSH2_MSG_NEWKEYS sent
> | debug1: expecting SSH2_MSG_NEWKEYS
> | debug1: SSH2_MSG_NEWKEYS received
> | debug1: SSH2_MSG_SERVICE_REQUEST sent
> | debug1: SSH2_MSG_SERVICE_ACCEPT received
> | debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
> | debug1: Next authentication method: gssapi-with-mic
> | debug1: Delegating credentials
> | [ Ends here, hangs forever ]
> `----
>
> The OS X machine on the other side says:
>
> ,----
> | %/usr/openssh/sbin/sshd -d -d
> | debug2: read_server_config: filename /etc/openssh/sshd_config
> | debug1: sshd version OpenSSH_3.8.1p1
> | debug1: read PEM private key done: type RSA
> | debug1: private host key: #0 type 1 RSA
> | debug1: read PEM private key done: type DSA
> | debug1: private host key: #1 type 2 DSA
> | debug1: Bind to port 22 on ::.
> | debug1: Bind to port 22 on 0.0.0.0.
> | Server listening on 0.0.0.0 port 22.
> | debug1: Server will not fork when running in debugging mode.
> | Connection from 134.2.12.76 port 49992
> | debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
> | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
> | debug1: Enabling compatibility mode for protocol 2.0
> | debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
> | debug2: Network child is on pid 15624
> | debug1: permanently_set_uid: 75/75
> | debug1: list_hostkey_types: ssh-rsa,ssh-dss
> | debug1: SSH2_MSG_KEXINIT sent
> | debug1: SSH2_MSG_KEXINIT received
> | debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> | debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> | debug2: kex_parse_kexinit: none,zlib
> | debug2: kex_parse_kexinit: none,zlib
> | debug2: kex_parse_kexinit:
> | debug2: kex_parse_kexinit:
> | debug2: kex_parse_kexinit: first_kex_follows 0
> | debug2: kex_parse_kexinit: reserved 0
> | debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> | debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> | debug2: kex_parse_kexinit: none,zlib
> | debug2: kex_parse_kexinit: none,zlib
> | debug2: kex_parse_kexinit:
> | debug2: kex_parse_kexinit:
> | debug2: kex_parse_kexinit: first_kex_follows 0
> | debug2: kex_parse_kexinit: reserved 0
> | debug2: mac_init: found hmac-md5
> | debug1: kex: client->server aes128-cbc hmac-md5 none
> | debug2: mac_init: found hmac-md5
> | debug1: kex: server->client aes128-cbc hmac-md5 none
> | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> | debug2: monitor_read: 0 used once, disabling now
> | debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> | debug2: dh_gen_key: priv key bits set: 122/256
> | debug2: bits set: 512/1024
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> | debug2: bits set: 517/1024
> | debug2: monitor_read: 4 used once, disabling now
> | debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> | debug2: kex_derive_keys
> | debug2: set_newkeys: mode 1
> | debug1: SSH2_MSG_NEWKEYS sent
> | debug1: expecting SSH2_MSG_NEWKEYS
> | debug2: set_newkeys: mode 0
> | debug1: SSH2_MSG_NEWKEYS received
> | debug1: KEX done
> | debug1: userauth-request for user knauel service ssh-connection method none
> | debug1: attempt 0 failures 0
> | debug2: monitor_read: 6 used once, disabling now
> | debug2: input_userauth_request: setting up authctxt for knauel
> | debug2: input_userauth_request: try method none
> | debug2: monitor_read: 3 used once, disabling now
> | Failed none for knauel from 134.2.12.76 port 49992 ssh2
> | Failed none for knauel from 134.2.12.76 port 49992 ssh2
> | debug1: userauth-request for user knauel service ssh-connection method gssapi-with-mic
> | debug1: attempt 1 failures 1
> | debug2: input_userauth_request: try method gssapi-with-mic
> | Postponed gssapi-with-mic for knauel from 134.2.12.76 port 49992 ssh2
> | debug1: Got no client credentials
> | [ Ends here, hangs forever ]
> `----
>
> Here, it's claiming that sshd has received no credentials, which is
> what I don't understand.
>
> When I ssh from the OS X machine midgard (which uses MIT Kerberos +
> krbafs 1.2) to itself, delegating credentials seems to work fine:
>
> ,----
> | [...]
> | debug1: userauth-request for user knauel service ssh-connection method none
> | debug1: attempt 0 failures 0
> | debug2: monitor_read: 6 used once, disabling now
> | debug2: input_userauth_request: setting up authctxt for knauel
> | debug2: input_userauth_request: try method none
> | debug2: monitor_read: 3 used once, disabling now
> | Failed none for knauel from 134.2.12.82 port 52578 ssh2
> | Failed none for knauel from 134.2.12.82 port 52578 ssh2
> | debug1: userauth-request for user knauel service ssh-connection method gssapi-with-mic
> | debug1: attempt 1 failures 1
> | debug2: input_userauth_request: try method gssapi-with-mic
> | Postponed gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
> | debug1: Received some client credentials
> | Authorized to knauel, krb5 principal knauel at INFORMATIK.UNI-TUEBINGEN.DE (krb5_kuserok)
> | Accepted gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
> | debug1: monitor_child_preauth: knauel has been authenticated by privileged process
> | Accepted gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
> | debug2: mac_init: found hmac-md5
> | debug2: mac_init: found hmac-md5
> | debug2: User child is on pid 15835
> | debug1: permanently_set_uid: 5324/3010
> | debug2: set_newkeys: mode 0
> | debug2: set_newkeys: mode 1
> | debug1: Entering interactive session for SSH2.
> | [...]
> `----
>
> The other end:
>
> ,----
> | [knauel at midgard ~] klist -f
> | Kerberos 5 ticket cache: 'API:Initial default ccache'
> | Default Principal: knauel at INFORMATIK.UNI-TUEBINGEN.DE
> | Valid Starting Expires Service Principal
> | 04/29/04 15:47:46 04/30/04 01:47:46 krbtgt/INFORMATIK.UNI-TUEBINGEN.DE at INFORMATIK.UNI-TUEBINGEN.DE
> | renew until 05/06/04 15:47:46, FPRI
> | 04/29/04 15:47:56 04/30/04 01:47:46 afs at INFORMATIK.UNI-TUEBINGEN.DE
> | renew until 05/06/04 15:47:46, FPRT
> | 04/29/04 15:48:05 04/30/04 01:47:46 host/duff.informatik.uni-tuebingen.de at INFORMATIK.UNI-TUEBINGEN.DE
> | renew until 05/06/04 15:47:46, FPRT
> |
> | [knauel at midgard ~] ssh -v midgard
> | OpenSSH_3.8.1p1, OpenSSL 0.9.7b 10 Apr 2003
> | debug1: Reading configuration data /etc/openssh/ssh_config
> | debug1: Connecting to midgard [134.2.12.82] port 22.
> | debug1: Connection established.
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/identity type 0
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_rsa type -1
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_dsa type 2
> | debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
> | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
> | debug1: Enabling compatibility mode for protocol 2.0
> | debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
> | debug1: SSH2_MSG_KEXINIT sent
> | debug1: SSH2_MSG_KEXINIT received
> | debug1: kex: server->client aes128-cbc hmac-md5 none
> | debug1: kex: client->server aes128-cbc hmac-md5 none
> | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> | debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> | debug1: Host 'midgard' is known and matches the RSA host key.
> | debug1: Found key in /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/known_hosts:191
> | debug1: ssh_rsa_verify: signature correct
> | debug1: SSH2_MSG_NEWKEYS sent
> | debug1: expecting SSH2_MSG_NEWKEYS
> | debug1: SSH2_MSG_NEWKEYS received
> | debug1: SSH2_MSG_SERVICE_REQUEST sent
> | debug1: SSH2_MSG_SERVICE_ACCEPT received
> | debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
> | debug1: Next authentication method: gssapi-with-mic
> | debug1: Delegating credentials
> | debug1: Delegating credentials
> | debug1: Authentication succeeded (gssapi-with-mic).
> | debug1: channel 0: new [client-session]
> | debug1: Entering interactive session.
> `----
>
> Any ideas why this is not working?
>
> -Eric
> --
> "Excuse me --- Di Du Du Duuuuh Di Dii --- Huh Weeeheeee" (Albert King)
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
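The check Engert suggests, scripted as an added example (not code from the thread): it reads `klist -f` output and reports whether the krbtgt entry carries the F (forwardable) flag, which is what the client needs before "Delegating credentials" can hand sshd anything. It assumes the MIT klist layout shown in the thread (flag letters after the comma on the "renew until" continuation line) and also accepts the later MIT form with a "Flags:" prefix; Heimdal's klist layout is not handled, and the sample caches and principals below are constructed.

```shell
#!/bin/sh
# Added example: check the forwardable (F) flag on the krbtgt entry of
# MIT-style `klist -f` output. Exit 0 = forwardable, 1 = not, 2 = no TGT.

# Constructed sample in the 2004-era MIT klist -f layout (flags after the
# comma on the continuation line). Principals and times are made up.
SAMPLE_FORWARDABLE='Default Principal: user@EXAMPLE.ORG
Valid Starting     Expires            Service Principal
04/29/04 15:47:46  04/30/04 01:47:46  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 05/06/04 15:47:46, FPRI
04/29/04 15:47:56  04/30/04 01:47:46  afs@EXAMPLE.ORG
        renew until 05/06/04 15:47:46, FPRT'

# Same cache obtained without kinit -f: the F letter is missing.
SAMPLE_NOT_FORWARDABLE='Default Principal: user@EXAMPLE.ORG
Valid Starting     Expires            Service Principal
04/29/04 15:47:46  04/30/04 01:47:46  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 05/06/04 15:47:46, PRI'

# Newer MIT klist prints the letters behind a "Flags:" label instead.
SAMPLE_NEW_FORMAT='Default Principal: user@EXAMPLE.ORG
Valid Starting     Expires            Service Principal
04/29/04 15:47:46  04/30/04 01:47:46  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: FPI'

# tgt_forwardable: reads klist -f output on stdin.
tgt_forwardable() {
    awk '
        # First krbtgt line: remember that the next line may carry flags.
        /krbtgt\// && !found { want = 1; found = 1; rc = 1; next }
        want == 1 {
            want = 0
            # Only an indented continuation line belongs to the TGT entry.
            if ($0 ~ /^[ \t]/) {
                n = split($0, parts, ",")      # flags sit in the last field
                flags = parts[n]
                sub(/Flags:/, "", flags)       # tolerate the newer label
                gsub(/[ \t]/, "", flags)
                if (index(flags, "F") > 0) rc = 0
            }
        }
        END { if (!found) exit 2; exit rc }
    '
}

# Live use: klist -f | tgt_forwardable && echo "TGT is forwardable"
```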