OpenSSH and Kerberos Questions

Douglas E. Engert deengert at anl.gov
Wed Nov 17 15:27:19 EST 2004



Joe Odenweller wrote:

> deengert at anl.gov ("Douglas E. Engert") wrote in message news:<419A6BF7.3060004 at anl.gov>...
> 
> ... lots of stuff snipped out ...
> 
> 
>>  Douglas E. Engert  <DEEngert at anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> script output for client:
> 
> Script started on Wed Nov 17 10:27:15 2004
> $ /usr/krb5/bin/kdestroy
> $ /usr/krb5/bin/kinit -f
> Password for mzzckd at AIX.US.EDS.COM: 
> $ /usr/krb5/bin/klist -f
> Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_203
> Default principal:  mzzckd at AIX.US.EDS.COM
> 
> Valid starting     Expires            Service principal
> 11/17/04 10:27:41  11/18/04 10:27:38 
> krbtgt/AIX.US.EDS.COM at AIX.US.EDS.COM
> 	Flags:  FIA
> $ grep -i gssapi /etc/ssh/ssh_config
>     GSSAPIAuthentication yes
>     GSSAPIDelegateCredentials yes
> $ /usr/bin/ssh -vvv usplsai011
> OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug3: Seeding PRNG from /usr/sbin/ssh-rand-helper
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to usplsai011 [206.122.74.93] port 22.
> debug1: Connection established.
> debug1: identity file /home/mzzckd/.ssh/identity type -1
> debug1: identity file /home/mzzckd/.ssh/id_rsa type -1
> debug1: identity file /home/mzzckd/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_3.8.1p1
> debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
> debug3: RNG is ready, skipping seeding
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 133/256
> debug2: bits set: 506/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/mzzckd/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug3: check_host_in_hostfile: filename /home/mzzckd/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host 'usplsai011' is known and matches the RSA host key.
> debug1: Found key in /home/mzzckd/.ssh/known_hosts:1
> debug2: bits set: 529/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mzzckd/.ssh/identity (0)
> debug2: key: /home/mzzckd/.ssh/id_rsa (0)
> debug2: key: /home/mzzckd/.ssh/id_dsa (0)
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials

Looks like client sent the delegated credential.

> debug1: Authentication succeeded (gssapi-with-mic).
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug2: channel 0: send open
> debug1: Entering interactive session.
> debug2: callback start
> debug2: ssh_session2_setup: id 0
> debug2: channel 0: request pty-req
> debug3: tty_make_modes: ospeed 9600
> debug3: tty_make_modes: ispeed 9600
> debug3: tty_make_modes: 1 3
> debug3: tty_make_modes: 2 28
> debug3: tty_make_modes: 3 8
> debug3: tty_make_modes: 4 21
> debug3: tty_make_modes: 5 4
> debug3: tty_make_modes: 6 0
> debug3: tty_make_modes: 7 0
> debug3: tty_make_modes: 8 17
> debug3: tty_make_modes: 9 19
> debug3: tty_make_modes: 10 26
> debug3: tty_make_modes: 11 25
> debug3: tty_make_modes: 12 18
> debug3: tty_make_modes: 14 22
> debug3: tty_make_modes: 30 0
> debug3: tty_make_modes: 31 0
> debug3: tty_make_modes: 32 0
> debug3: tty_make_modes: 33 0
> debug3: tty_make_modes: 34 0
> debug3: tty_make_modes: 35 0
> debug3: tty_make_modes: 36 1
> debug3: tty_make_modes: 37 0
> debug3: tty_make_modes: 38 1
> debug3: tty_make_modes: 39 0
> debug3: tty_make_modes: 40 1
> debug3: tty_make_modes: 41 1
> debug3: tty_make_modes: 50 1
> debug3: tty_make_modes: 51 1
> debug3: tty_make_modes: 52 0
> debug3: tty_make_modes: 53 1
> debug3: tty_make_modes: 54 1
> debug3: tty_make_modes: 55 1
> debug3: tty_make_modes: 56 0
> debug3: tty_make_modes: 57 0
> debug3: tty_make_modes: 58 0
> debug3: tty_make_modes: 59 1
> debug3: tty_make_modes: 60 1
> debug3: tty_make_modes: 61 1
> debug3: tty_make_modes: 62 0
> debug3: tty_make_modes: 70 1
> debug3: tty_make_modes: 71 0
> debug3: tty_make_modes: 72 1
> debug3: tty_make_modes: 73 0
> debug3: tty_make_modes: 74 0
> debug3: tty_make_modes: 75 0
> debug3: tty_make_modes: 90 1
> debug3: tty_make_modes: 91 1
> debug3: tty_make_modes: 92 0
> debug3: tty_make_modes: 93 0
> debug2: channel 0: request shell
> debug2: fd 3 setting TCP_NODELAY
> debug2: callback done
> debug2: channel 0: open confirm rwindow 0 rmax 32768
> debug1: channel 0: free: client-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
>   #0 client-session (t4 r0 i0/0 o0/0 fd 6/7)
> 
> debug3: channel 0: close_fds r 6 w 7 e 8
> Connection to usplsai011 closed by remote host.
> Connection to usplsai011 closed.
> debug1: Transferred: stdin 0, stdout 0, stderr 83 bytes in 0.2 seconds
> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 516.0
> debug1: Exit status -1
> $ 
> 
> script done on Wed Nov 17 10:28:27 2004
> 
> Output from server:
> 
>  fd 11 setting O_NONBLOCK
> debug1: server_init_dispatch_20
> debug1: server_input_channel_open: ctype session rchan 0 win 65536 max
> 16384
> debug1: input_session_request
> debug1: channel 0: new [server-session]
> debug1: session_new: init
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug1: server_input_channel_req: channel 0 request pty-req reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> debug1: Allocating pty.
> debug3: mm_request_send entering: type 25
> debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY
> debug3: mm_request_receive_expect entering: type 26
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 25
> debug3: mm_answer_pty entering
> debug1: session_new: init
> debug1: session_new: session 0
> debug3: mm_request_send entering: type 26
> debug1: session_pty_req: session 0 alloc /dev/pts/5
> debug3: tty_parse_modes: SSH2 n_bytes 251
> debug3: tty_parse_modes: ospeed 9600
> debug3: tty_parse_modes: ispeed 9600
> debug3: tty_parse_modes: 1 3
> debug3: tty_parse_modes: 2 28
> debug3: tty_parse_modes: 3 8
> debug3: tty_parse_modes: 4 21
> debug3: tty_parse_modes: 5 4
> debug3: tty_parse_modes: 6 0
> debug3: tty_parse_modes: 7 0
> debug3: tty_parse_modes: 8 17
> debug3: Trying to reverse map address 206.122.74.94.
> debug3: tty_parse_modes: 9 19
> debug3: tty_parse_modes: 10 26
> debug3: tty_parse_modes: 11 25
> debug3: tty_parse_modes: 12 18
> debug3: tty_parse_modes: 14 22
> debug3: tty_parse_modes: 30 0
> debug3: tty_parse_modes: 31 0
> debug3: tty_parse_modes: 32 0
> debug3: tty_parse_modes: 33 0
> debug3: tty_parse_modes: 34 0
> debug3: tty_parse_modes: 35 0
> debug3: tty_parse_modes: 36 1
> debug3: tty_parse_modes: 37 0
> debug3: tty_parse_modes: 38 1
> debug3: tty_parse_modes: 39 0
> debug3: tty_parse_modes: 40 1
> debug3: tty_parse_modes: 41 1
> debug3: tty_parse_modes: 50 1
> debug3: tty_parse_modes: 51 1
> debug3: tty_parse_modes: 52 0
> debug3: tty_parse_modes: 53 1
> debug3: tty_parse_modes: 54 1
> debug3: tty_parse_modes: 55 1
> debug3: tty_parse_modes: 56 0
> debug3: tty_parse_modes: 57 0
> debug3: tty_parse_modes: 58 0
> debug3: tty_parse_modes: 59 1
> debug3: tty_parse_modes: 60 1
> debug3: tty_parse_modes: 61 1
> debug3: tty_parse_modes: 62 0
> debug3: tty_parse_modes: 70 1
> debug3: tty_parse_modes: 71 0
> debug3: tty_parse_modes: 72 1
> debug3: tty_parse_modes: 73 0
> debug3: tty_parse_modes: 74 0
> debug3: tty_parse_modes: 75 0
> debug3: tty_parse_modes: 90 1
> debug3: tty_parse_modes: 91 1
> debug3: tty_parse_modes: 92 0
> debug3: tty_parse_modes: 93 0
> debug1: server_input_channel_req: channel 0 request shell reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req shell
> debug1: temporarily_use_uid: 203/1 (e=203/1)
> debug3: mm_answer_pty: tty /dev/pts/5 ptyfd 9
> debug3: mm_request_receive entering
> debug1: do_cleanup
> debug1: session_pty_cleanup: session 0 release /dev/pts/5
> usplsai011:/# ls -la /var/krb5/security/creds/krb5cc_203

So it looks like the problem is where did the sshd store the
credentials? SSH likes to use a session based cache, so each
session of a user has a different cache. It should have set the
KRB5CCNAME to point at it. If you use a uid based cache, you can't
clean it up, as some other session/process of the user might be using it.

So reset the GSSAPICleanupCred... to no on the server,
and restart the sshd, and look around to find a cache.
The KRB5CCNAME should have been set to point at it.

So why did you expect to see it at /var/krb5/security/creds?
The default location would be /tmp/krb5cc_....


> /var/krb5/security/creds/krb5cc_203 not found
> usplsai011:/# 
> 
> script done on Wed Nov 17 10:28:36 2004
> 
> /var/krb5/log/kadmin.log on KDC (usplsai012)
> Nov 17 10:27:30 usplsai012.txpln.us.eds.com kadmind[17032](Notice):
> Successful request: kadm5_init,
> host/usplsai011.txpln.us.eds.com at AIX.US.EDS.COM,
> client=host/usplsai011.txpln.us.eds.com at AIX.US.EDS.COM,
> service=kadmin/admin at AIX.US.EDS.COM, addr=206.122.74.93
> 
> Nov 17 10:27:30 usplsai012.txpln.us.eds.com kadmind[17032](Notice):
> Successful request: kadm5_get_principal, mzzckd at AIX.US.EDS.COM,
> client=host/usplsai011.txpln.us.eds.com at AIX.US.EDS.COM,
> service=kadmin/admin at AIX.US.EDS.COM, addr=206.122.74.93
> 
> 
> 
> /var/krb5/log/krb5kdc.log on KDC (usplsai012)
> Nov 17 10:27:16 usplsai012.txpln.us.eds.com
> /usr/krb5/sbin/krb5kdc[16778](Notice): AS_REQ (5 etypes {16 23 18 3
> 1}) 206.122.74.94(88): NEEDED_PREAUTH: mzzckd at AIX.US.EDS.COM for
> krbtgt/AIX.US.EDS.COM at AIX.US.EDS.COM, Additional pre-authentication
> required
> Nov 17 10:27:19 usplsai012.txpln.us.eds.com
> /usr/krb5/sbin/krb5kdc[16778](info): AS_REQ (5 etypes {16 23 18 3 1})
> 206.122.74.94(88): ISSUE: authtime 1100710759, etypes {rep=16 tkt=16
> ses=16}, mzzckd at AIX.US.EDS.COM for
> krbtgt/AIX.US.EDS.COM at AIX.US.EDS.COM

The above is your initial krbtgt.

> Nov 17 10:27:30 usplsai012.txpln.us.eds.com
> /usr/krb5/sbin/krb5kdc[16778](info): AS_REQ (5 etypes {16 23 18 3 1})
> 206.122.74.93(88): ISSUE: authtime 1100710770, etypes {rep=16 tkt=16
> ses=16}, host/usplsai011.txpln.us.eds.com at AIX.US.EDS.COM for
> kadmin/admin at AIX.US.EDS.COM
> Nov 17 10:27:31 usplsai012.txpln.us.eds.com
> /usr/krb5/sbin/krb5kdc[16778](info): TGS_REQ (5 etypes {16 23 18 3 1})
> 206.122.74.94(88): ISSUE: authtime 1100710759, etypes {rep=16 tkt=16
> ses=16}, mzzckd at AIX.US.EDS.COM for
> host/usplsai011.txpln.us.eds.com at AIX.US.EDS.COM:

This is the service ticket to authenticate with.

> Nov 17 10:27:31 usplsai012.txpln.us.eds.com
> /usr/krb5/sbin/krb5kdc[16778](info): TGS_REQ (1 etypes {16})
> 206.122.74.94(88): ISSUE: authtime 1100710759, etypes {rep=16 tkt=16
> ses=16}, mzzckd at AIX.US.EDS.COM for
> krbtgt/AIX.US.EDS.COM at AIX.US.EDS.COM:

This is the delegated tgt that will be sent from the client to the server.



-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
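The three KDC log entries annotated above (initial krbtgt, service ticket for host/..., forwarded krbtgt) are the fingerprint of a GSSAPI login with credential delegation. Below is an added example, not code from the thread, that parses constructed krb5kdc.log lines in that format and pairs each forwarded TGT with the host that will receive it; realm, principals and addresses are placeholders.

```python
import re

# Constructed sample lines in the MIT krb5kdc.log format quoted in the thread.
# Realm, principals and addresses are placeholders, not the original site's values.
SAMPLE_LOG = """\
Nov 17 10:27:16 kdc.example.com /usr/krb5/sbin/krb5kdc[16778](Notice): AS_REQ (5 etypes {16 23 18 3 1}) 192.0.2.94(88): NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 17 10:27:19 kdc.example.com /usr/krb5/sbin/krb5kdc[16778](info): AS_REQ (5 etypes {16 23 18 3 1}) 192.0.2.94(88): ISSUE: authtime 1100710759, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Nov 17 10:27:31 kdc.example.com /usr/krb5/sbin/krb5kdc[16778](info): TGS_REQ (5 etypes {16 23 18 3 1}) 192.0.2.94(88): ISSUE: authtime 1100710759, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for host/ssh1.example.com@EXAMPLE.COM:
Nov 17 10:27:31 kdc.example.com /usr/krb5/sbin/krb5kdc[16778](info): TGS_REQ (1 etypes {16}) 192.0.2.94(88): ISSUE: authtime 1100710759, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM:
"""

# One KDC request line: kind, client address, status, requesting client, requested service.
LINE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>[\d.]+)\(\d+\): (?P<status>\w+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<service>[^\s,:]+)"
)

def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ line, labelled by what the KDC issued."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        is_tgt = ev["service"].startswith("krbtgt/")
        if ev["status"] != "ISSUE":
            ev["label"] = "no ticket (%s)" % ev["status"]
        elif ev["kind"] == "AS_REQ" and is_tgt:
            ev["label"] = "initial TGT"        # what kinit obtains
        elif ev["kind"] == "TGS_REQ" and not is_tgt:
            ev["label"] = "service ticket"     # used to authenticate to host/...
        elif ev["kind"] == "TGS_REQ" and is_tgt:
            ev["label"] = "forwarded TGT"      # GSSAPIDelegateCredentials yes
        else:
            ev["label"] = "other"
        events.append(ev)
    return events

def find_delegations(events):
    """Pair each forwarded TGT with the service ticket the same client obtained
    just before it from the same address: that service host will receive a copy
    of the user's TGT and should store it in sshd's per-session cache."""
    found, last_service = [], {}
    for ev in events:
        key = (ev["client"], ev["addr"])
        if ev["label"] == "service ticket":
            last_service[key] = ev["service"]
        elif ev["label"] == "forwarded TGT" and key in last_service:
            found.append((ev["client"], last_service[key]))
    return found
```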

