problem setting up ssh-krb5 from Debian Sarge

Rachel Elizabeth Dillon red at MIT.EDU
Fri Oct 22 20:53:40 EDT 2004


This line:

>PAM rejected by account configuration[9]: Authentication service
>cannot retrieve authentication info.

suggests that PAM is failing for some reason. Without knowing more
about your configuration, I have no idea why. :) Some things to try: 

1. http://lists.debian.org/debian-glibc/2002/10/msg00266.html
   It is unlikely that this is your problem, but it could be, and if
   it is you are lucky and get to stop reading now.
2. Does the user you are trying to log in as exist in /etc/passwd?
3. What about /etc/shadow?
4. Is the user's shell valid?

Googling on the error suggests that the probable cause of this 
particular error is a problem in /etc/passwd or /etc/shadow,
but my past experience has taught me that PAM errors can be really
strange, so keep poking around. 

Questions that might help isolate the problem:

1. Can you log in via SSH without Kerberos? (i.e., by entering your
normal system password) If not, do you get the same error? If
so, you probably want to change something in /etc/pam.conf.
2. If you add your kerberos principal to the /.k5login file on
helmsley, can you ssh -l root helmsley with Kerberos tickets?
If so, the problem is probably with the local user.
3. Do you get the same errors when you try to connect via
SSH from a different machine? If not, there is something wrong on
the client side.

Hope this helps,

-r. 

On Fri, Oct 22, 2004 at 04:50:28PM -0400, Wes Chow wrote:
> 
> I'm trying to get kerberized ssh going for my Debian Sarge system.
> Kerberized telnet works fine.  When I try to log in with ssh:
> 
> 
> wchow at helmsley:~/.ssh$ klist
> Ticket cache: FILE:/tmp/krb5cc_p1116
> Default principal: wchow at D2702.ATHENACR.COM
> 
> Valid starting     Expires            Service principal
> 10/22/04 15:58:24  10/23/04 01:58:24
> krbtgt/D2702.ATHENACR.COM at D2702.ATHENACR.COM
> 10/22/04 15:58:30  10/23/04 01:58:24
> host/helmsley.dev.in.athenacr.com at D2702.ATHENACR.COM
> 10/22/04 16:43:50  10/23/04 01:58:24
> host/jack.dev.in.athenacr.com at D2702.ATHENACR.COM
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt_1
> Principal: wchow at D2702.ATHENACR.COM
> 
>   Issued              Expires             Principal
>   10/22/04 15:50:20  10/22/04 23:30:20
> krbtgt.D2702.ATHENACR.COM at D2702.ATHENACR.COM
> wchow at helmsley:~/.ssh$ ssh helmsley 
> Read from remote host helmsley: Connection reset by peer
> Connection to helmsley closed.
> 
> 
> 
> 
> And on the server side:
> 
> helmsley:~# sshd -d
> debug1: sshd version OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-6 Debian_krb5
> 3.6.1p2-6
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> socket: Address family not supported by protocol
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: Server will not fork when running in debugging mode.
> Connection from 192.168.0.13 port 32804
> debug1: Client protocol version 2.0; client software version
> OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-6 Debian_krb5 3.6.1p2-6
> debug1: match: OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-6 Debian_krb5
> 3.6.1p2-6 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian_krb5
> 3.6.1p2-6 Debian_krb5 3.6.1p2-6
> debug1: permanently_set_uid: 100/65534
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: GSSAPI mechanism Kerberos
> (gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==) supported
> debug1: GSSAPI mechanism Kerberos
> (gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==) supported
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: using GSSAPI mechanism Kerberos
> (gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==)
> debug1: Wait SSH2_MSG_GSSAPI_INIT
> debug1: Got no client credentials
> debug1: gss_complete
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user wchow service ssh-connection method
> none
> debug1: attempt 0 failures 0
> debug1: Starting up PAM with username "wchow"
> Failed none for wchow from 192.168.0.13 port 32804 ssh2
> debug1: userauth-request for user wchow service ssh-connection method
> external-keyx
> debug1: attempt 1 failures 1
> debug1: PAM setting rhost to "helmsley.dev.in.athenacr.com"
> Authorized to wchow, krb5 principal wchow at D2702.ATHENACR.COM
> (krb5_kuserok)
> Accepted external-keyx for wchow from 192.168.0.13 port 32804 ssh2
> PAM rejected by account configuration[9]: Authentication service
> cannot retrieve authentication info.
> debug1: PAM establishing creds
> Failed gssapi for wchow from 192.168.0.13 port 32804 ssh2
> monitor_read: unsupported request: 38
> debug1: Calling cleanup 0x8067710(0x0)
> 
> 
> 
> I don't know how to read any of this output, so some clues would be
> greatly appreciated...
> 
> Thanks,
> Wes
> 
> -- 
> http://www.woahnelly.net/~wes/          OpenPGP key = 0xA5CA6644
> fingerprint = FDE5 21D8 9D8B 386F 128F  DF52 3F52 D582 A5CA 6644
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
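
Checks 2 to 4 from the reply above (passwd entry, shadow entry, valid shell), written as a script; this is an added example, not part of the original thread. It assumes "valid shell" means listed in the shells file and executable, and it uses constructed sample files and hypothetical user names (okuser, noshadow, badshell, ghost).

```shell
#!/bin/sh
# Added example: the account checks from the reply, run against passwd,
# shadow and shells files passed as arguments.
# check_account USER PASSWD SHADOW SHELLS
# Prints one line per problem found; prints nothing when all checks pass.
check_account() {
    user=$1 passwd=$2 shadow=$3 shells=$4

    # Check 2: exact match on the first colon-separated field of passwd.
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "no-passwd-entry"
        return 0    # nothing else can be checked without the passwd entry
    fi

    # Check 3: the same user name must also appear in shadow.
    if ! awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$shadow"; then
        echo "no-shadow-entry"
    fi

    # Check 4: login shell (7th field); an empty field means /bin/sh.
    shell=$(printf '%s\n' "$entry" | awk -F: '{ print $7 }')
    [ -n "$shell" ] || shell=/bin/sh
    if ! grep -qxF -- "$shell" "$shells"; then
        echo "shell-not-listed:$shell"
    elif [ ! -x "$shell" ]; then
        echo "shell-not-executable:$shell"
    fi
}

# Constructed sample files (not from the thread) so the example runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/passwd" <<'EOF'
okuser:x:1000:1000::/home/okuser:/bin/sh
noshadow:x:1001:1001::/home/noshadow:/bin/sh
badshell:x:1002:1002::/home/badshell:/bin/nosuchshell
EOF
cat > "$demo/shadow" <<'EOF'
okuser:*:12700:0:99999:7:::
badshell:*:12700:0:99999:7:::
EOF
printf '/bin/sh\n' > "$demo/shells"

for u in okuser noshadow badshell ghost; do
    printf '%s: %s\n' "$u" "$(check_account "$u" "$demo/passwd" "$demo/shadow" "$demo/shells" | tr '\n' ' ')"
done
```

On the server itself, run it as root (so the shadow file is readable) with `/etc/passwd`, `/etc/shadow` and `/etc/shells` as the three file arguments.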