Kerberos + SSH question
Nod
none at nospam.none
Tue Jun 20 09:34:38 EDT 2006
On 19 Jun 2006 23:09:01 -0400, "Richard E. Silverman" <res at qoxp.net> wrote:
>>
>> On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" <res at qoxp.net> wrote:
>> >>>>>> "Nod" == Nod <none at nospam.none> writes:
>> >
>> > Nod> I've currently got a Heimdal KDC setup for testing. From the
>> > Nod> testing network, I can successfully get tickets via kinit, and ssh
>> > Nod> with the ticket between servers. Now, I'm trying to get the
>> > Nod> Windows desktop side working. Right now, I can authenticate
>> > Nod> (using SecureCRT with Kerberos support) but only when I use kinit
>> > Nod> from the Windows XP desktop. What I'm trying to do is get the
>> > Nod> ssh server on the machine I'm accessing to carry out the kerberos
>> > Nod> authentication, so I don't have to install kerberos software on
>> > Nod> all our support staff's desktops, and put everyone's desktop in
>> > Nod> the realm. Basically, ssh to the server with my kerberos
>> > Nod> password, and have the server carry out the kerberos work for me.
>> >
>> >So, you want to do two entirely different things. When you kinit on
>> >Windows, you are using ticket-based authentication and you have
>> >single-signon. Now, you do not want to use Kerberos on the clients; you
>> >want to use password authentication (no single-signon), and have the SSH
>> >server validate the password against Kerberos.
>> >
>> >You have not said what SSH server you're using, or what server OS, or
>> >indeed anything about the server at all. Assuming it's OpenSSH on Unix,
>> >you can use this:
>> >
>> >PasswordAuthentication yes
>> >KerberosAuthentication yes
>> >
>> >or, use keyboard-interactive authentication and configure PAM to use
>> >Kerberos.
>>
>> OpenSSH_4.3p2, FreeBSD 6.0, in this case.
>>
>> PAM config for ssh
>> u2:~# cat /etc/pam.d/sshd | grep krb
>> auth sufficient pam_krb5.so no_warn try_first_pass
>> account required pam_krb5.so
>> password sufficient pam_krb5.so no_warn try_first_pass
>
>Since the PAM config is order-dependent, grepping out certain lines does
>not show whether it would work, or even if these lines would be consulted
>at all.
>
>> SSHD config
>> PermitRootLogin yes
>> PasswordAuthentication yes
>> ChallengeResponseAuthentication yes
>> KerberosAuthentication yes
>> KerberosOrLocalPasswd yes
>> KerberosTicketCleanup yes
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>> UsePAM yes
>> Subsystem sftp /usr/libexec/sftp-server
>>
>>
>>
>> SSH debug of connection attempt, in keyboard interactive mode.
>>
>> Invalid user nod@test.myrealm.com from ip
>> input_userauth_request: invalid user nod@test.myrealm.com
>> debug1: PAM: initializing for "nod@test.myrealm.com"
>> debug1: PAM: setting PAM_RHOST to "nt1.myrealm.com"
>> Failed none for invalid user nod@test.myrealm.com from ip port 3727 ssh2
>> Failed none for invalid user nod@test.myrealm.com from ip port 3727 ssh2
>> debug1: userauth-request for user nod@test.myrealm.com service ssh-connection method keyboard-interactive
>> debug1: attempt 1 failures 1
>> debug1: keyboard-interactive devs
>> debug1: auth2_challenge: user=nod@test.myrealm.com devs=
>> debug1: kbdint_alloc: devices 'pam'
>> debug1: auth2_challenge_start: trying authentication method 'pam'
>> Postponed keyboard-interactive for invalid user nod@test.myrealm.com from ip port 3727 ssh2
>> PAM: authentication error for illegal user nod@test.myrealm.com from nt1.myrealm.com
>> Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from ip port 3727 ssh2
>> Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from ip port 3727 ssh2
>> Received disconnect from ip: 13: The user canceled authentication.
>
>> This doesn't appear to have worked; perhaps I'm missing something?
>
>The various references to "illegal user" and "invalid user" suggest an
>independent reason why sshd or PAM don't like this account. You'd get
>this if, for example, you had set AllowUsers and this account were not
>listed. Perhaps there's something else wrong with this account that PAM
>checks, e.g. it has a shell not in /etc/shells?
>
>This seems familiar to me...
Here's the whole pam config for ssh:
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
As for the user, no, it doesn't exist on the box. This might be where I'm
running into a problem. Right now, this box only has its root user and various
system accounts on it. Here's what I'm trying to do:
- Set up kerberos users for my various support techs. This is done, and I can
kinit from the servers as those users.
- Allow the kerberos users login access to the servers, and eventually, sudo
access. Right now, I've not added any local users to the servers themselves, as
I was under the impression that having them in Kerberos would make them a
'virtual' user of sorts.
Am I missing something here, or do I have a fundamental misunderstanding of
something? Your input is greatly appreciated.
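Added example (not from the thread, not OpenPAM's or OpenSSH's code): a small Python model of the two gates visible in the debug log above. It parses the posted pam.d/sshd "auth" stack, applies OpenPAM's control-flag rules (required, requisite, sufficient, optional, binding) in file order, and puts sshd's passwd-database lookup in front of the stack, so you can see why a name with no local account is logged as "invalid user" before pam_krb5 is ever reached, why the order of the pam_krb5 and pam_unix lines matters, and why grepping out single lines says nothing about whether they are consulted. The module outcomes (KDC accepted the password, user has no OPIE key, and so on) are constructed inputs supplied by the caller; nothing here contacts a KDC or reads master.passwd.

```python
"""Walk a FreeBSD pam.d/sshd "auth" stack the way OpenPAM dispatches it.

Added example for this thread; not code from the original post, from OpenPAM
or from OpenSSH. It models only the control-flag rules and sshd's
account-existence gate; the modules' real work (pam_krb5 asking the KDC,
pam_unix checking master.passwd) is replaced by caller-supplied outcomes.
"""
import pwd
from typing import Dict, List, Optional, Set, Tuple

SUCCESS = "PAM_SUCCESS"

# Constructed copy of the pam.d/sshd posted above, used as sample input.
SAMPLE_PAM_SSHD = """\
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
"""


def parse_stack(text: str, facility: str) -> List[Tuple[str, str]]:
    """Return [(control, module), ...] for one facility in file order.
    Blank and commented-out lines (the pam_ssh line above) are skipped."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack: List[Tuple[str, str]],
              outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Dispatch the stack with OpenPAM's control-flag rules.

    outcomes maps module name -> return code; a module missing from the map
    fails with PAM_AUTH_ERR (e.g. pam_opie when the user has no OPIE key).
    Returns (final code, modules actually consulted, in order)."""
    err = SUCCESS                 # first failure recorded by required/binding
    consulted: List[str] = []
    for control, module in stack:
        r = outcomes.get(module, "PAM_AUTH_ERR")
        consulted.append(module)
        if control == "binding":
            if r == SUCCESS and err == SUCCESS:
                return SUCCESS, consulted
            if r != SUCCESS and err == SUCCESS:
                err = r
        elif control == "required":
            if r != SUCCESS and err == SUCCESS:
                err = r           # remember the failure but keep walking
        elif control == "requisite":
            if r != SUCCESS:
                return r, consulted        # stop immediately
        elif control == "sufficient":
            if r == SUCCESS and err == SUCCESS:
                return SUCCESS, consulted  # short-circuit; later modules never run
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return err, consulted


def sshd_auth_decision(username: str, stack, outcomes: Dict[str, str],
                       local_accounts: Optional[Set[str]] = None):
    """Mimic the two gates in the debug log above: sshd looks the name up in
    the passwd database first (getpwnam); an unknown name is logged as
    "invalid user" and cannot authenticate whatever PAM returns (real sshd
    still initialises PAM for it, as the log shows, but discards the result).
    local_accounts stands in for the passwd database; None means use pwd."""
    if local_accounts is None:
        try:
            pwd.getpwnam(username)
            exists = True
        except KeyError:
            exists = False
    else:
        exists = username in local_accounts
    if not exists:
        return "invalid user", []
    return run_stack(stack, outcomes)


if __name__ == "__main__":
    auth = parse_stack(SAMPLE_PAM_SSHD, "auth")
    # Constructed outcomes: no OPIE key, Kerberos password accepted by the KDC.
    krb_ok = {"pam_nologin.so": SUCCESS, "pam_opieaccess.so": SUCCESS,
              "pam_krb5.so": SUCCESS}
    print(sshd_auth_decision("nod@test.myrealm.com", auth, krb_ok,
                             local_accounts={"root"}))   # ('invalid user', [])
    print(sshd_auth_decision("nod", auth, krb_ok, local_accounts={"root", "nod"}))
    # Same modules with pam_unix moved ahead of pam_krb5: a required failure
    # is sticky, so a later Kerberos success can no longer rescue the login.
    swapped = [("required", "pam_unix.so"), ("sufficient", "pam_krb5.so")]
    print(run_stack(swapped, {"pam_krb5.so": SUCCESS}))  # ('PAM_AUTH_ERR', ...)
```

With the posted order, a Kerberos success returns before pam_unix is consulted, and a Kerberos failure falls through to pam_unix, which is what the KerberosOrLocalPasswd behaviour amounts to at the PAM layer. None of that is reached for a name that getpwnam does not know, which is the situation in the log above.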