Lots of UNKNOWN_SERVER this time... whoa
Jeff Blaine
jblaine at kickflop.net
Mon Apr 30 17:56:55 EDT 2007
I believe I am chalking this (original reported issue)
up to a broken sshd_config, believe it or not. All of
the crazy UNKNOWN_SERVER errors are gone.
UsePAM was yes, ChallengeResponseAuthentication was "no"
so no PAM auth was being used. Don't ask me how, but I
was getting in somehow and getting creds after a 10sec
delay and the spammy errors.
I forced all GSSAPI and Kerberos options to "no" and left
ChallengeResponseAuthentication and UsePAM as "yes".
NOW I get right in ... and *end up with no stored* krb5
credentials. krb5kdc.log shows them acquired.
client sshd[19529]: pam_krb5[19529]: configured realm 'RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]: flags: forwardable
client sshd[19529]: pam_krb5[19529]: flag: no ignore_afs
^^^ HUH? Flag not even in man page.
client sshd[19529]: pam_krb5[19529]: flag: user_check
client sshd[19529]: pam_krb5[19529]: flag: no krb4_convert
^^^ NOTE
client sshd[19529]: pam_krb5[19529]: flag: warn
client sshd[19529]: pam_krb5[19529]: ticket lifetime: 0
client sshd[19529]: pam_krb5[19529]: renewable lifetime: 0
client sshd[19529]: pam_krb5[19529]: minimum uid: 100
client sshd[19529]: pam_krb5[19529]: banner: Kerberos 5
client sshd[19529]: pam_krb5[19529]: ccache dir: /tmp
client sshd[19529]: pam_krb5[19529]: keytab: /etc/krb5.keytab
client sshd[19529]: pam_krb5[19529]: called to authenticate 'jblaine'
client sshd[19529]: pam_krb5[19529]: authenticating 'jblaine at RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]: saving newly-entered password for
use by other modules
client sshd[19529]: pam_krb5[19529]: trying newly-entered password for
'jblaine'
client sshd[19529]: pam_krb5[19529]: authenticating
'jblaine at RCF.FOO.COM' to 'krbtgt/RCF.FOO.COM at RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]:
krb5_get_init_creds_password(krbtgt/RCF.FOO.COM at RCF.FOO.COM) returned 0
(Success)
client sshd[19529]: pam_krb5[19529]: got result 0 (Success)
client sshd[19529]: pam_krb5[19529]: obtaining v4-compatible key
^^^ WHY!?
client sshd[19529]: pam_krb5[19529]: obtained des-cbc-crc v5 creds
client sshd[19529]: pam_krb5[19529]: converting v5 creds to v4 creds
(etype = 1)
client sshd[19529]: pam_krb5[19529]: conversion failed: -1765328228
(Cannot contact any KDC for requested realm)
^^^ GRRRR
client sshd[19529]: pam_krb5[19529]: obtaining initial v4 creds
client sshd[19529]: pam_krb5[19529]: converted principal to
'jblaine'[.]''@'RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]: preparing to place v4 credentials
in '/tmp/tkt26560_Hf9DpJ'
client sshd[19529]: pam_krb5[19529]: could not obtain initial v4 creds:
7 (Argument list too long)
client sshd[19529]: pam_krb5[19529]: error obtaining v4 creds: 57
(Invalid slot)
^^^ WTF?
client sshd[19529]: pam_krb5[19529]: authentication succeeds for
'jblaine' (jblaine at RCF.FOO.COM)
client sshd[19529]: pam_krb5[19529]: pam_authenticate returning 0 (Success)
============== KDC REPORTS JUST THEN ================================
kdc krb5kdc[1862](info): AS_REQ (7 etypes {18 17 16 23 1 3 2})
129.83.11.213: ISSUE: authtime 1177969934, etypes {rep=16 tkt=16
ses=16}, jblaine at RCF.FOO.COM for krbtgt/RCF.FOO.COM at RCF.FOO.COM
kdc krb5kdc[1862](info): TGS_REQ (1 etypes {1}) 129.83.11.213: ISSUE:
authtime 1177969934, etypes {rep=16 tkt=16 ses=1}, jblaine at RCF.FOO.COM
for krbtgt/RCF.FOO.COM at RCF.FOO.COM
============== END KDC REPORT =======================================
client sshd[19527]: Accepted keyboard-interactive/pam for jblaine from
::ffff:129.83.10.14 port 43521 ssh2
client sshd(pam_unix)[19530]: session opened for user jblaine by (uid=0)
client sshd[19530]: pam_krb5[19530]: configured realm 'RCF.FOO.COM'
client sshd[19530]: pam_krb5[19530]: flags: forwardable
client sshd[19530]: pam_krb5[19530]: flag: no ignore_afs
client sshd[19530]: pam_krb5[19530]: flag: user_check
client sshd[19530]: pam_krb5[19530]: flag: no krb4_convert
client sshd[19530]: pam_krb5[19530]: flag: warn
client sshd[19530]: pam_krb5[19530]: ticket lifetime: 0
client sshd[19530]: pam_krb5[19530]: renewable lifetime: 0
client sshd[19530]: pam_krb5[19530]: minimum uid: 100
client sshd[19530]: pam_krb5[19530]: banner: Kerberos 5
client sshd[19530]: pam_krb5[19530]: ccache dir: /tmp
client sshd[19530]: pam_krb5[19530]: keytab: /etc/krb5.keytab
client sshd[19530]: pam_krb5[19530]: no v5 creds for user 'jblaine',
skipping session setup
^^^ NOTE
client sshd[19530]: pam_krb5[19530]: pam_open_session returning 0 (Success)
client sshd[19530]: (pam_afs_session): pam_sm_open_session: entry (0x0)
client sshd[19530]: (pam_afs_session): skipping, no Kerberos ticket cache
^^^ NOTE
client sshd[19530]: (pam_afs_session): pam_sm_open_session: exit (success)
client sshd[19530]: pam_krb5[19530]: configured realm 'RCF.FOO.COM'
client sshd[19530]: pam_krb5[19530]: flags: forwardable
client sshd[19530]: pam_krb5[19530]: flag: no ignore_afs
client sshd[19530]: pam_krb5[19530]: flag: user_check
client sshd[19530]: pam_krb5[19530]: flag: no krb4_convert
client sshd[19530]: pam_krb5[19530]: flag: warn
client sshd[19530]: pam_krb5[19530]: ticket lifetime: 0
client sshd[19530]: pam_krb5[19530]: renewable lifetime: 0
client sshd[19530]: pam_krb5[19530]: minimum uid: 100
client sshd[19530]: pam_krb5[19530]: banner: Kerberos 5
client sshd[19530]: pam_krb5[19530]: ccache dir: /tmp
client sshd[19530]: pam_krb5[19530]: keytab: /etc/krb5.keytab
client sshd[19530]: pam_krb5[19530]: called to update credentials for
'jblaine'
client sshd[19530]: pam_krb5[19530]: _pam_krb5_sly_refresh returning 0
(Success)
======================================================================
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
...
~:client> /usr/kerberos/bin/klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_26560)
Kerberos 4 ticket cache: /tmp/tkt26560
klist: You have no tickets cached
~:client>
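A small log triage script, added here as an example and not part of the post above or of pam_krb5 itself: it groups the quoted pam_krb5 messages by sshd PID and flags the two things worth noticing in them, a v4 conversion attempted although `krb4_convert` is off, and an authentication that reported success while the session phase found no v5 ticket (the condition behind the empty klist). The function names `parse_pam_krb5` and `diagnose` and the condensed sample log are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed copy of the pam_krb5 lines quoted in the post.
SAMPLE_LOG = """\
client sshd[19529]: pam_krb5[19529]: flag: no krb4_convert
client sshd[19529]: pam_krb5[19529]: called to authenticate 'jblaine'
client sshd[19529]: pam_krb5[19529]: got result 0 (Success)
client sshd[19529]: pam_krb5[19529]: obtaining v4-compatible key
client sshd[19529]: pam_krb5[19529]: conversion failed: -1765328228 (Cannot contact any KDC for requested realm)
client sshd[19529]: pam_krb5[19529]: error obtaining v4 creds: 57 (Invalid slot)
client sshd[19529]: pam_krb5[19529]: pam_authenticate returning 0 (Success)
client sshd[19530]: pam_krb5[19530]: no v5 creds for user 'jblaine', skipping session setup
client sshd[19530]: pam_krb5[19530]: pam_open_session returning 0 (Success)
"""

LINE_RE = re.compile(r"^\S+ sshd\[(?P<pid>\d+)\]: pam_krb5\[\d+\]: (?P<msg>.*)$")

def parse_pam_krb5(text):
    """Group pam_krb5 messages by the sshd PID that emitted them."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[int(m.group("pid"))].append(m.group("msg"))
    return dict(by_pid)

def diagnose(text):
    """Summarise one login: auth result, v4 activity, and whether the session saw a ticket."""
    f = {"auth_ok": False, "krb4_convert_off": False, "v4_attempted": False,
         "v4_failed": False, "session_skipped": False}
    for msgs in parse_pam_krb5(text).values():
        for msg in msgs:
            if msg.startswith("flag: no krb4_convert"):
                f["krb4_convert_off"] = True
            elif msg.startswith("pam_authenticate returning 0"):
                f["auth_ok"] = True
            elif msg.startswith(("conversion failed", "error obtaining v4 creds")):
                f["v4_failed"] = True
            elif msg.startswith("obtaining") and "v4" in msg:
                f["v4_attempted"] = True
            elif msg.startswith("no v5 creds for user"):
                f["session_skipped"] = True
    # The symptom in the post: PAM reports success but the session phase never sees a
    # ticket; the second flag marks v4 work done despite krb4_convert being off.
    f["creds_lost"] = f["auth_ok"] and f["session_skipped"]
    f["v4_despite_flag"] = f["krb4_convert_off"] and f["v4_attempted"]
    return f
```

Run it over a full debug log to spot a login whose ticket was acquired at the KDC but never landed in a credential cache, before digging through sshd_config by hand.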