Lots of UNKNOWN_SERVER this time... whoa

Jeff Blaine jblaine at kickflop.net
Mon Apr 30 17:56:55 EDT 2007


I believe I am chalking this (original reported issue)
up to a broken sshd_config, believe it or not.  All of
the crazy UNKNOWN_SERVER errors are gone.

UsePAM was yes, ChallengeResponseAuthentication was "no"
so no PAM auth was being used.  Don't ask me how, but I
was getting in somehow and getting creds after a 10sec
delay and the spammy errors.

I forced all GSSAPI and Kerberos options to "no" and left
ChallengeResponseAuthentication and UsePAM as "yes".

NOW I get right in ... and *end up with no stored* krb5
credentials.  krb5kdc.log shows them acquired.

client sshd[19529]: pam_krb5[19529]: configured realm 'RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]: flags: forwardable
client sshd[19529]: pam_krb5[19529]: flag: no ignore_afs

^^^ HUH?  Flag not even in man page.

client sshd[19529]: pam_krb5[19529]: flag: user_check
client sshd[19529]: pam_krb5[19529]: flag: no krb4_convert

^^^ NOTE

client sshd[19529]: pam_krb5[19529]: flag: warn
client sshd[19529]: pam_krb5[19529]: ticket lifetime: 0
client sshd[19529]: pam_krb5[19529]: renewable lifetime: 0
client sshd[19529]: pam_krb5[19529]: minimum uid: 100
client sshd[19529]: pam_krb5[19529]: banner: Kerberos 5
client sshd[19529]: pam_krb5[19529]: ccache dir: /tmp
client sshd[19529]: pam_krb5[19529]: keytab: /etc/krb5.keytab
client sshd[19529]: pam_krb5[19529]: called to authenticate 'jblaine'
client sshd[19529]: pam_krb5[19529]: authenticating 'jblaine at RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]: saving newly-entered password for 
use by other modules
client sshd[19529]: pam_krb5[19529]: trying newly-entered password for 
'jblaine'
client sshd[19529]: pam_krb5[19529]: authenticating 
'jblaine at RCF.FOO.COM' to 'krbtgt/RCF.FOO.COM at RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]: 
krb5_get_init_creds_password(krbtgt/RCF.FOO.COM at RCF.FOO.COM) returned 0 
(Success)
client sshd[19529]: pam_krb5[19529]: got result 0 (Success)
client sshd[19529]: pam_krb5[19529]: obtaining v4-compatible key

^^^ WHY!?

client sshd[19529]: pam_krb5[19529]: obtained des-cbc-crc v5 creds
client sshd[19529]: pam_krb5[19529]: converting v5 creds to v4 creds 
(etype = 1)
client sshd[19529]: pam_krb5[19529]: conversion failed: -1765328228 
(Cannot contact any KDC for requested realm)

^^^ GRRRR

client sshd[19529]: pam_krb5[19529]: obtaining initial v4 creds
client sshd[19529]: pam_krb5[19529]: converted principal to 
'jblaine'[.]''@'RCF.FOO.COM'
client sshd[19529]: pam_krb5[19529]: preparing to place v4 credentials 
in '/tmp/tkt26560_Hf9DpJ'
client sshd[19529]: pam_krb5[19529]: could not obtain initial v4 creds: 
7 (Argument list too long)
client sshd[19529]: pam_krb5[19529]: error obtaining v4 creds: 57 
(Invalid slot)

^^^ WTF?

client sshd[19529]: pam_krb5[19529]: authentication succeeds for 
'jblaine' (jblaine at RCF.FOO.COM)
client sshd[19529]: pam_krb5[19529]: pam_authenticate returning 0 (Success)

============== KDC REPORTS JUST THEN ================================
kdc krb5kdc[1862](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 
129.83.11.213: ISSUE: authtime 1177969934, etypes {rep=16 tkt=16 
ses=16}, jblaine at RCF.FOO.COM for krbtgt/RCF.FOO.COM at RCF.FOO.COM

kdc krb5kdc[1862](info): TGS_REQ (1 etypes {1}) 129.83.11.213: ISSUE: 
authtime 1177969934, etypes {rep=16 tkt=16 ses=1}, jblaine at RCF.FOO.COM 
for krbtgt/RCF.FOO.COM at RCF.FOO.COM
============== END KDC REPORT =======================================

client sshd[19527]: Accepted keyboard-interactive/pam for jblaine from 
::ffff:129.83.10.14 port 43521 ssh2
client sshd(pam_unix)[19530]: session opened for user jblaine by (uid=0)
client sshd[19530]: pam_krb5[19530]: configured realm 'RCF.FOO.COM'
client sshd[19530]: pam_krb5[19530]: flags: forwardable
client sshd[19530]: pam_krb5[19530]: flag: no ignore_afs
client sshd[19530]: pam_krb5[19530]: flag: user_check
client sshd[19530]: pam_krb5[19530]: flag: no krb4_convert
client sshd[19530]: pam_krb5[19530]: flag: warn
client sshd[19530]: pam_krb5[19530]: ticket lifetime: 0
client sshd[19530]: pam_krb5[19530]: renewable lifetime: 0
client sshd[19530]: pam_krb5[19530]: minimum uid: 100
client sshd[19530]: pam_krb5[19530]: banner: Kerberos 5
client sshd[19530]: pam_krb5[19530]: ccache dir: /tmp
client sshd[19530]: pam_krb5[19530]: keytab: /etc/krb5.keytab
client sshd[19530]: pam_krb5[19530]: no v5 creds for user 'jblaine', 
skipping session setup

^^^ NOTE

client sshd[19530]: pam_krb5[19530]: pam_open_session returning 0 (Success)
client sshd[19530]: (pam_afs_session): pam_sm_open_session: entry (0x0)
client sshd[19530]: (pam_afs_session): skipping, no Kerberos ticket cache

^^^ NOTE

client sshd[19530]: (pam_afs_session): pam_sm_open_session: exit (success)
client sshd[19530]: pam_krb5[19530]: configured realm 'RCF.FOO.COM'
client sshd[19530]: pam_krb5[19530]: flags: forwardable
client sshd[19530]: pam_krb5[19530]: flag: no ignore_afs
client sshd[19530]: pam_krb5[19530]: flag: user_check
client sshd[19530]: pam_krb5[19530]: flag: no krb4_convert
client sshd[19530]: pam_krb5[19530]: flag: warn
client sshd[19530]: pam_krb5[19530]: ticket lifetime: 0
client sshd[19530]: pam_krb5[19530]: renewable lifetime: 0
client sshd[19530]: pam_krb5[19530]: minimum uid: 100
client sshd[19530]: pam_krb5[19530]: banner: Kerberos 5
client sshd[19530]: pam_krb5[19530]: ccache dir: /tmp
client sshd[19530]: pam_krb5[19530]: keytab: /etc/krb5.keytab
client sshd[19530]: pam_krb5[19530]: called to update credentials for 
'jblaine'
client sshd[19530]: pam_krb5[19530]: _pam_krb5_sly_refresh returning 0 
(Success)

======================================================================

debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
...
~:client> /usr/kerberos/bin/klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_26560)


Kerberos 4 ticket cache: /tmp/tkt26560
klist: You have no tickets cached
~:client>



More information about the Kerberos mailing list