single sign on woes

john smith jsmithk08 at gmail.com
Tue Feb 12 03:35:01 EST 2008 

hello folks,

i have gone through the mail archive for suggestions but i can't seem to
make headway. i am not sure what i am missing. am i supposed to export
contents of krb5.keytab and copy them to the  client systems? i can't even
log on to  the kerb server. the ssh session just drops to the console.

would appreciate some help on this.

thank you,
john

system: etch 32
-----------------
id will
uid=4301(will) gid=4301(will) groups=4301(will)

--------------------------
pam

 grep krb5 /etc/pam.d/common-*
/etc/pam.d/common-account: account  required  pam_krb5.so minimum_uid=1000
forwardable
/etc/pam.d/common-auth:auth    sufficient      pam_krb5.so minimum_uid=1000
forwardable
/etc/pam.d/common-password:password   sufficient pam_krb5.so
minimum_uid=1000 forwardable
/etc/pam.d/common-session:session  optional  pam_krb5.so minimum_uid=1000
forwardable



---------------
/etc/ssh/sshd_config
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

-----
/etc/ssh/ssh_config

 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes

-------------


/etc/krb5.conf
[libdefaults]
        default_realm = FOO.BAR.COM

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        FOO.BAR.COM = {
                kdc = foo.bar.com
                admin_server = foo.bar.com
        }

[domain_realm]

[login]
        krb4_convert = true
        krb4_get_tickets = false
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
[appdefaults]
               forwardable = true
               pam = {
                   minimum_uid = 1000
               }


--------
/etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
     FOO.BAR.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth, +forwardable
        kadmind_port = 749
    }

[logging]
         kdc = FILE:/var/log/krb5kdc/kdc.log
         admin_server = FILE:/var/log/krb5kdc/kadmin.log
------------------------------------------
kadmin.local listprinc
K/M at FOO.BAR.COM
testuser at FOO.BAR.COM
host/test1.bar.com at FOO.BAR.COM
host/test2.bar.com at FOO.BAR.COM
host/test3.bar.com at FOO.BAR.COM
host/test4.bar.com at FOO.BAR.COM
kadmin/admin at FOO.BAR.COM
kadmin/changepw at FOO.BAR.COM
kadmin/history at FOO.BAR.COM
kadmin/foo.bar.com at FOO.BAR.COM
krbtgt/FOO.BAR.COM at FOO.BAR.COM
will/admin at FOO.BAR.COM

i have run ktadd -k /etc/krb5.keytab <hostname> for all the test clients on
the kerbserver foo.bar.com

i can run kinit will/admin on any of the client systems.
--------------------------------
test2:~# ssh will at test1 (fails

test2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: will/admin at FOO.BAR.COM

Valid starting     Expires            Service principal
02/12/08 08:05:45  02/12/08 18:05:45  krbtgt/FOO.BAR.COM at FOO.BAR.COM
        renew until 02/13/08 08:05:42
02/12/08 08:05:53  02/12/08 18:05:45  host/test1.bar.com at FOO.BAR.COM
        renew until 02/13/08 08:05:42


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
test2:~#
--------------------
from /var/log/krb5kdc.log on the kerbserver foo.

Feb 12 08:22:12 foo.bar.com krb5kdc[12645](info): TGS_REQ (7 etypes {18 17
16 23 1 3 2}) 10.41.1.131: ISSUE: authtime 1202803545, etypes {rep=16 tkt=16
ses=16}, will/admin at foo.bar.com for host/test3.bar.com at foo.bar.com

-------------------------------

 ssh -v -v -v -o PreferredAuthentications=gssapi-with-mic will at foo
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to foo [w.x.y.z] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2
Debian-9
debug1: match: OpenSSH_4.3p2 Debian-9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,
rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,
rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,
rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,
rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 526/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 4
debug1: Host 'foo' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug2: bits set: 506/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-keyex
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied
(publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive).
root at testserver

More information about the Kerberos mailing list