Problem: passwordless SSH-login with Kerberos doesn't work

Hans van Zijst hans at woefdram.nl
Mon Jun 15 04:03:55 EDT 2009


Hi,

We, a team of 6, administer tens of Linux servers. The historical legacy 
is that every team member has his own local account on every machine. 
This is a nightmare of course, I don't have to elaborate on that :) 
Recently we decided to use our Active Directory domain for the Linux 
machines as well.

I installed 2 test machines, configured MIT Kerberos, OpenLDAP and PAM 
and got to the point where we can all log in to the SSH server using 
our Active Directory credentials. At login time, a TGT is automatically 
retrieved through PAM. From there, I thought, it should be easy to 
automatically log into SSH without being asked for a password.

Obviously I was wrong... SSH keeps asking for a password, or exits with 
"permission denied" if I set KerberosOrLocalPasswd to "no" in the 
server config. Help... :)

A message in the SSH client log ("No valid Key exchange context") seems 
to indicate a problem with a keytab. However, the keytabs seem to be 
working just fine. I created these two principals in Active Directory:

host/server.staff.xxxxx.nl@STAFF.XXXXX.NL
host/client.staff.xxxxx.nl@STAFF.XXXXX.NL

and exported them in a keytab file, without Windows complaining about 
anything. I copied them to /etc/krb5.keytab and if I check them with 
ktutil, the correct principal is there. I read a lot about Kerberos 
being very picky about the principal name being a hostname or FQDN, so I 
connect using the FQDN and put the FQDN in /etc/hosts on both sides.

Can anyone please shed some light on this? I've Googled a lot, but 
haven't found anything useful.

This is what I use. I installed 2 Debian Lenny machines, one as a 
workstation (X, Gnome, the whole shebang), one as a server (no X, only 
SSH really). Both are virtual machines, running in VirtualBox. They have 
their own dedicated IP addresses, registered in DNS (forward and reverse 
map) and the name and IP address of the AD server is in /etc/hosts.

This is the SSH debug log when I try to connect:

-----[ ssh client log ]-----
ssh -vvvK thisuser@server.staff.xxxxx.nl

OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
debug1: Connection established.
debug1: identity file /home/thisuser/.ssh/identity type -1
debug1: identity file /home/thisuser/.ssh/id_rsa type -1
debug1: identity file /home/thisuser/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version 
OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: 
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: 
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: 
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA 
host key.
debug1: Found key in /home/thisuser/.ssh/known_hosts:3
debug2: bits set: 528/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/thisuser/.ssh/identity ((nil))
debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list 
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred 
gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: 
gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/thisuser/.ssh/identity
debug3: no such identity: /home/thisuser/.ssh/identity
debug1: Trying private key: /home/thisuser/.ssh/id_rsa
debug3: no such identity: /home/thisuser/.ssh/id_rsa
debug1: Trying private key: /home/thisuser/.ssh/id_dsa
debug3: no such identity: /home/thisuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
----- -----

And here's the log (at DEBUG level) of the SSH server:

-----[ ssh server log ]-----
debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
debug1: Forked child 2475.
debug1: inetd sockets after dupping: 3, 3
Connection from 10.115.193.8 port 35195
debug1: Client protocol version 2.0; client software version 
OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug1: PAM: initializing for "thisuser"
debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for thisuser from 10.115.193.8 port 35195 ssh2
debug1: Unspecified GSS failure.  Minor code may provide more 
information\nNo principal in keytab matches desired name\n
debug1: do_cleanup
debug1: PAM: cleanup
----- -----


This is my SSH config:

-----[ /etc/ssh/sshd_config ]-----
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile    %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
----- -----


I configured /etc/krb5.conf as follows:

-----[ /etc/krb5.conf ]-----
[logging]
default        = FILE:/var/log/krb5-lib.log
kdc        = FILE:/var/log/krb5-kdc.log
admin_server    = FILE:/var/log/kadmind.log

[libdefaults]
     default_realm        = STAFF.XXXXX.NL
     default_keytab_name    = FILE:/etc/krb5.keytab
     dns_lookup_realm    = true
     dns_lookup_kdc        = true
     kdc_timesync        = 1
     ccache_type        = 4
     forwardable        = true
     proxiable        = true

[realms]
     STAFF.XXXXX.NL = {
         kdc        = zbdc01
         admin_server    = zbdc01
     }

[domain_realm]
     .staff.xxxxx.nl    = STAFF.XXXXX.NL
     staff.xxxxx.nl    = STAFF.XXXXX.NL

[login]
     krb4_convert        = false
     krb4_get_tickets    = false

[appdefaults]
     pam = {
         debug        = false
         ticket_lifetime    = 36000
         renew_lifetime    = 36000
         forwardable    = true
         krb4_convert    = false
         validate    = true
     }
----- -----



Kind regards,

Hans van Zijst
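The server-side error in the post, "No principal in keytab matches desired name", is raised when sshd's GSSAPI acceptor asks the Kerberos library for credentials under a host-based name built from the machine's own hostname (OpenSSH imports "host@<gethostname()>" and the krb5 mechanism canonicalizes it through DNS and lowercases it) and no keytab entry equals the resulting host/<fqdn>@REALM exactly. Kerberos principal names are case-sensitive, so a keytab entry that differs only in case, realm or canonical hostname does not match. The following checker is an added example, not code from the original post: it parses `klist -k -e` output, derives the principal sshd will request, and reports exact matches separately from near-misses. The keytab listings embedded in it are constructed for the demonstration (reusing the post's redacted xxxxx naming), and the `read_keytab` helper assumes an MIT `klist` on the host.

```python
"""Check whether a keytab holds the host principal sshd's GSSAPI acceptor
will ask for.  Added example; the sample klist output below is constructed."""
import re
import socket
import subprocess

# One entry line of MIT `klist -k -e`, e.g.
#    3 host/server.staff.xxxxx.nl@STAFF.XXXXX.NL (arcfour-hmac)
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+([^@\s]+)@(\S+?)(?:\s+\((.+)\))?\s*$")


def parse_klist(text):
    """Return [(kvno, primary, realm, enctype_or_None)] from `klist -k -e` output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            kvno, primary, realm, etype = m.groups()
            entries.append((int(kvno), primary, realm, etype))
    return entries


def expected_host_principal(fqdn, realm):
    """Name the acceptor requests: host/<fqdn lowercased>@<REALM uppercased>.
    MIT krb5 lowercases the canonical hostname when building a service
    principal; realm names are conventionally upper case."""
    return "host/" + fqdn.strip(".").lower(), realm.upper()


def check_keytab(klist_text, fqdn, realm):
    """Classify keytab entries against the expected host principal.
    Only 'exact' entries satisfy gss_acquire_cred; 'case_only' and
    'wrong_realm' are the near-misses that still produce the
    "No principal in keytab matches desired name" failure."""
    want_primary, want_realm = expected_host_principal(fqdn, realm)
    result = {"expected": f"{want_primary}@{want_realm}",
              "exact": [], "case_only": [], "wrong_realm": [], "other": []}
    for kvno, primary, prealm, etype in parse_klist(klist_text):
        entry = (kvno, f"{primary}@{prealm}", etype)
        if primary == want_primary and prealm == want_realm:
            result["exact"].append(entry)
        elif primary.lower() == want_primary and prealm.upper() == want_realm:
            result["case_only"].append(entry)
        elif primary == want_primary:
            result["wrong_realm"].append(entry)
        else:
            result["other"].append(entry)
    result["ok"] = bool(result["exact"])
    return result


def read_keytab(path="/etc/krb5.keytab"):
    """Run MIT `klist -k -e` on a keytab (requires read access, i.e. root)."""
    return subprocess.run(["klist", "-k", "-e", path], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample listings (not taken from the post).
GOOD_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.staff.xxxxx.nl@STAFF.XXXXX.NL (arcfour-hmac)
   3 host/server.staff.xxxxx.nl@STAFF.XXXXX.NL (des-cbc-md5)
"""

BAD_CASE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/Server.staff.xxxxx.nl@STAFF.XXXXX.NL (arcfour-hmac)
   2 HTTP/server.staff.xxxxx.nl@STAFF.XXXXX.NL (arcfour-hmac)
"""

if __name__ == "__main__":
    realm = "STAFF.XXXXX.NL"
    for label, text in (("good", GOOD_KEYTAB), ("bad-case", BAD_CASE_KEYTAB)):
        r = check_keytab(text, "server.staff.xxxxx.nl", realm)
        print(label, "ok" if r["ok"] else "NO MATCH for " + r["expected"],
              "case-only:", r["case_only"], "other:", r["other"])
    # On a real server: compare the live keytab against the canonical name of
    # this host, approximated here with getfqdn() (sshd starts from gethostname()
    # and the krb5 library canonicalizes it via forward, and by default reverse, DNS).
    # r = check_keytab(read_keytab(), socket.getfqdn(socket.gethostname()), realm)
```

Run it as root on the SSH server and compare the "expected" name it prints with `hostname` and with the forward and reverse DNS entries the post describes; a keytab that passes this exact-match check but still fails at login usually points at hostname canonicalization (gethostname() returning a different name than the DNS canonical one) rather than at the keytab contents.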
