Problem: passwordless SSH-login with Kerberos doesn't work

miguel.sanders@arcelormittal.com miguel.sanders at arcelormittal.com
Mon Jun 15 14:43:48 EDT 2009


Hans,

Are you attempting Kerberos-based password authentication or single sign-on?
Could you also give the sshd trace (-ddd)?


Best regards

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On behalf of Hans van Zijst
Sent: Monday 15 June 2009 10:04
To: kerberos at mit.edu
Subject: Problem: passwordless SSH-login with Kerberos doesn't work

Hi,

We, a team of 6, administer tens of Linux servers. The historic heritage is that every team member has his own local account on every machine. This is a nightmare of course, I don't have to elaborate on that :) Recently we decided to use our Active Directory domain for the Linux machines as well.

I installed 2 test machines, configured MIT Kerberos, OpenLDAP and PAM and got to the point where we all can log in to the SSH server using our Active Directory credentials. At login time, a TGT is automatically retrieved through PAM. From there, I thought, it should be easy to automatically log into SSH without being asked for a password.

Obviously I was wrong... SSH keeps asking for a password, or exits with "permission denied" if I set KerberosOrLocalPasswd to "no" in the server config. Help... :)

A message in the ssh client-log ("No valid Key exchange context") seems to indicate a problem with a keytab. However, the keytabs seem to be working just fine. I created these two principals in Active Directory:

host/server.staff.xxxxx.nl@STAFF.XXXXX.NL
host/client.staff.xxxxx.nl@STAFF.XXXXX.NL

and exported them in a keytab file, without Windows complaining about anything. I copied them to /etc/krb5.keytab and if I check them with ktutil, the correct principal is there. I read a lot about Kerberos being very picky about the principal name being a hostname or FQDN, so I connect using the FQDN and put the FQDN in /etc/hosts on both sides.

Can anyone please shed some light on this? I've Googled a lot, but haven't found anything useful.

This is what I use. I installed 2 Debian Lenny machines, one as a workstation (X, Gnome, the whole shebang), one as a server (no X, only SSH really). Both are virtual machines, running in VirtualBox. They have their own dedicated IP addresses, registered in DNS (forward and reverse map) and the name and IP address of the AD server is in /etc/hosts.

This is the SSH debug log when I try to connect:

-----[ ssh client log ]-----
ssh -vvvK thisuser@server.staff.xxxxx.nl

OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
debug1: Connection established.
debug1: identity file /home/thisuser/.ssh/identity type -1
debug1: identity file /home/thisuser/.ssh/id_rsa type -1
debug1: identity file /home/thisuser/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA host key.
debug1: Found key in /home/thisuser/.ssh/known_hosts:3
debug2: bits set: 528/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/thisuser/.ssh/identity ((nil))
debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/thisuser/.ssh/identity
debug3: no such identity: /home/thisuser/.ssh/identity
debug1: Trying private key: /home/thisuser/.ssh/id_rsa
debug3: no such identity: /home/thisuser/.ssh/id_rsa
debug1: Trying private key: /home/thisuser/.ssh/id_dsa
debug3: no such identity: /home/thisuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
----- -----

And here's the log (at DEBUG level) of the SSH server:

-----[ ssh server log ]-----
debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
debug1: Forked child 2475.
debug1: inetd sockets after dupping: 3, 3
Connection from 10.115.193.8 port 35195
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug1: PAM: initializing for "thisuser"
debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for thisuser from 10.115.193.8 port 35195 ssh2
debug1: Unspecified GSS failure.  Minor code may provide more information\nNo principal in keytab matches desired name\n
debug1: do_cleanup
debug1: PAM: cleanup
----- -----


This is my SSH config:

-----[ /etc/ssh/sshd_config ]-----
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile    %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
----- -----


I configured /etc/krb5.conf as follows:

-----[ /etc/krb5.conf ]-----
[logging]
default        = FILE:/var/log/krb5-lib.log
kdc        = FILE:/var/log/krb5-kdc.log
admin_server    = FILE:/var/log/kadmind.log

[libdefaults]
     default_realm        = STAFF.XXXXX.NL
     default_keytab_name    = FILE:/etc/krb5.keytab
     dns_lookup_realm    = true
     dns_lookup_kdc        = true
     kdc_timesync        = 1
     ccache_type        = 4
     forwardable        = true
     proxiable        = true

[realms]
     STAFF.XXXXX.NL = {
         kdc        = zbdc01
         admin_server    = zbdc01
     }

[domain_realm]
     .staff.xxxxx.nl    = STAFF.XXXXX.NL
     staff.xxxxx.nl    = STAFF.XXXXX.NL

[login]
     krb4_convert        = false
     krb4_get_tickets    = false

[appdefaults]
     pam = {
         debug        = false
         ticket_lifetime    = 36000
         renew_lifetime    = 36000
         forwardable    = true
         krb4_convert    = false
         validate    = true
     }
----- -----



Kind regards,

Hans van Zijst
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

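The line in the quoted sshd log, "No principal in keytab matches desired name", means sshd's GSSAPI acceptor searched /etc/krb5.keytab for the service principal host/<fqdn>@<REALM> and found no entry with exactly that name. The POSIX shell snippet below is an added example, not code from this thread or from OpenSSH or MIT Kerberos; it checks a klist -k listing for the principal an SSH server should carry. The hostnames, realm and klist output in it are constructed placeholders. It assumes MIT klist -k output (one "KVNO Principal" line per entry) and that the name sshd uses is the canonicalized server name: MIT Kerberos lower-cases it and, with rdns enabled (the default in krb5.conf of that era), takes it from the reverse DNS lookup of the server's address, so feed the check the name that lookup actually yields.

```shell
#!/bin/sh
# Added example (not part of the thread): verify that a keytab holds the
# host principal sshd's GSSAPI acceptor looks for, host/<fqdn>@<REALM>.
# Names, realm and the sample listing below are constructed placeholders.

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Returns 0 when some entry in a 'klist -k' listing names PRINCIPAL exactly.
# Entry lines start with a numeric KVNO followed by the principal name.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# expected_host_principal FQDN REALM
# Prints host/FQDN@REALM with the hostname lower-cased, which is how MIT
# Kerberos canonicalizes the server name before searching the keytab.
expected_host_principal() {
    printf 'host/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2"
}

# check_keytab KLIST_OUTPUT FQDN REALM
# Returns 0 when the expected host principal is present, 1 otherwise, and
# names the missing principal so the keytab can be regenerated for it.
check_keytab() {
    want=$(expected_host_principal "$2" "$3")
    if keytab_has_principal "$1" "$want"; then
        echo "ok: $want present in keytab"
        return 0
    fi
    echo "missing: $want (sshd would report 'No principal in keytab matches desired name')" >&2
    return 1
}

# Constructed sample of 'klist -k /etc/krb5.keytab' output for a keytab
# exported with two host principals, like the one described in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.staff.example.nl@STAFF.EXAMPLE.NL
   2 host/client.staff.example.nl@STAFF.EXAMPLE.NL'

# Live use on the SSH server (not executed here):
#   check_keytab "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" STAFF.EXAMPLE.NL
# A mismatch between hostname -f, the reverse DNS name of the server's
# address and the keytab entry is the usual cause of the sshd error above.
```

Run the check as root on the server itself, since /etc/krb5.keytab is normally readable only by root; a keytab that contains the principal for a different spelling of the host (short name instead of FQDN, or mixed case) fails the check just as it fails in sshd.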