Problem: passwordless SSH-login with Kerberos doesn't work

Hans van Zijst hans at woefdram.nl
Tue Jun 16 04:37:03 EDT 2009


Hi Miguel,

Ultimately, I want to have single sign-on. I can do Kerberos password 
authentication now and that's already a huge step forward, but single 
sign-on is what I want.

This is the sshd trace of the server. I checked klist on my client and 
saw I only had the TGT. Then I attempted the ssh connection and checked 
again; this time I also had a ticket for the server. Looks like the 
keytab is ok then, doesn't it?

Here's the trace:


debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 772
debug2: parse_server_config: config /etc/ssh/sshd_config len 772
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:14 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:17 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:18 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:21 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:23 setting LogLevel DEBUG
debug3: /etc/ssh/sshd_config:26 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:27 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:28 setting StrictModes yes
debug3: /etc/ssh/sshd_config:30 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:35 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:37 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:39 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:44 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:48 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:52 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:57 setting KerberosAuthentication yes
debug3: /etc/ssh/sshd_config:60 setting KerberosOrLocalPasswd no
debug3: /etc/ssh/sshd_config:61 setting KerberosTicketCleanup yes
debug3: /etc/ssh/sshd_config:64 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:65 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:67 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:68 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:69 setting PrintMotd no
debug3: /etc/ssh/sshd_config:70 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:71 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:78 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:80 setting Subsystem sftp 
/usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:82 setting UsePAM yes
debug1: sshd version OpenSSH_5.1p1 Debian-5
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
socket: Address family not supported by protocol
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 772
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 10.115.193.8 port 50535
debug1: Client protocol version 2.0; client software version 
OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug3: privsep user:group 104:65534
debug1: permanently_set_uid: 104/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: 
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: 
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug2: Network child is on pid 2204
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 513/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 490/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 5
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 6
debug3: mm_request_receive entering
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 5
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0xb8d2c768(271)
debug3: mm_request_send entering: type 6
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: monitor_read: 5 used once, disabling now
debug3: mm_request_receive entering
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user thisuser service ssh-connection method 
none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 7
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 8
debug3: mm_request_receive entering
debug3: monitor_read: checking request 7
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 10.115.193.8.
debug2: parse_server_config: config reprocess config len 772
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 8
debug2: input_userauth_request: setting up authctxt for thisuser
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 48
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug2: monitor_read: 7 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug1: PAM: initializing for "thisuser
debug1: userauth-request for user thisuser service ssh-connection method 
gssapi-with-mic
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 38
debug3: mm_request_receive_expect entering: type 39
debug3: mm_request_receive entering
debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 48 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 38
debug1: Unspecified GSS failure.  Minor code may provide more information
No principal in keytab matches desired name

debug3: mm_request_send entering: type 39
debug1: userauth-request for user thisuser service ssh-connection method 
gssapi-with-mic
debug1: attempt 2 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_receive entering
debug1: userauth-request for user thisuser service ssh-connection method 
gssapi-with-mic
debug1: attempt 3 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
Connection closed by 10.115.193.8
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering


Kind regards,

Hans van Zijst

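The sshd trace above fails with "No principal in keytab matches desired name": the GSSAPI acceptor in sshd looks for host/<fqdn>@REALM in the keytab, where the FQDN is the name the server resolves for itself, and MIT krb5 compares principal names byte for byte, so a case or hostname mismatch between the exported principal and that name is enough to fail. The following added example (not code from this thread) parses an MIT-format keytab directly and reports whether the expected host principal is present, missing, or present only under a different case; the keytab bytes, hostnames and realm are constructed for the example.

```python
"""Check an MIT 0x0502 keytab for the host/<fqdn>@REALM principal that
sshd's GSSAPI acceptor needs. Added example; keytab content is constructed."""
import struct
import sys

KEYTAB_MAGIC = b"\x05\x02"


def _counted(data, pos):
    """Read a uint16-length-prefixed byte string at pos; return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def keytab_principals(data):
    """Yield (principal, kvno, enctype) for every live entry in a v2 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted/free slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # excludes the realm in v2
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        pos += 8                     # skip uint32 name_type and uint32 timestamp
        vno = data[pos]              # 8-bit kvno
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _counted(data, pos)
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        yield "/".join(comps) + "@" + realm.decode(), vno, enctype


def check_host_principal(data, fqdn, realm):
    """Return (status, names): 'ok', 'case-mismatch' or 'missing' for host/<fqdn>@<realm>."""
    wanted = f"host/{fqdn}@{realm}"
    names = [p for p, _, _ in keytab_principals(data)]
    if wanted in names:
        return "ok", [wanted]
    near = [n for n in names if n.lower() == wanted.lower()]
    if near:                         # principal names are case-sensitive
        return "case-mismatch", near
    return "missing", names


def _entry(principal, vno, enctype, key):
    """Encode one keytab entry (used only to build the constructed sample)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, vno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", vno)                  # explicit 32-bit kvno
    return struct.pack(">i", len(body)) + body


# Constructed sample: enctype 23 is rc4-hmac; the client entry was exported
# with an upper-case hostname, the kind of mismatch the check is meant to catch.
SAMPLE_KEYTAB = (KEYTAB_MAGIC
                 + _entry("host/server.staff.example.nl@STAFF.EXAMPLE.NL", 2, 23, b"\x00" * 16)
                 + _entry("host/CLIENT.staff.example.nl@STAFF.EXAMPLE.NL", 2, 23, b"\x11" * 16))

if __name__ == "__main__":
    # Usage: keytab_check.py <keytab> <fqdn> <REALM>; defaults to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 3 else SAMPLE_KEYTAB
    fqdn = sys.argv[2] if len(sys.argv) > 3 else "client.staff.example.nl"
    realm = sys.argv[3] if len(sys.argv) > 3 else "STAFF.EXAMPLE.NL"
    print(check_host_principal(data, fqdn, realm))
```

Run it against a real keytab with `python3 keytab_check.py /etc/krb5.keytab "$(hostname -f)" STAFF.XXXXX.NL` (reading the file needs root, and the realm is whatever your krb5.conf sets as default_realm).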


miguel.sanders at arcelormittal.com wrote:
> Hans
> 
> Are you attempting Kerberos based password authentication or single sign on?
> Could also give the sshd trace (-ddd)? 
> 
> 
> Kind regards
> Best regards
> Yours sincerely
> 
> Miguel SANDERS
> ArcelorMittal Gent
> 
> UNIX Systems & Storage
> IT Supply Western Europe | John Kennedylaan 51
> B-9042 Gent
> 
> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
> E miguel.sanders at arcelormittal.com
> www.arcelormittal.com/gent
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Hans van Zijst
> Sent: Monday, 15 June 2009 10:04
> To: kerberos at mit.edu
> Subject: Problem: passwordless SSH-login with Kerberos doesn't work
> 
> Hi,
> 
> We, a team of 6, administer tens of Linux servers. The historic heritage is that every team member has his own local account on every machine. 
> This is a nightmare of course, I don't have to elaborate on that :) Recently we decided to use our Active Directory domain for the Linux machines as well.
> 
> I installed 2 test machines, configured MIT Kerberos, OpenLDAP and PAM and got to the point where we all can log on to the SSH server using our Active Directory credentials. At login time, a TGT is automatically retrieved through PAM. From there, I thought, it should be easy to automatically log into SSH without being asked for a password.
> 
> Obviously I was wrong... SSH keeps asking for a password, or exits with "permission denied" if I set KerberosOrLocalPassword to "no" in the server config. Help... :)
> 
> A message in the ssh client-log ("No valid Key exchange context") seems to indicate a problem with a keytab. However, the keytabs seem to be working just fine. I created these two principals in Active Directory:
> 
> host/server.staff.xxxxx.nl at STAFF.XXXXX.NL
> host/client.staff.xxxxx.nl at STAFF.XXXXX.NL
> 
> and exported them in a keytab file, without Windows complaining about anything. I copied them to /etc/krb5.keytab and if I check them with ktutil, the correct principal is there. I read a lot about Kerberos being very picky about the principal name being a hostname or FQDN, so I connect using the FQDN and put the FQDN in /etc/hosts on both sides.
> 
> Can anyone please shed some light on this? I've Googled a lot, but haven't found anything useful.
> 
> This is what I use. I installed 2 Debian Lenny machines, one as a workstation (X, Gnome, the whole shebang), one as a server (no X, only SSH really). Both are virtual machines, running in VirtualBox. They have their own dedicated IP addresses, registered in DNS (forward and reverse
> map) and the name and IP address of the AD server is in /etc/hosts.
> 
> This is the SSH debug log when I try to connect:
> 
> -----[ ssh client log ]-----
> ssh -vvvK thisuser at server.staff.xxxxx.nl
> 
> OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
> debug1: Connection established.
> debug1: identity file /home/thisuser/.ssh/identity type -1
> debug1: identity file /home/thisuser/.ssh/id_rsa type -1
> debug1: identity file /home/thisuser/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug2: fd 3 setting O_NONBLOCK
> debug1: Offering GSSAPI proposal: 
> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: 
> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
> debug2: kex_parse_kexinit: 
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: 
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: 
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: 
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: 
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: 
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: 
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: 
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: 
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 132/256
> debug2: bits set: 506/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 3
> debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA host key.
> debug1: Found key in /home/thisuser/.ssh/known_hosts:3
> debug2: bits set: 528/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/thisuser/.ssh/identity ((nil))
> debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
> debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: preferred
> gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: 
> gssapi-with-mic,gssapi,publickey,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: gssapi,publickey,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/thisuser/.ssh/identity
> debug3: no such identity: /home/thisuser/.ssh/identity
> debug1: Trying private key: /home/thisuser/.ssh/id_rsa
> debug3: no such identity: /home/thisuser/.ssh/id_rsa
> debug1: Trying private key: /home/thisuser/.ssh/id_dsa
> debug3: no such identity: /home/thisuser/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> ----- -----
> 
> And here's the log (at DEBUG level) of the SSH server:
> 
> -----[ ssh server log ]-----
> debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
> debug1: Forked child 2475.
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.115.193.8 port 35195
> debug1: Client protocol version 2.0; client software version
> OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug1: PAM: initializing for "thisuser"
> debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
> debug1: PAM: setting PAM_TTY to "ssh"
> Failed none for thisuser from 10.115.193.8 port 35195 ssh2
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No principal in keytab matches desired name
> debug1: do_cleanup
> debug1: PAM: cleanup
> ----- -----
> 
> 
> This is my SSH config:
> 
> -----[ /etc/ssh/sshd_config ]-----
> # Package generated configuration file
> # See the sshd(8) manpage for details
> 
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
> 
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
> 
> # Logging
> SyslogFacility AUTH
> #LogLevel INFO
> LogLevel DEBUG
> 
> # Authentication:
> LoginGraceTime 120
> PermitRootLogin yes
> StrictModes yes
> 
> RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile    %h/.ssh/authorized_keys
> 
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
> 
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
> 
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
> 
> # Change to no to disable tunnelled clear text passwords
> #PasswordAuthentication yes
> 
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken no
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
> 
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> 
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
> AcceptEnv LANG LC_*
> Subsystem sftp /usr/lib/openssh/sftp-server
> UsePAM yes
> ----- -----
> 
> 
> I configured /etc/krb5.conf as follows:
> 
> -----[ /etc/krb5.conf ]-----
> [logging]
> default        = FILE:/var/log/krb5-lib.log
> kdc        = FILE:/var/log/krb5-kdc.log
> admin_server    = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>      default_realm        = STAFF.XXXXX.NL
>      default_keytab_name    = FILE:/etc/krb5.keytab
>      dns_lookup_realm    = true
>      dns_lookup_kdc        = true
>      kdc_timesync        = 1
>      ccache_type        = 4
>      forwardable        = true
>      proxiable        = true
> 
> [realms]
>      STAFF.XXXXX.NL = {
>          kdc        = zbdc01
>          admin_server    = zbdc01
>      }
> 
> [domain_realm]
>      .staff.xxxxx.nl    = STAFF.XXXXX.NL
>      staff.xxxxx.nl    = STAFF.XXXXX.NL
> 
> [login]
>      krb4_convert        = false
>      krb4_get_tickets    = false
> 
> [appdefaults]
>      pam = {
>          debug        = false
>          ticket_lifetime    = 36000
>          renew_lifetime    = 36000
>          forwardable    = true
>          krb4_convert    = false
>          validate    = true
>      }
> ----- -----
> 
> 
> 
> Kind regards,
> 
> Hans van Zijst
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> 


