Problem: passwordless SSH-login with Kerberos doesn't work

Hans van Zijst hans at woefdram.nl
Tue Jun 16 08:55:03 EDT 2009


Hi,

Problem solved! Thanks to Miguel for giving me some hints.

As usual, the problem was minor. It proved that the encryption method I 
used to create the keytab was wrong. Google served me several articles 
that stated I would have to use single DES. After a long struggle, I 
tried the Windows standard: arcfour. That did the trick. That'll teach 
me to follow articles just like that... :)

Several articles urged me to use a user account instead of a computer 
account. I tried both and didn't notice any difference after everything 
was in place. The only difference I noticed was while exporting the 
keytab: you can map the principal to a user by simply providing the 
username. When using a computer account, you have to supply ktpass with 
the full path to the computer object.

This is how I exported the keytab:

ktpass -princ host/server.staff.xxxxx.nl@STAFF.XXXXX.NL -mapuser staff.xxxxx.nl/Werkstations/Networkoperations/Systems/server +rndPass -ptype KRB5_NT_SRV_HST -out server.keytab

Then I copied this keytab to /etc/krb5.keytab on the server and 
everything worked.

Kind regards,

Hans van Zijst
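
An added check for the two failure modes this thread describes (the sshd error "No principal in keytab matches desired name" from the original question, and the wrong keytab encryption type from the follow-up); this is example code, not from the post or from any Kerberos project. It parses `klist -kte` output (MIT Kerberos) and works offline on the constructed sample below; the principal and realm names are the ones from the thread.

```shell
#!/bin/sh
# Added example: sanity-check a host keytab the way sshd will use it.
# Input is the output of `klist -kte <keytab>`; SAMPLE_KLIST is constructed
# so the script runs without a KDC. On a real host replace it with
# "$(klist -kte /etc/krb5.keytab)".

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/16/09 08:55:03 host/server.staff.xxxxx.nl@STAFF.XXXXX.NL (DES cbc mode with CRC-32)
   3 06/16/09 08:55:03 host/server.staff.xxxxx.nl@STAFF.XXXXX.NL (ArcFour with HMAC/md5)'

# host_principal FQDN REALM -> the service principal sshd looks up for FQDN.
# Host part lower-case, realm upper-case, per Kerberos convention.
host_principal() {
    printf 'host/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
                          "$(printf '%s' "$2" | tr 'a-z' 'A-Z')"
}

# keytab_check PRINCIPAL KLIST_OUTPUT
# Exit status: 0 = principal present with a usable key type,
#              1 = present only with single-DES keys (what older ktpass
#                  guides produce; modern libraries refuse them),
#              2 = absent, which sshd reports as
#                  "No principal in keytab matches desired name".
keytab_check() {
    princ="$1"; out="$2"
    entries=$(printf '%s\n' "$out" | grep -F -- " $princ (" || true)
    [ -n "$entries" ] || { echo "MISSING: $princ"; return 2; }
    usable=$(printf '%s\n' "$entries" | grep -v -F '(DES cbc' || true)
    [ -n "$usable" ] || { echo "DES-ONLY: $princ"; return 1; }
    # RC4-HMAC (arcfour) works with Active Directory but is legacy; prefer
    # AES key types where the domain controller and MIT libraries allow it.
    printf '%s\n' "$usable" | grep -q -F 'ArcFour' && echo "LEGACY-RC4: $princ"
    echo "OK: $princ"
    return 0
}

keytab_check "$(host_principal server.staff.xxxxx.nl STAFF.XXXXX.NL)" "$SAMPLE_KLIST"
```

Run it on both the client and the server keytab; a MISSING result usually means the hostname sshd canonicalizes (forward and reverse DNS) differs from the name given to ktpass.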


Hans van Zijst wrote:
> Hi,
> 
> We, a team of 6, administer tens of Linux servers. The historic heritage 
> is that every team member has his own local account on every machine. 
> This is a nightmare of course, I don't have to elaborate on that :) 
> Recently we decided to use our Active Directory domain for the Linux 
> machines as well.
> 
> I installed 2 test machines, configured MIT Kerberos, OpenLDAP and PAM 
> and got to the point where we all can log in to the SSH server using 
> our Active Directory credentials. At login time, a TGT is automatically 
> retrieved through PAM. From there, I thought, it should be easy to 
> automatically log into SSH without being asked for a password.
> 
> Obviously I was wrong... SSH keeps asking for a password, or exits with 
> "permission denied" if I set KerberosOrLocalPasswd to "no" in the 
> server config. Help... :)
> 
> A message in the ssh client-log ("No valid Key exchange context") seems 
> to indicate a problem with a keytab. However, the keytabs seem to be 
> working just fine. I created these two principals in Active Directory:
> 
> host/server.staff.xxxxx.nl@STAFF.XXXXX.NL
> host/client.staff.xxxxx.nl@STAFF.XXXXX.NL
> 
> and exported them in a keytab file, without Windows complaining about 
> anything. I copied them to /etc/krb5.keytab and if I check them with 
> ktutil, the correct principal is there. I read a lot about Kerberos 
> being very picky about the principal name being a hostname or FQDN, so I 
> connect using the FQDN and put the FQDN in /etc/hosts on both sides.
> 
> Can anyone please shed some light on this? I've Googled a lot, but 
> haven't found anything useful.
> 
> This is what I use. I installed 2 Debian Lenny machines, one as a 
> workstation (X, Gnome, the whole shebang), one as a server (no X, only 
> SSH really). Both are virtual machines, running in VirtualBox. They have 
> their own dedicated IP addresses, registered in DNS (forward and reverse 
> map) and the name and IP address of the AD server is in /etc/hosts.
> 
> This is the SSH debug log when I try to connect:
> 
> -----[ ssh client log ]-----
> ssh -vvvK thisuser@server.staff.xxxxx.nl
> 
> OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
> debug1: Connection established.
> debug1: identity file /home/thisuser/.ssh/identity type -1
> debug1: identity file /home/thisuser/.ssh/id_rsa type -1
> debug1: identity file /home/thisuser/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version 
> OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug2: fd 3 setting O_NONBLOCK
> debug1: Offering GSSAPI proposal: 
> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ== 
> 
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: 
> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 
> 
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
> debug2: kex_parse_kexinit: 
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr 
> 
> debug2: kex_parse_kexinit: 
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr 
> 
> debug2: kex_parse_kexinit: 
> hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
> 
> debug2: kex_parse_kexinit: 
> hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
> 
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: 
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 
> 
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: 
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr 
> 
> debug2: kex_parse_kexinit: 
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr 
> 
> debug2: kex_parse_kexinit: 
> hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
> 
> debug2: kex_parse_kexinit: 
> hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
> 
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 132/256
> debug2: bits set: 506/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 3
> debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA 
> host key.
> debug1: Found key in /home/thisuser/.ssh/known_hosts:3
> debug2: bits set: 528/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/thisuser/.ssh/identity ((nil))
> debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
> debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: start over, passed a different list 
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: preferred 
> gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: 
> gssapi-with-mic,gssapi,publickey,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: gssapi,publickey,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/thisuser/.ssh/identity
> debug3: no such identity: /home/thisuser/.ssh/identity
> debug1: Trying private key: /home/thisuser/.ssh/id_rsa
> debug3: no such identity: /home/thisuser/.ssh/id_rsa
> debug1: Trying private key: /home/thisuser/.ssh/id_dsa
> debug3: no such identity: /home/thisuser/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> ----- -----
> 
> And here's the log (at DEBUG level) of the SSH server:
> 
> -----[ ssh server log ]-----
> debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
> debug1: Forked child 2475.
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.115.193.8 port 35195
> debug1: Client protocol version 2.0; client software version 
> OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug1: PAM: initializing for "thisuser"
> debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
> debug1: PAM: setting PAM_TTY to "ssh"
> Failed none for thisuser from 10.115.193.8 port 35195 ssh2
> debug1: Unspecified GSS failure.  Minor code may provide more 
> information\nNo principal in keytab matches desired name\n
> debug1: do_cleanup
> debug1: PAM: cleanup
> ----- -----
> 
> 
> This is my SSH config:
> 
> -----[ /etc/ssh/sshd_config ]-----
> # Package generated configuration file
> # See the sshd(8) manpage for details
> 
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
> 
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
> 
> # Logging
> SyslogFacility AUTH
> #LogLevel INFO
> LogLevel DEBUG
> 
> # Authentication:
> LoginGraceTime 120
> PermitRootLogin yes
> StrictModes yes
> 
> RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile    %h/.ssh/authorized_keys
> 
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
> 
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
> 
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
> 
> # Change to no to disable tunnelled clear text passwords
> #PasswordAuthentication yes
> 
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken no
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
> 
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> 
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
> AcceptEnv LANG LC_*
> Subsystem sftp /usr/lib/openssh/sftp-server
> UsePAM yes
> ----- -----
> 
> 
> I configured /etc/krb5.conf as follows:
> 
> -----[ /etc/krb5.conf ]-----
> [logging]
> default        = FILE:/var/log/krb5-lib.log
> kdc        = FILE:/var/log/krb5-kdc.log
> admin_server    = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>     default_realm        = STAFF.XXXXX.NL
>     default_keytab_name    = FILE:/etc/krb5.keytab
>     dns_lookup_realm    = true
>     dns_lookup_kdc        = true
>     kdc_timesync        = 1
>     ccache_type        = 4
>     forwardable        = true
>     proxiable        = true
> 
> [realms]
>     STAFF.XXXXX.NL = {
>         kdc        = zbdc01
>         admin_server    = zbdc01
>     }
> 
> [domain_realm]
>     .staff.xxxxx.nl    = STAFF.XXXXX.NL
>     staff.xxxxx.nl    = STAFF.XXXXX.NL
> 
> [login]
>     krb4_convert        = false
>     krb4_get_tickets    = false
> 
> [appdefaults]
>     pam = {
>         debug        = false
>         ticket_lifetime    = 36000
>         renew_lifetime    = 36000
>         forwardable    = true
>         krb4_convert    = false
>         validate    = true
>     }
> ----- -----
> 
> 
> 
> Kind regards,
> 
> Hans van Zijst
