Problem: passwordless SSH-login with Kerberos doesn't work
Hans van Zijst
hans at woefdram.nl
Tue Jun 16 08:55:03 EDT 2009
Hi,
Problem solved! Thanks to Miguel for giving me some hints.
As usual, the problem was minor. It proved that the encryption method I
used to create the keytab was wrong. Google served me several articles
that stated I would have to use single DES. After a long struggle, I
tried the Windows standard: arcfour. That did the trick. That'll teach
me to follow articles just like that... :)
Several articles urged me to use a user account instead of a computer
account. I tried both and didn't notice any difference after everything
was in place. The only difference I noticed was while exporting the
keytab: you can map the principal to a user by simply providing the
username. When using a computer account, you have to supply ktpass with
the full path to the computer object.
This is how I exported the keytab:
ktpass -princ host/server.staff.xxxxx.nl@STAFF.XXXXX.NL -mapuser staff.xxxxx.nl/Werkstations/Networkoperations/Systems/server +rndPass -ptype KRB5_NT_SRV_HST -out server.keytab
Then I copied this keytab to /etc/krb5.keytab on the server and
everything worked.
Kind regards,
Hans van Zijst
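Both the "No principal in keytab matches desired name" failure in the quoted message and the DES-versus-arcfour fix above come down to one question: which principals, with which enctypes, are actually in /etc/krb5.keytab. The following is an added example (not Hans's code and not part of MIT Kerberos): a small parser for the MIT v2 keytab format that lists each entry with its kvno and enctype, so a DES-only export is visible at a glance. The keytab bytes, keys and kvno values below are constructed samples built by the included helper; the host principal name is taken from the thread.

```python
import struct
# Enctype numbers (RFC 3961 / AD) most often found in keytabs exported by ktpass
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _cstr(s):  # keytab counted string: uint16 big-endian length, then the bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_keytab(entries):
    """Build an MIT v2 (0x0502) keytab from (principal, kvno, enctype, key) tuples.
    Only used to construct sample input here; a real keytab comes from ktpass."""
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(map(_cstr, comps))
        body += struct.pack(">IIB", 3, 0, kvno & 0xFF)  # KRB5_NT_SRV_HST, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, kvno, enctype name)] for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size == 0: break
        if size < 0: pos -= size; continue        # negative size marks a deleted slot
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):                # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        _, _, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        found.append(("/".join(parts[1:]) + "@" + parts[0], kvno, ENCTYPES.get(etype, f"etype {etype}")))
        pos = end
    return found

def enctypes_for(data, principal):  # [] is sshd's "No principal in keytab matches desired name" case
    return [et for p, _, et in parse_keytab(data) if p == principal]

# Constructed samples: what a DES-only export and the arcfour export that worked would show
HOST = "host/server.staff.xxxxx.nl@STAFF.XXXXX.NL"
DES_ONLY_KEYTAB = build_keytab([(HOST, 2, 1, bytes(8))])
ARCFOUR_KEYTAB = build_keytab([(HOST, 3, 23, bytes(16))])
```

Run against a real keytab with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; the same listing is what `klist -k -e` prints, but the parser shows exactly how the enctype and principal are encoded.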
Hans van Zijst wrote:
> Hi,
>
> We, a team of 6, administer tens of Linux servers. The historic heritage
> is that every team member has his own local account on every machine.
> This is a nightmare of course, I don't have to elaborate on that :)
> Recently we decided to use our Active Directory domain for the Linux
> machines as well.
>
> I installed 2 test machines, configured MIT Kerberos, OpenLDAP and PAM
> and got to the point where we all can log in to the SSH server using
> our Active Directory credentials. At login time, a TGT is automatically
> retrieved through PAM. From there, I thought, it should be easy to
> automatically log into SSH without being asked for a password.
>
> Obviously I was wrong... SSH keeps asking for a password, or exits with
> "permission denied" if I set KerberosOrLocalPassword to "no" in the
> server config. Help... :)
>
> A message in the ssh client-log ("No valid Key exchange context") seems
> to indicate a problem with a keytab. However, the keytabs seem to be
> working just fine. I created these two principals in Active Directory:
>
> host/server.staff.xxxxx.nl@STAFF.XXXXX.NL
> host/client.staff.xxxxx.nl@STAFF.XXXXX.NL
>
> and exported them in a keytab file, without Windows complaining about
> anything. I copied them to /etc/krb5.keytab and if I check them with
> ktutil, the correct principal is there. I read a lot about Kerberos
> being very picky about the principal name being a hostname or FQDN, so I
> connect using the FQDN and put the FQDN in /etc/hosts on both sides.
>
> Can anyone please shed some light on this? I've Googled a lot, but
> haven't found anything useful.
>
> This is what I use. I installed 2 Debian Lenny machines, one as a
> workstation (X, Gnome, the whole shebang), one as a server (no X, only
> SSH really). Both are virtual machines, running in VirtualBox. They have
> their own dedicated IP addresses, registered in DNS (forward and reverse
> map) and the name and IP address of the AD server is in /etc/hosts.
>
> This is the SSH debug log when I try to connect:
>
> -----[ ssh client log ]-----
> ssh -vvvK thisuser@server.staff.xxxxx.nl
>
> OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
> debug1: Connection established.
> debug1: identity file /home/thisuser/.ssh/identity type -1
> debug1: identity file /home/thisuser/.ssh/id_rsa type -1
> debug1: identity file /home/thisuser/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug2: fd 3 setting O_NONBLOCK
> debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 132/256
> debug2: bits set: 506/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 3
> debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA host key.
> debug1: Found key in /home/thisuser/.ssh/known_hosts:3
> debug2: bits set: 528/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/thisuser/.ssh/identity ((nil))
> debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
> debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: gssapi,publickey,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/thisuser/.ssh/identity
> debug3: no such identity: /home/thisuser/.ssh/identity
> debug1: Trying private key: /home/thisuser/.ssh/id_rsa
> debug3: no such identity: /home/thisuser/.ssh/id_rsa
> debug1: Trying private key: /home/thisuser/.ssh/id_dsa
> debug3: no such identity: /home/thisuser/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> ----- -----
>
> And here's the log (at DEBUG level) of the SSH server:
>
> -----[ ssh server log ]-----
> debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
> debug1: Forked child 2475.
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.115.193.8 port 35195
> debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug1: PAM: initializing for "thisuser"
> debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
> debug1: PAM: setting PAM_TTY to "ssh"
> Failed none for thisuser from 10.115.193.8 port 35195 ssh2
> debug1: Unspecified GSS failure. Minor code may provide more information\nNo principal in keytab matches desired name\n
> debug1: do_cleanup
> debug1: PAM: cleanup
> ----- -----
>
>
> This is my SSH config:
>
> -----[ /etc/ssh/sshd_config ]-----
> # Package generated configuration file
> # See the sshd(8) manpage for details
>
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
>
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
>
> # Logging
> SyslogFacility AUTH
> #LogLevel INFO
> LogLevel DEBUG
>
> # Authentication:
> LoginGraceTime 120
> PermitRootLogin yes
> StrictModes yes
>
> RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile %h/.ssh/authorized_keys
>
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
>
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
>
> # Change to no to disable tunnelled clear text passwords
> #PasswordAuthentication yes
>
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken no
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
>
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
> AcceptEnv LANG LC_*
> Subsystem sftp /usr/lib/openssh/sftp-server
> UsePAM yes
> ----- -----
>
>
> I configured /etc/krb5.conf as follows:
>
> -----[ /etc/krb5.conf ]-----
> [logging]
> default = FILE:/var/log/krb5-lib.log
> kdc = FILE:/var/log/krb5-kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = STAFF.XXXXX.NL
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = true
> dns_lookup_kdc = true
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> [realms]
> STAFF.XXXXX.NL = {
> kdc = zbdc01
> admin_server = zbdc01
> }
>
> [domain_realm]
> .staff.xxxxx.nl = STAFF.XXXXX.NL
> staff.xxxxx.nl = STAFF.XXXXX.NL
>
> [login]
> krb4_convert = false
> krb4_get_tickets = false
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> validate = true
> }
> ----- -----
>
>
>
> Kind regards,
>
> Hans van Zijst