Configuration Problems
Stefano Elmopi
stefano.elmopi at sociale.it
Wed Apr 28 06:09:59 EDT 2010
Hi,
I'm trying to perform SSH authentication using Kerberos but I am a
beginner.
The steps I followed are those in this guide:
http://www.visolve.com/security/ssh_kerberos.php#Configuring_the_Kerberos_environment
but I definitely made some wrong step and I can not understand where.
My lab is composed of :
server KDC realm.sso1.sociale.it 10.43.165.10
server SSH ldap2.sso1.sociale.it 10.43.165.36
client SSH my machine MacOSX 10.43.130.100
servers are both on the DNS.
###############################################
On server KDC:
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REALM.SSO1.SOCIALE.IT
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
REALM.SSO1.SOCIALE.IT = {
kdc = realm.sso1.sociale.it:88
admin_server = realm.sso1.sociale.it:749
default_domain = sso1.sociale.it
}
[domain_realm]
realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
-------------------------------------------------------
kadmin: listprincs
K/M at REALM.SSO1.SOCIALE.IT
admin/admin at REALM.SSO1.SOCIALE.IT
host/ldap2.sso1.sociale.it at REALM.SSO1.SOCIALE.IT
kadmin/admin at REALM.SSO1.SOCIALE.IT
kadmin/changepw at REALM.SSO1.SOCIALE.IT
kadmin/history at REALM.SSO1.SOCIALE.IT
kadmin/realm.sso1.sociale.it at REALM.SSO1.SOCIALE.IT
krbtgt/REALM.SSO1.SOCIALE.IT at REALM.SSO1.SOCIALE.IT
preside at REALM.SSO1.SOCIALE.IT
###############################################
###############################################
On the server SSH
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REALM.SSO1.SOCIALE.IT
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
REALM.SSO1.SOCIALE.IT = {
kdc = realm.sso1.sociale.it:88
admin_server = realm.sso1.sociale.it:749
default_domain = sso1.sociale.it
}
[domain_realm]
realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
-------------------------------------------------------
kadmin: ktadd -k /etc/krb5.keytab host/ldap2.sso1.sociale.it at REALM.SSO1.SOCIALE.IT
-------------------------------------------------------
cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG3
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/
ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account
and
# session checks to run without PAM authentication, then enable this
but set
# ChallengeResponseAuthentication=no
UsePAM no
## UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
###############################################
###############################################
cat /Library/Preferences/edu.mit.Kerberos
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REALM.SSO1.SOCIALE.IT
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
REALM.SSO1.SOCIALE.IT = {
kdc = realm.sso1.sociale.it:88
admin_server = realm.sso1.sociale.it:749
default_domain = sso1.sociale.it
}
[domain_realm]
realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
###############################################
From my machine I do:
kinit preside
Please enter the password for preside at REALM.SSO1.SOCIALE.IT:
klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: preside at REALM.SSO1.SOCIALE.IT
Valid Starting Expires Service Principal
04/28/10 11:32:52 04/29/10 11:32:52 krbtgt/REALM.SSO1.SOCIALE.IT at REALM.SSO1.SOCIALE.IT
renew until 04/28/10 11:32:52
But when I do
ssh preside at ldap2.sso1.sociale.it
the operation is not good, asks me the password.
if I do it again:
klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: preside at REALM.SSO1.SOCIALE.IT
Valid Starting Expires Service Principal
04/28/10 11:32:52 04/29/10 11:32:52 krbtgt/REALM.SSO1.SOCIALE.IT at REALM.SSO1.SOCIALE.IT
renew until 04/28/10 11:32:52
04/28/10 11:36:26 04/29/10 11:32:52 host/ldap2.sso1.sociale.it@
renew until 04/28/10 11:32:52
On the server SSH, in the log file /var/log/secure, the lines that I
think are significant are:
Apr 28 11:15:59 ldap2 sshd[4375]: debug1: userauth-request for user
preside service ssh-connection method none
Apr 28 11:15:59 ldap2 sshd[4375]: debug1: attempt 0 failures 0
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_getpwnamallow entering
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering:
type 7
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_getpwnamallow: waiting
for MONITOR_ANS_PWNAM
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: monitor_read: checking
request 7
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_receive_expect
entering: type 8
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_pwnamallow
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_receive entering
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: auth_shadow_acctexpired:
today 14727 sp_expire -1 days left -14728
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: account expiration disabled
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_pwnamallow:
sending MONITOR_ANS_PWNAM: 1
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_request_send entering:
type 8
Apr 28 11:15:59 ldap2 sshd[4375]: debug2: input_userauth_request:
setting up authctxt for preside
Apr 28 11:15:59 ldap2 sshd[4374]: debug2: monitor_read: 7 used once,
disabling now
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_inform_authserv entering
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_request_receive entering
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering:
type 3
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_inform_authrole entering
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: monitor_read: checking
request 3
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering:
type 4
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_authserv:
service=ssh-connection, style=
Apr 28 11:15:59 ldap2 sshd[4375]: debug2: input_userauth_request: try
method none
Apr 28 11:15:59 ldap2 sshd[4374]: debug2: monitor_read: 3 used once,
disabling now
Apr 28 11:16:00 ldap2 sshd[4375]: debug1: userauth-request for user
preside service ssh-connection method gssapi-with-mic
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4375]: debug1: attempt 1 failures 1
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking
request 4
Apr 28 11:16:00 ldap2 sshd[4375]: debug2: input_userauth_request: try
method gssapi-with-mic
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_answer_authrole: role=
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_send entering:
type 38
Apr 28 11:16:00 ldap2 sshd[4374]: debug2: monitor_read: 4 used once,
disabling now
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive_expect
entering: type 39
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking
request 38
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_send entering:
type 39
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: Normalising mapped IPv4 in
IPv6 address
Apr 28 11:16:00 ldap2 sshd[4375]: Postponed gssapi-with-mic for
preside from 10.43.130.100 port 50310 ssh2
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_send entering:
type 40
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive_expect
entering: type 41
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking
request 40
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4374]: debug1: Unspecified GSS failure.
Minor code may provide more information\nUnknown code krb5 144\n
Apr 28 11:16:00 ldap2 sshd[4374]: debug1: Got no client credentials
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_send entering:
type 41
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4375]: debug1: userauth-request for user
preside service ssh-connection method gssapi-with-mic
Apr 28 11:16:00 ldap2 sshd[4375]: debug1: attempt 2 failures 2
Apr 28 11:16:00 ldap2 sshd[4375]: debug2: input_userauth_request: try
method gssapi-with-mic
Apr 28 11:16:01 ldap2 sshd[4375]: debug1: userauth-request for user
preside service ssh-connection method gssapi-with-mic
Apr 28 11:16:01 ldap2 sshd[4375]: debug1: attempt 3 failures 3
Apr 28 11:16:01 ldap2 sshd[4375]: debug2: input_userauth_request: try
method gssapi-with-mic
Apr 28 11:16:01 ldap2 sshd[4375]: debug1: userauth-request for user
preside service ssh-connection method publickey
Apr 28 11:16:01 ldap2 sshd[4375]: debug1: attempt 4 failures 4
Apr 28 11:16:01 ldap2 sshd[4375]: debug2: input_userauth_request: try
method publickey
Apr 28 11:16:01 ldap2 sshd[4375]: debug1: test whether pkalg/pkblob
are acceptable
On the server KDC, in the log file /var/log/krb5kdc.log I have the
following line the first time
I try to connect after I've done kinit :
realm.sso1.sociale.it krb5kdc[2546](info): TGS_REQ (7 etypes {18 17 16
23 1 3 2}) 10.43.130.100: ISSUE: authtime 1272447967, etypes {rep=16
tkt=16 ses=16}, preside at REALM.SSO1.SOCIALE.IT for host/ldap2.sso1.sociale.it at REALM.SSO1.SOCIALE.IT
If after the first time, I try to connect again and when the server
asks me for my password,
I block the transaction, in the log file do not see anything
but if I enter the password in the file log I have:
realm.sso1.sociale.it krb5kdc[2546](info): AS_REQ (12 etypes {18 17 16
23 1 3 2 11 10 15 12 13}) 10.43.165.36: ISSUE: authtime 1272448910,
etypes {rep=16 tkt=16 ses=16}, preside at REALM.SSO1.SOCIALE.IT for krbtgt/REALM.SSO1.SOCIALE.IT at REALM.SSO1.SOCIALE.IT
realm.sso1.sociale.it krb5kdc[2546](info): TGS_REQ (7 etypes {18 17 16
23 1 3 2}) 10.43.165.36: ISSUE: authtime 1272448910, etypes {rep=16
tkt=16 ses=16}, preside at REALM.SSO1.SOCIALE.IT for host/ldap2.sso1.sociale.it at REALM.SSO1.SOCIALE.IT
someone help me know....... I'm going crazy
Thanks
Ing. Stefano Elmopi
Gruppo Darco - Resp. ICT Sistemi
Via Ostiense 131/L Corpo B, 00154 Roma
cell. 3466147165
tel. 0657060500
email:stefano.elmopi at sociale.it
"Ai sensi e per effetti della legge sulla tutela della riservatezza
personale
(D.lgs n. 196/2003), questa @mail e' destinata unicamente alle
persone sopra
indicate e le informazioni in essa contenute sono da considerarsi
strettamente
riservate. E' proibito leggere, copiare, usare o diffondere il
contenuto della
presente @mail senza autorizzazione. Se avete ricevuto questo
messaggio per
errore, siete pregati di rispedire la stessa al mittente. Grazie"
More information about the Kerberos
mailing list