Configuration Problems

Stefano Elmopi stefano.elmopi at sociale.it
Wed Apr 28 06:09:59 EDT 2010




Hi,

I'm trying to perform SSH authentication using Kerberos but I am a  
beginner.
The steps I followed are those in this guide:

http://www.visolve.com/security/ssh_kerberos.php#Configuring_the_Kerberos_environment

but I definitely made some wrong step and I can not understand where.
My lab is composed of :
server KDC		realm.sso1.sociale.it 10.43.165.10
server SSH		ldap2.sso1.sociale.it 10.43.165.36
client SSH		my machine MacOSX	  10.43.130.100

servers are both on the DNS.

###############################################
On server KDC:

cat /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = REALM.SSO1.SOCIALE.IT
  default_keytab_name = FILE:/etc/krb5.keytab
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  REALM.SSO1.SOCIALE.IT = {
   kdc = realm.sso1.sociale.it:88
   admin_server = realm.sso1.sociale.it:749
   default_domain = sso1.sociale.it
  }

[domain_realm]
  realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

-------------------------------------------------------

kadmin:  listprincs
K/M at REALM.SSO1.SOCIALE.IT
admin/admin at REALM.SSO1.SOCIALE.IT
host/ldap2.sso1.sociale.it at REALM.SSO1.SOCIALE.IT
kadmin/admin at REALM.SSO1.SOCIALE.IT
kadmin/changepw at REALM.SSO1.SOCIALE.IT
kadmin/history at REALM.SSO1.SOCIALE.IT
kadmin/realm.sso1.sociale.it at REALM.SSO1.SOCIALE.IT
krbtgt/REALM.SSO1.SOCIALE.IT at REALM.SSO1.SOCIALE.IT
preside at REALM.SSO1.SOCIALE.IT
###############################################

###############################################
On the server SSH

cat /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = REALM.SSO1.SOCIALE.IT
  default_keytab_name = FILE:/etc/krb5.keytab
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  REALM.SSO1.SOCIALE.IT = {
   kdc = realm.sso1.sociale.it:88
   admin_server = realm.sso1.sociale.it:749
   default_domain = sso1.sociale.it
  }

[domain_realm]
realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

-------------------------------------------------------

kadmin:  ktadd -k /etc/krb5.keytab host/ldap2.sso1.sociale.it at REALM.SSO1.SOCIALE.IT

-------------------------------------------------------

cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG3

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ 
ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account  
and
# session checks to run without PAM authentication, then enable this  
but set
# ChallengeResponseAuthentication=no
UsePAM no
## UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY  
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server
###############################################

###############################################

cat /Library/Preferences/edu.mit.Kerberos
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = REALM.SSO1.SOCIALE.IT
  default_keytab_name = FILE:/etc/krb5.keytab
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  REALM.SSO1.SOCIALE.IT = {
   kdc = realm.sso1.sociale.it:88
   admin_server = realm.sso1.sociale.it:749
   default_domain = sso1.sociale.it
  }

[domain_realm]
realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

###############################################

 From my machine I do:

kinit preside
Please enter the password for preside at REALM.SSO1.SOCIALE.IT:

klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: preside at REALM.SSO1.SOCIALE.IT

Valid Starting     Expires            Service Principal
04/28/10 11:32:52  04/29/10 11:32:52  krbtgt/REALM.SSO1.SOCIALE.IT at REALM.SSO1.SOCIALE.IT
	renew until 04/28/10 11:32:52
	
But when I do

ssh preside at ldap2.sso1.sociale.it

the operation is not good, asks me the password.
if I do it again:

klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: preside at REALM.SSO1.SOCIALE.IT

Valid Starting     Expires            Service Principal
04/28/10 11:32:52  04/29/10 11:32:52  krbtgt/REALM.SSO1.SOCIALE.IT at REALM.SSO1.SOCIALE.IT
	renew until 04/28/10 11:32:52
04/28/10 11:36:26  04/29/10 11:32:52  host/ldap2.sso1.sociale.it@
	renew until 04/28/10 11:32:52
	
On the server SSH, in the log file /var/log/secure, the lines that I  
think are significant are:

Apr 28 11:15:59 ldap2 sshd[4375]: debug1: userauth-request for user  
preside service ssh-connection method none
Apr 28 11:15:59 ldap2 sshd[4375]: debug1: attempt 0 failures 0
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_getpwnamallow entering
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering:  
type 7
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_getpwnamallow: waiting  
for MONITOR_ANS_PWNAM
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: monitor_read: checking  
request 7
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_receive_expect  
entering: type 8
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_pwnamallow
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_receive entering
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: auth_shadow_acctexpired:  
today 14727 sp_expire -1 days left -14728
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: account expiration disabled
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_pwnamallow:  
sending MONITOR_ANS_PWNAM: 1
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_request_send entering:  
type 8
Apr 28 11:15:59 ldap2 sshd[4375]: debug2: input_userauth_request:  
setting up authctxt for preside
Apr 28 11:15:59 ldap2 sshd[4374]: debug2: monitor_read: 7 used once,  
disabling now
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_inform_authserv entering
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_request_receive entering
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering:  
type 3
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_inform_authrole entering
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: monitor_read: checking  
request 3
Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering:  
type 4
Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_authserv:  
service=ssh-connection, style=
Apr 28 11:15:59 ldap2 sshd[4375]: debug2: input_userauth_request: try  
method none
Apr 28 11:15:59 ldap2 sshd[4374]: debug2: monitor_read: 3 used once,  
disabling now
Apr 28 11:16:00 ldap2 sshd[4375]: debug1: userauth-request for user  
preside service ssh-connection method gssapi-with-mic
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4375]: debug1: attempt 1 failures 1
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking  
request 4
Apr 28 11:16:00 ldap2 sshd[4375]: debug2: input_userauth_request: try  
method gssapi-with-mic
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_answer_authrole: role=
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_send entering:  
type 38
Apr 28 11:16:00 ldap2 sshd[4374]: debug2: monitor_read: 4 used once,  
disabling now
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive_expect  
entering: type 39
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking  
request 38
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_send entering:  
type 39
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: Normalising mapped IPv4 in  
IPv6 address
Apr 28 11:16:00 ldap2 sshd[4375]: Postponed gssapi-with-mic for  
preside from 10.43.130.100 port 50310 ssh2
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_send entering:  
type 40
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive_expect  
entering: type 41
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking  
request 40
Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4374]: debug1: Unspecified GSS failure.   
Minor code may provide more information\nUnknown code krb5 144\n
Apr 28 11:16:00 ldap2 sshd[4374]: debug1: Got no client credentials
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_send entering:  
type 41
Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
Apr 28 11:16:00 ldap2 sshd[4375]: debug1: userauth-request for user  
preside service ssh-connection method gssapi-with-mic
Apr 28 11:16:00 ldap2 sshd[4375]: debug1: attempt 2 failures 2
Apr 28 11:16:00 ldap2 sshd[4375]: debug2: input_userauth_request: try  
method gssapi-with-mic
Apr 28 11:16:01 ldap2 sshd[4375]: debug1: userauth-request for user  
preside service ssh-connection method gssapi-with-mic
Apr 28 11:16:01 ldap2 sshd[4375]: debug1: attempt 3 failures 3
Apr 28 11:16:01 ldap2 sshd[4375]: debug2: input_userauth_request: try  
method gssapi-with-mic
Apr 28 11:16:01 ldap2 sshd[4375]: debug1: userauth-request for user  
preside service ssh-connection method publickey
Apr 28 11:16:01 ldap2 sshd[4375]: debug1: attempt 4 failures 4
Apr 28 11:16:01 ldap2 sshd[4375]: debug2: input_userauth_request: try  
method publickey
Apr 28 11:16:01 ldap2 sshd[4375]: debug1: test whether pkalg/pkblob  
are acceptable


On the server KDC, in the log file /var/log/krb5kdc.log I have the  
following line the first time
I try to connect after I've done kinit :

realm.sso1.sociale.it krb5kdc[2546](info): TGS_REQ (7 etypes {18 17 16  
23 1 3 2}) 10.43.130.100: ISSUE: authtime 1272447967, etypes {rep=16  
tkt=16 ses=16}, preside at REALM.SSO1.SOCIALE.IT for host/ldap2.sso1.sociale.it at REALM.SSO1.SOCIALE.IT

If after the first time, I try to connect again and when the server  
asks me for my password,
I block the transaction, in the log file do not see anything
but if I enter the password in the file log I have:

realm.sso1.sociale.it krb5kdc[2546](info): AS_REQ (12 etypes {18 17 16  
23 1 3 2 11 10 15 12 13}) 10.43.165.36: ISSUE: authtime 1272448910,  
etypes {rep=16 tkt=16 ses=16}, preside at REALM.SSO1.SOCIALE.IT for krbtgt/REALM.SSO1.SOCIALE.IT at REALM.SSO1.SOCIALE.IT
realm.sso1.sociale.it krb5kdc[2546](info): TGS_REQ (7 etypes {18 17 16  
23 1 3 2}) 10.43.165.36: ISSUE: authtime 1272448910, etypes {rep=16  
tkt=16 ses=16}, preside at REALM.SSO1.SOCIALE.IT for host/ldap2.sso1.sociale.it at REALM.SSO1.SOCIALE.IT

someone help me know....... I'm going crazy
Thanks






Ing. Stefano Elmopi
Gruppo Darco - Resp. ICT Sistemi
Via Ostiense 131/L Corpo B, 00154 Roma

cell. 3466147165
tel.  0657060500
email:stefano.elmopi at sociale.it

"Ai sensi e per effetti della legge sulla tutela  della  riservatezza  
personale
(D.lgs n. 196/2003),  questa @mail e' destinata  unicamente alle  
persone sopra
indicate e le informazioni in essa contenute sono da considerarsi  
strettamente
riservate. E' proibito leggere, copiare, usare o diffondere il  
contenuto della
presente @mail  senza  autorizzazione. Se avete ricevuto  questo  
messaggio per
errore, siete pregati di rispedire la stessa al mittente. Grazie"




More information about the Kerberos mailing list