Configuration Problems
Alexander Luedtke
alex@sec.in.tum.de
Thu Apr 29 04:11:03 EDT 2010
Hi Stefano,
You need a Kerberos principal for each "server" - in your case sshd - on every
machine:
ssh/.... at ....
And take a look at your ntp.conf - all of your machines need to have the
same time!
Greetings
Alex
On 04/28/2010 12:09 PM, Stefano Elmopi wrote:
>
>
> Hi,
>
> I'm trying to perform SSH authentication using Kerberos, but I am a
> beginner.
> The steps I followed are those in this guide:
>
> http://www.visolve.com/security/ssh_kerberos.php#Configuring_the_Kerberos_environment
>
> but I definitely made some wrong step and I cannot understand where.
> My lab is composed of:
> server KDC realm.sso1.sociale.it 10.43.165.10
> server SSH ldap2.sso1.sociale.it 10.43.165.36
> client SSH my machine MacOSX 10.43.130.100
>
> Both servers are in the DNS.
>
> ###############################################
> On server KDC:
>
> cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = REALM.SSO1.SOCIALE.IT
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> REALM.SSO1.SOCIALE.IT = {
> kdc = realm.sso1.sociale.it:88
> admin_server = realm.sso1.sociale.it:749
> default_domain = sso1.sociale.it
> }
>
> [domain_realm]
> realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> -------------------------------------------------------
>
> kadmin: listprincs
> K/M@REALM.SSO1.SOCIALE.IT
> admin/admin@REALM.SSO1.SOCIALE.IT
> host/ldap2.sso1.sociale.it@REALM.SSO1.SOCIALE.IT
> kadmin/admin@REALM.SSO1.SOCIALE.IT
> kadmin/changepw@REALM.SSO1.SOCIALE.IT
> kadmin/history@REALM.SSO1.SOCIALE.IT
> kadmin/realm.sso1.sociale.it@REALM.SSO1.SOCIALE.IT
> krbtgt/REALM.SSO1.SOCIALE.IT@REALM.SSO1.SOCIALE.IT
> preside@REALM.SSO1.SOCIALE.IT
> ###############################################
>
> ###############################################
> On the server SSH
>
> cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = REALM.SSO1.SOCIALE.IT
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> REALM.SSO1.SOCIALE.IT = {
> kdc = realm.sso1.sociale.it:88
> admin_server = realm.sso1.sociale.it:749
> default_domain = sso1.sociale.it
> }
>
> [domain_realm]
> realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
>
> [appdefaults]
> pam = {
> debug = true
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> -------------------------------------------------------
>
> kadmin: ktadd -k /etc/krb5.keytab host/ldap2.sso1.sociale.it@REALM.SSO1.SOCIALE.IT
>
> -------------------------------------------------------
>
> cat /etc/ssh/sshd_config
> # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> #Port 22
> #Protocol 2,1
> Protocol 2
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 768
>
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
> LogLevel DEBUG3
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin yes
> #StrictModes yes
> #MaxAuthTries 6
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> PasswordAuthentication yes
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> ChallengeResponseAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> KerberosAuthentication yes
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials yes
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication mechanism.
> # Depending on your PAM configuration, this may bypass the setting of
> # PasswordAuthentication, PermitEmptyPasswords, and
> # "PermitRootLogin without-password". If you just want the PAM account and
> # session checks to run without PAM authentication, then enable this but set
> # ChallengeResponseAuthentication=no
> UsePAM no
> ## UsePAM yes
>
> # Accept locale-related environment variables
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> #AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #ShowPatchLevel no
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
> #PermitTunnel no
> #ChrootDirectory none
>
> # no default banner path
> #Banner /some/path
>
> # override default of no subsystems
> Subsystem sftp /usr/libexec/openssh/sftp-server
> ###############################################
>
> ###############################################
>
> cat /Library/Preferences/edu.mit.Kerberos
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = REALM.SSO1.SOCIALE.IT
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> REALM.SSO1.SOCIALE.IT = {
> kdc = realm.sso1.sociale.it:88
> admin_server = realm.sso1.sociale.it:749
> default_domain = sso1.sociale.it
> }
>
> [domain_realm]
> realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
>
> [appdefaults]
> pam = {
> debug = true
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> ###############################################
>
> From my machine I do:
>
> kinit preside
> Please enter the password for preside@REALM.SSO1.SOCIALE.IT:
>
> klist
> Kerberos 5 ticket cache: 'API:Initial default ccache'
> Default principal: preside@REALM.SSO1.SOCIALE.IT
>
> Valid Starting Expires Service Principal
> 04/28/10 11:32:52 04/29/10 11:32:52 krbtgt/REALM.SSO1.SOCIALE.IT@REALM.SSO1.SOCIALE.IT
> renew until 04/28/10 11:32:52
>
> But when I do
>
> ssh preside at ldap2.sso1.sociale.it
>
> the operation does not succeed: it asks me for the password.
> If I do it again:
>
> klist
> Kerberos 5 ticket cache: 'API:Initial default ccache'
> Default principal: preside@REALM.SSO1.SOCIALE.IT
>
> Valid Starting Expires Service Principal
> 04/28/10 11:32:52 04/29/10 11:32:52 krbtgt/REALM.SSO1.SOCIALE.IT@REALM.SSO1.SOCIALE.IT
> renew until 04/28/10 11:32:52
> 04/28/10 11:36:26 04/29/10 11:32:52 host/ldap2.sso1.sociale.it@
> renew until 04/28/10 11:32:52
>
> On the server SSH, in the log file /var/log/secure, the lines that I
> think are significant are:
>
> Apr 28 11:15:59 ldap2 sshd[4375]: debug1: userauth-request for user preside service ssh-connection method none
> Apr 28 11:15:59 ldap2 sshd[4375]: debug1: attempt 0 failures 0
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_getpwnamallow entering
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering: type 7
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: monitor_read: checking request 7
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_receive_expect entering: type 8
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_pwnamallow
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_receive entering
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: auth_shadow_acctexpired: today 14727 sp_expire -1 days left -14728
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: account expiration disabled
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_request_send entering: type 8
> Apr 28 11:15:59 ldap2 sshd[4375]: debug2: input_userauth_request: setting up authctxt for preside
> Apr 28 11:15:59 ldap2 sshd[4374]: debug2: monitor_read: 7 used once, disabling now
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_inform_authserv entering
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_request_receive entering
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering: type 3
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_inform_authrole entering
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: monitor_read: checking request 3
> Apr 28 11:15:59 ldap2 sshd[4375]: debug3: mm_request_send entering: type 4
> Apr 28 11:15:59 ldap2 sshd[4374]: debug3: mm_answer_authserv: service=ssh-connection, style=
> Apr 28 11:15:59 ldap2 sshd[4375]: debug2: input_userauth_request: try method none
> Apr 28 11:15:59 ldap2 sshd[4374]: debug2: monitor_read: 3 used once, disabling now
> Apr 28 11:16:00 ldap2 sshd[4375]: debug1: userauth-request for user preside service ssh-connection method gssapi-with-mic
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4375]: debug1: attempt 1 failures 1
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking request 4
> Apr 28 11:16:00 ldap2 sshd[4375]: debug2: input_userauth_request: try method gssapi-with-mic
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_answer_authrole: role=
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_send entering: type 38
> Apr 28 11:16:00 ldap2 sshd[4374]: debug2: monitor_read: 4 used once, disabling now
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive_expect entering: type 39
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking request 38
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_send entering: type 39
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: Normalising mapped IPv4 in IPv6 address
> Apr 28 11:16:00 ldap2 sshd[4375]: Postponed gssapi-with-mic for preside from 10.43.130.100 port 50310 ssh2
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_send entering: type 40
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive_expect entering: type 41
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: monitor_read: checking request 40
> Apr 28 11:16:00 ldap2 sshd[4375]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4374]: debug1: Unspecified GSS failure. Minor code may provide more information\nUnknown code krb5 144\n
> Apr 28 11:16:00 ldap2 sshd[4374]: debug1: Got no client credentials
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_send entering: type 41
> Apr 28 11:16:00 ldap2 sshd[4374]: debug3: mm_request_receive entering
> Apr 28 11:16:00 ldap2 sshd[4375]: debug1: userauth-request for user preside service ssh-connection method gssapi-with-mic
> Apr 28 11:16:00 ldap2 sshd[4375]: debug1: attempt 2 failures 2
> Apr 28 11:16:00 ldap2 sshd[4375]: debug2: input_userauth_request: try method gssapi-with-mic
> Apr 28 11:16:01 ldap2 sshd[4375]: debug1: userauth-request for user preside service ssh-connection method gssapi-with-mic
> Apr 28 11:16:01 ldap2 sshd[4375]: debug1: attempt 3 failures 3
> Apr 28 11:16:01 ldap2 sshd[4375]: debug2: input_userauth_request: try method gssapi-with-mic
> Apr 28 11:16:01 ldap2 sshd[4375]: debug1: userauth-request for user preside service ssh-connection method publickey
> Apr 28 11:16:01 ldap2 sshd[4375]: debug1: attempt 4 failures 4
> Apr 28 11:16:01 ldap2 sshd[4375]: debug2: input_userauth_request: try method publickey
> Apr 28 11:16:01 ldap2 sshd[4375]: debug1: test whether pkalg/pkblob are acceptable
>
>
> On the server KDC, in the log file /var/log/krb5kdc.log, I have the
> following line the first time I try to connect after I've done kinit:
>
> realm.sso1.sociale.it krb5kdc[2546](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.43.130.100: ISSUE: authtime 1272447967, etypes {rep=16 tkt=16 ses=16}, preside@REALM.SSO1.SOCIALE.IT for host/ldap2.sso1.sociale.it@REALM.SSO1.SOCIALE.IT
>
> If, after the first time, I try to connect again and I block the
> transaction when the server asks me for my password, I do not see
> anything in the log file; but if I enter the password, the log file shows:
>
> realm.sso1.sociale.it krb5kdc[2546](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.43.165.36: ISSUE: authtime 1272448910, etypes {rep=16 tkt=16 ses=16}, preside@REALM.SSO1.SOCIALE.IT for krbtgt/REALM.SSO1.SOCIALE.IT@REALM.SSO1.SOCIALE.IT
> realm.sso1.sociale.it krb5kdc[2546](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.43.165.36: ISSUE: authtime 1272448910, etypes {rep=16 tkt=16 ses=16}, preside@REALM.SSO1.SOCIALE.IT for host/ldap2.sso1.sociale.it@REALM.SSO1.SOCIALE.IT
>
> Someone please help me... I'm going crazy.
> Thanks
>
>
> Ing. Stefano Elmopi
> Gruppo Darco - ICT Systems Manager
> Via Ostiense 131/L Corpo B, 00154 Roma
>
> mobile 3466147165
> phone 0657060500
> email: stefano.elmopi@sociale.it
>
> "Pursuant to and for the purposes of the law on the protection of personal
> privacy (Legislative Decree no. 196/2003), this e-mail is intended solely for
> the persons named above and the information it contains is to be considered
> strictly confidential. It is forbidden to read, copy, use or disseminate the
> content of this e-mail without authorization. If you have received this
> message in error, please return it to the sender. Thank you"
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Alexander Luedtke
System administrator
Address: TUM - Garching Boltzmannstr. 3 85748 Garching b. Muenchen
Chair: I20 - Prof. Eckert
Room: 01.08.036
Tel: ++49 (89) 289 - 18039
Fax: ++49 (89) 289 - 18579
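The two prerequisites Alex names can be checked against the text of the configuration Stefano posted. The following Python is an example added to this thread, not code from either poster or from MIT Kerberos: it parses the krb5.conf profile syntax, applies the [domain_realm] lookup rule (exact host name first, then each parent domain written with a leading dot) to the SSH server's name, and looks for the host/<fqdn> principal in the kadmin listprincs output quoted above. The krb5.conf fragment and the principal list are copied from Stefano's mail; the function names, the result keys and the helper structure are this example's own.

```python
"""Check two sshd/Kerberos prerequisites from the thread above:
1. a host/<fqdn>@REALM principal exists for the SSH server (Alex's first point);
2. the [domain_realm] section actually maps the SSH server's name to that realm.

Example code added to the thread, not from either poster or from MIT Kerberos.
The config and principal list below are copied from the quoted mail."""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")

# Copied from the KDC's /etc/krb5.conf in the quoted mail (comments stripped).
KDC_KRB5_CONF = """\
[libdefaults]
default_realm = REALM.SSO1.SOCIALE.IT
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
REALM.SSO1.SOCIALE.IT = {
kdc = realm.sso1.sociale.it:88
admin_server = realm.sso1.sociale.it:749
default_domain = sso1.sociale.it
}

[domain_realm]
realm.sso1.sociale.it = REALM.SSO1.SOCIALE.IT
"""

# Copied from the "kadmin: listprincs" output in the quoted mail.
LISTPRINCS = """\
K/M@REALM.SSO1.SOCIALE.IT
admin/admin@REALM.SSO1.SOCIALE.IT
host/ldap2.sso1.sociale.it@REALM.SSO1.SOCIALE.IT
kadmin/admin@REALM.SSO1.SOCIALE.IT
krbtgt/REALM.SSO1.SOCIALE.IT@REALM.SSO1.SOCIALE.IT
preside@REALM.SSO1.SOCIALE.IT
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into nested dicts.

    Section headers become top-level keys; "tag = { ... }" blocks become
    nested dicts; everything else is "tag = value" inside the current block."""
    conf = {}
    stack = []  # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        section = SECTION_RE.match(line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
            continue
        if not stack:
            continue  # stray line before any section header
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def realm_for_host(domain_realm, hostname):
    """Apply the [domain_realm] rule: an entry without a leading dot matches
    exactly that host; an entry with a leading dot matches every host under
    that domain. The most specific match wins. Returns None when nothing
    matches; what the client does then (referral request, DNS, heuristic)
    depends on the library version and dns_lookup_realm."""
    host = hostname.lower().rstrip(".")
    table = {k.lower(): v for k, v in domain_realm.items()}
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


def principals_from_listprincs(output):
    """Turn kadmin listprincs output into a set of principal names."""
    return {line.strip() for line in output.splitlines() if "@" in line}


def check_sshd_prereqs(krb5_conf_text, listprincs_output, sshd_fqdn):
    """Report whether the SSH host has a host/ principal in the default realm
    and whether [domain_realm] maps the host to that same realm."""
    conf = parse_krb5_conf(krb5_conf_text)
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    mapped_realm = realm_for_host(conf.get("domain_realm", {}), sshd_fqdn)
    wanted = "host/%s@%s" % (sshd_fqdn, default_realm)
    return {
        "default_realm": default_realm,
        "mapped_realm": mapped_realm,
        "host_principal": wanted,
        "host_principal_exists": wanted in principals_from_listprincs(listprincs_output),
        "host_mapped_to_default_realm": mapped_realm == default_realm,
    }


if __name__ == "__main__":
    for key, value in check_sshd_prereqs(KDC_KRB5_CONF, LISTPRINCS, "ldap2.sso1.sociale.it").items():
        print("%-30s %s" % (key, value))
```

Run against the posted configuration, the script reports that host/ldap2.sso1.sociale.it@REALM.SSO1.SOCIALE.IT does exist, but that ldap2.sso1.sociale.it has no [domain_realm] entry: the only mapping is for the KDC's own name, and an entry without a leading dot covers that one host only. It is therefore worth comparing the service principal that klist shows on the client with the one ktadd wrote into the server keytab. The time check Alex mentions is a separate step (compare the clock on each host against the KDC; the default clockskew is five minutes) that this script does not cover.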