Fwd: help

evangeline eleanor evangeline.eleanor at gmail.com
Sun Nov 7 11:55:36 EST 2010


Hi, I've got a problem connecting via ssh with Kerberos to my server.
Here are some logs to clarify things:

A log from the client ssh part:
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 93.103.50.247.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,keyboard-interactive,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password



A log from the server ssh part:
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user test service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for test from 193.95.233.106 port 50608 ssh2
debug1: userauth-request for user test service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
Postponed gssapi-with-mic for test from 193.95.233.106 port 50608 ssh2
debug1: Unspecified GSS failure.  Minor code may provide more information
Wrong principal in request

debug1: Got no client credentials
debug1: userauth-request for user test service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
debug1: userauth-request for user test service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 1


A Kerberos log while trying to ssh onto the server (from client):
Nov 07 11:49:10 pentest-security.dyndns.org krb5kdc[9034](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test at PENTEST-SECURITY.DYNDNS.ORG for krbtgt/PENTEST-SECURITY.DYNDNS.ORG at PENTEST-SECURITY.DYNDNS.ORG
Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test at PENTEST-SECURITY.DYNDNS.ORG for host/93-103-50-247.dynamic.dsl.t-2.net at PENTEST-SECURITY.DYNDNS.ORG
Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info): TGS_REQ (1 etypes {16}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test at PENTEST-SECURITY.DYNDNS.ORG for krbtgt/PENTEST-SECURITY.DYNDNS.ORG at PENTEST-SECURITY.DYNDNS.ORG


So, does anybody have any idea what to do in order to make ssh
with Kerberos work? These are my DNS settings in krb5.conf:
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false

I don't know what's wrong, but people on the Kerberos IRC channel said
it could be the reverse DNS though. Some DNS output is printed
here:
# hostname
pentest-security.dyndns.org
# host 36.145.110.193
Host 193.110.145.36.in-addr.arpa. not found: 3(NXDOMAIN)

And this is what I have in the Kerberos database, from the "listprincs" command:
eleanor at PENTEST-SECURITY.DYNDNS.ORG
K/M at PENTEST-SECURITY.DYNDNS.ORG
krbtgt/PENTEST-SECURITY.DYNDNS.ORG at PENTEST-SECURITY.DYNDNS.ORG
kadmin/admin at PENTEST-SECURITY.DYNDNS.ORG
kadmin/changepw at PENTEST-SECURITY.DYNDNS.ORG
kadmin/history at PENTEST-SECURITY.DYNDNS.ORG
kadmin/pentest-security.dyndns.org at PENTEST-SECURITY.DYNDNS.ORG
host/93-103-50-247.dynamic.dsl.t-2.net at PENTEST-SECURITY.DYNDNS.ORG
admin/admin at PENTEST-SECURITY.DYNDNS.ORG
host/pentest-security.dyndns.org at PENTEST-SECURITY.DYNDNS.ORG
test at PENTEST-SECURITY.DYNDNS.ORG
host at PENTEST-SECURITY.DYNDNS.ORG


Any ideas anyone?
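
An added example, not part of the original post: a Python script that reads krb5kdc entries like the ones quoted above and lists which host/ service principal each TGS_REQ was issued for, compared against an expected server name. The function name, the sample text (the post's three KDC entries, one per line) and the use of pentest-security.dyndns.org as the expected name are assumptions made for illustration.

```python
import re

# One krb5kdc "ISSUE" entry: request type, then "<client> for <service>".
# Accepts "@" as well as the list archive's " at " realm separator.
ENTRY = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ)\b.*?ISSUE:.*?etypes \{[^}]*\},\s*"
    r"(?P<client>\S+?)(?:@| at )\S+ for "
    r"(?P<service>\S+?)(?:@| at )(?P<realm>\S+)"
)

# Sample input: the three KDC entries from the post, one entry per line.
SAMPLE_LOG = """\
Nov 07 11:49:10 pentest-security.dyndns.org krb5kdc[9034](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test at PENTEST-SECURITY.DYNDNS.ORG for krbtgt/PENTEST-SECURITY.DYNDNS.ORG at PENTEST-SECURITY.DYNDNS.ORG
Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test at PENTEST-SECURITY.DYNDNS.ORG for host/93-103-50-247.dynamic.dsl.t-2.net at PENTEST-SECURITY.DYNDNS.ORG
Nov 07 11:49:20 pentest-security.dyndns.org krb5kdc[9034](info): TGS_REQ (1 etypes {16}) 193.95.233.106: ISSUE: authtime 1289126950, etypes {rep=16 tkt=16 ses=16}, test at PENTEST-SECURITY.DYNDNS.ORG for krbtgt/PENTEST-SECURITY.DYNDNS.ORG at PENTEST-SECURITY.DYNDNS.ORG
"""


def requested_host_principals(log_text, expected_host):
    """Return (service_principal, matches_expected) for each host/ ticket
    issued in answer to a TGS_REQ; other entries are skipped."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m or m.group("req") != "TGS_REQ":
            continue
        service = m.group("service")
        if not service.startswith("host/"):
            continue  # krbtgt and other services are not the sshd principal
        host = service.split("/", 1)[1].lower()
        results.append((service, host == expected_host.lower()))
    return results


if __name__ == "__main__":
    # Assumption: the server name the user intended is the `hostname` output.
    for service, ok in requested_host_principals(
            SAMPLE_LOG, "pentest-security.dyndns.org"):
        status = "matches" if ok else "DIFFERS from"
        print(f"{service} {status} expected host")
```
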


