krb5+Ubuntu (maverick, jaunty (LTS))+ssh

Thomas Schweikle tps at vr-web.de
Mon Nov 22 13:10:10 EST 2010


Am 21.11.2010 19:46, schrieb Brian Candler:
> On Sat, Nov 20, 2010 at 10:45:31PM +0100, Thomas Schweikle wrote:
>> Something about no GSSAPI environment. I'll post the whole thing
>> Tomorrow --- I'll need access to the systems.
> 
> Another trick is to run another instance of sshd, on another port, in debug
> mode: e.g.
> 
>     # sshd -p 99 -d

From ub0001 to kvm-test (10.04.1 to 10.04.1):
!debug1: Unspecified GSS failure.
!  Minor code may provide more information
!Key table entry not found

and on the client side:
!debug1: Authentications that can continue:
!  publickey,gssapi-keyex,gssapi-with-mic,password
!debug1: Next authentication method: gssapi-keyex
!debug1: No valid Key exchange context

But:
!tu@kvm-test:~$ klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!---------------------------------------------------------------------
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL

and
!ub0001:~% klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!---------------------------------------------------------------------
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL

ssh asks for password :-(


Now from auth to kvm-test (10.10 to 10.04.1):
!debug1: Unspecified GSS failure.
!  Minor code may provide more information
!Key table entry not found

and on the client side:
!debug1: Authentications that can continue:
!  publickey,gssapi-keyex,gssapi-with-mic,password
!debug1: Next authentication method: gssapi-keyex
!debug1: No valid Key exchange context

But:
!root@kvm-test:~# klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL
!   1 host/kvm-test@LOCAL

and
!tu@auth:~$ klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL


Now from ub0001 to auth (10.04.1 to 10.10):
No password prompt! logged in!

This with:
!ub0001:~% klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL
!   2 host/ub0001@LOCAL

and:
!root@auth:~# klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL
!   1 host/auth@LOCAL

Obviously 10.10 to 10.10 works too.


> Then when you ssh -v -p 99 <user>@<hostname> you will also get debug output
> from the server side.
> 
> You need 'GSSAPIAuthentication yes' in /etc/ssh/sshd_config at the server
> side, but presumably you have that as some of the combinations do work.
> (Not 'KerberosAuthentication yes' - that just does password authentication
> with the KDC as the password oracle)

AFAIC this is set. On all machines I have:
/etc/ssh/sshd_config:
!# GSSAPI options
!GSSAPIAuthentication yes
!GSSAPICleanupCredentials yes
!GSSAPIKeyExchange yes

/etc/ssh/ssh_config:
!Host *
!    SendEnv LANG LC_*
!    HashKnownHosts yes
!    GSSAPIAuthentication yes
!    GSSAPIDelegateCredentials yes
!    GSSAPIKeyExchange yes

-- 
Thomas
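A small diagnostic added here as an example (not code from the thread or from any of its participants): it parses `klist -k` output like the listings above and checks whether the service principal an ssh client will request for a given host name is actually present in the keytab. The realm `LOCAL` and the sample listing are constructed from the post; the host names passed to `check_host_principal` are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample of `klist -k` output, in the format shown in the post.
# The four identical lines are one keytab entry per encryption type.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---------------------------------------------------------------------
   1 host/kvm-test@LOCAL
   1 host/kvm-test@LOCAL
   1 host/kvm-test@LOCAL
   1 host/kvm-test@LOCAL
"""

# One entry line: leading spaces, the KVNO, spaces, the principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist(text: str) -> Dict[str, Set[int]]:
    """Map each principal in `klist -k` output to the set of KVNOs it has."""
    entries: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:", "KVNO Principal", separator, blanks
        kvno, principal = int(m.group(1)), m.group(2)
        entries.setdefault(principal, set()).add(kvno)
    return entries


def check_host_principal(entries: Dict[str, Set[int]], fqdn: str,
                         realm: str, short_name: Optional[str] = None) -> List[str]:
    """Report whether host/<fqdn>@<realm> (the name a client requests after
    canonicalising the host name) is in the keytab. If only the short-name
    principal exists, say so: that mismatch is one cause of the acceptor
    failing with 'Key table entry not found'."""
    wanted = f"host/{fqdn}@{realm}"
    if wanted in entries:
        return [f"ok: {wanted} present, KVNO {sorted(entries[wanted])}"]
    findings = [f"missing: {wanted} is not in the keytab"]
    short = short_name or fqdn.split(".")[0]
    alt = f"host/{short}@{realm}"
    if alt in entries:
        findings.append(f"hint: only {alt} is present; a client that "
                        f"canonicalises the name to {fqdn} will request "
                        f"{wanted} and the server cannot find a key for it")
    return findings
```

Run it against the real output of `klist -k` on each server and the name the client actually types (and the name DNS resolves it to) to see which principal is being requested versus which one the keytab holds.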


