krb5+Ubuntu (maverick, jaunty (LTS))+ssh
Thomas Schweikle
tps@vr-web.de
Mon Nov 22 13:10:10 EST 2010
Am 21.11.2010 19:46, schrieb Brian Candler:
> On Sat, Nov 20, 2010 at 10:45:31PM +0100, Thomas Schweikle wrote:
>> Something about no GSSAPI environment. I'll post the whole thing
>> Tomorrow --- I'll need access to the systems.
>
> Another trick is to run another instance of sshd, on another port, in debug
> mode: e.g.
>
> # sshd -p 99 -d
From ub0001 to kvm-test (10.04.1 to 10.04.1):
!debug1: Unspecified GSS failure.
! Minor code may provide more information
!Key table entry not found
and on the client side:
!debug1: Authentications that can continue:
! publickey,gssapi-keyex,gssapi-with-mic,password
!debug1: Next authentication method: gssapi-keyex
!debug1: No valid Key exchange context
But:
!tu@kvm-test:~$ klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!---------------------------------------------------------------------
! 1 host/kvm-test@LOCAL
! 1 host/kvm-test@LOCAL
! 1 host/kvm-test@LOCAL
! 1 host/kvm-test@LOCAL
and
!ub0001:~% klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!---------------------------------------------------------------------
! 2 host/ub0001@LOCAL
! 2 host/ub0001@LOCAL
! 2 host/ub0001@LOCAL
! 2 host/ub0001@LOCAL
ssh asks for password :-(
Now from auth to kvm-test (10.10 to 10.04.1):
!debug1: Unspecified GSS failure.
! Minor code may provide more information
!Key table entry not found
and on the client side:
!debug1: Authentications that can continue:
! publickey,gssapi-keyex,gssapi-with-mic,password
!debug1: Next authentication method: gssapi-keyex
!debug1: No valid Key exchange context
But:
!root@kvm-test:~# klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
! 1 host/kvm-test@LOCAL
! 1 host/kvm-test@LOCAL
! 1 host/kvm-test@LOCAL
! 1 host/kvm-test@LOCAL
and
!tu@auth:~$ klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
! 1 host/auth@LOCAL
! 1 host/auth@LOCAL
! 1 host/auth@LOCAL
! 1 host/auth@LOCAL
Now from ub0001 to auth (10.04.1 to 10.10):
No password prompt! logged in!
This with:
!ub0001:~% klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
! 2 host/ub0001@LOCAL
! 2 host/ub0001@LOCAL
! 2 host/ub0001@LOCAL
! 2 host/ub0001@LOCAL
and:
!root@auth:~# klist -k
!Keytab name: WRFILE:/etc/krb5.keytab
!KVNO Principal
!--------------------------------------------------------------------
! 1 host/auth@LOCAL
! 1 host/auth@LOCAL
! 1 host/auth@LOCAL
! 1 host/auth@LOCAL
Obviously 10.10 to 10.10 works too.
> Then when you ssh -v -p 99 <user>@<hostname> you will also get debug output
> from the server side.
>
> You need 'GSSAPIAuthentication yes' in /etc/ssh/sshd_config at the server
> side, but presumably you have that as some of the combinations do work.
> (Not 'KerberosAuthentication yes' - that just does password authentication
> with the KDC as the password oracle)
AFAIC this is set. On all machines I have:
/etc/ssh/sshd_config:
!# GSSAPI options
!GSSAPIAuthentication yes
!GSSAPICleanupCredentials yes
!GSSAPIKeyExchange yes
/etc/ssh/ssh_config:
!Host *
! SendEnv LANG LC_*
! HashKnownHosts yes
! GSSAPIAuthentication yes
! GSSAPIDelegateCredentials yes
! GSSAPIKeyExchange yes
--
Thomas
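A small check that follows from the post above (added here, not part of the thread): "Key table entry not found" means sshd's GSSAPI acceptor looked for a service principal that the keytab does not hold, and the keytabs shown contain only the unqualified form host/<shortname>@LOCAL. The script below parses `klist -k` output and compares it with the principal a client would request for a given host name; the sample output is copied from the post, and the fully qualified name `kvm-test.example.local` and the realm `LOCAL` are assumptions for illustration.

```python
import re
import subprocess
import socket

# Constructed sample, copied from the `klist -k` output quoted in the post.
# The repeated lines are the same principal with different encryption
# types (klist -k without -e does not show them).
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---------------------------------------------------------------------
   1 host/kvm-test@LOCAL
   1 host/kvm-test@LOCAL
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")  # "<kvno> <principal>"


def parse_klist(text):
    """Return {principal: set(kvno)} from `klist -k` output (header lines skipped)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def check_host_principal(entries, fqdn, realm):
    """Is the principal a GSSAPI client will ask for (host/<fqdn>@<realm>) present?

    Returns (ok, wanted, near_misses); near_misses lists host/ principals for the
    same short name or realm, which is what a name-canonicalisation mismatch looks like.
    """
    wanted = f"host/{fqdn}@{realm}"
    if wanted in entries:
        return True, wanted, []
    short = fqdn.split(".")[0]
    near = [p for p in entries if p.startswith("host/")
            and (p[len("host/"):].split("@")[0] == short or p.endswith("@" + realm))]
    return False, wanted, sorted(near)


if __name__ == "__main__":
    # Run on the server itself: compare the real keytab with the host's own FQDN.
    out = subprocess.run(["klist", "-k"], capture_output=True, text=True).stdout
    ok, wanted, near = check_host_principal(parse_klist(out), socket.getfqdn(), "LOCAL")
    print("OK" if ok else f"missing {wanted}; closest entries: {near}")
```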