Kerberos5 + SSH Questions

Lee Eric openlinuxsource at gmail.com
Mon Jan 3 19:25:36 EST 2011


Sorry guys. I noticed that I had attached the file, but it seems the ML
ignored it. So I will paste it here. Thanks very much.

==========Client krb5.conf==========
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HERDINGCAT.INTERNAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HERDINGCAT.INTERNAL = {
  kdc = ns.herdingcat.internal
  admin_server = ns.herdingcat.internal
 }

[domain_realm]
 .herdingcat.internal = HERDINGCAT.INTERNAL
 herdingcat.internal = HERDINGCAT.INTERNAL

==========Server krb5.conf==========
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HERDINGCAT.INTERNAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HERDINGCAT.INTERNAL = {
  kdc = ns.herdingcat.internal
  admin_server = ns.herdingcat.internal
 }

[domain_realm]
 .herdingcat.internal = HERDINGCAT.INTERNAL
 herdingcat.internal = HERDINGCAT.INTERNAL

==========Client ssh_config==========
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
Host *
	GSSAPIAuthentication yes
	ForwardX11Trusted yes
	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
	SendEnv XMODIFIERS

==========Server sshd_config==========
Protocol 2
SyslogFacility AUTHPRIV
MaxAuthTries 6
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem	sftp	/usr/libexec/openssh/sftp-server

==========Client klist output==========
[ericlee@client1 ~]$ kinit -f
Password for ericlee@HERDINGCAT.INTERNAL:
[ericlee@client1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: ericlee@HERDINGCAT.INTERNAL

Valid starting     Expires            Service principal
01/03/11 07:59:34  01/04/11 07:59:28  krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL
	renew until 01/03/11 07:59:34
01/03/11 08:00:41  01/04/11 07:59:28  host/ns.herdingcat.internal@HERDINGCAT.INTERNAL
	renew until 01/03/11 07:59:34

==========Client ssh -vvv login output==========
[ericlee@client1 ~]$ ssh -vvv ericlee@ns.herdingcat.internal
OpenSSH_5.4p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ns.herdingcat.internal [172.16.14.1] port 22.
debug1: Connection established.
debug1: identity file /home/ericlee/.ssh/id_rsa type -1
debug1: identity file /home/ericlee/.ssh/id_rsa-cert type -1
debug1: identity file /home/ericlee/.ssh/id_dsa type -1
debug1: identity file /home/ericlee/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: match: OpenSSH_5.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 145/256
debug2: bits set: 500/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: host ns.herdingcat.internal filename /home/ericlee/.ssh/known_hosts
debug3: check_host_in_hostfile: host ns.herdingcat.internal filename /home/ericlee/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: host 172.16.14.1 filename /home/ericlee/.ssh/known_hosts
debug3: check_host_in_hostfile: host 172.16.14.1 filename /home/ericlee/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'ns.herdingcat.internal' is known and matches the RSA host key.
debug1: Found key in /home/ericlee/.ssh/known_hosts:1
debug2: bits set: 514/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ericlee/.ssh/id_rsa ((nil))
debug2: key: /home/ericlee/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 172.16.14.1.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,gssapi-with-mic).

Regards,

Eric

On Tue, Jan 4, 2011 at 6:31 AM, Russ Allbery <rra at stanford.edu> wrote:
> Brian Candler <B.Candler at pobox.com> writes:
>> On Mon, Jan 03, 2011 at 09:53:45PM +0000, Simon Wilkinson wrote:
>
>>> Yes. They added it in Fedora 13, and I'm told RHEL6 also ships with
>>> this patch enabled. Pretty much the only vendors that don't have GSSAPI
>>> key exchange support now are the BSDs.
>
>> Any idea about the Debian-derivatives? I checked on ubuntu 10.04 and
>> I didn't see this option commented out in /etc/ssh/sshd_config
>
> Debian and Debian derivatives have had this patch applied for quite a
> while.  I forget the point at which ssh-krb5 was merged in with ssh, but
> it was at least by etch.  And it was available as ssh-krb5 for longer than
> that.
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
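An added example, not part of Eric's message and not OpenSSH code: a small Python script that parses the user-authentication phase of an `ssh -vvv` transcript like the one above and reports which methods the server offered, which the client actually sent, how many times each was refused, and the final outcome. The embedded sample transcript is constructed from the authentication lines quoted above; the regexes match the debug strings OpenSSH prints in that phase.

```python
import re

# Constructed sample: the authentication lines from the ssh -vvv transcript quoted above.
SAMPLE = """\
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
Permission denied (gssapi-keyex,gssapi-with-mic).
"""

CAN_CONTINUE = re.compile(r"Authentications that can continue: (\S+)")
NEXT_METHOD = re.compile(r"Next authentication method: (\S+)")
SENT = re.compile(r"we sent a (\S+) packet")
DENIED = re.compile(r"^Permission denied \((.*)\)\.")

def summarize_auth(transcript):
    """Return the offered methods, per-method attempt/refusal counts with notes, and the outcome."""
    offered, methods, current, outcome = None, {}, None, "unknown"
    for line in transcript.splitlines():
        if m := CAN_CONTINUE.search(line):
            if offered is None:
                offered = m.group(1).split(",")        # first list = what the server accepts
            elif current and methods[current]["sent"] > methods[current]["rejected"]:
                methods[current]["rejected"] += 1      # list repeated after an attempt = refusal
        elif m := NEXT_METHOD.search(line):
            current = m.group(1)
            methods.setdefault(current, {"sent": 0, "rejected": 0, "notes": []})
        elif current is None:
            continue
        elif SENT.search(line):
            methods[current]["sent"] += 1              # client really sent an attempt
        elif "No valid Key exchange context" in line:
            methods[current]["notes"].append("no GSSAPI key exchange happened, so gssapi-keyex is unusable")
        elif "did not send a packet" in line:
            methods[current]["notes"].append("never attempted" if methods[current]["sent"] == 0 else "gave up after refusals")
        elif m := DENIED.search(line):
            outcome = "denied; server still lists " + m.group(1)
        elif "Authentication succeeded" in line:
            outcome = "succeeded"
    return {"offered": offered, "methods": methods, "outcome": outcome}
```

Run on the sample it shows that gssapi-keyex was never attempted (no GSSAPI key exchange took place) and that gssapi-with-mic was sent three times and refused three times, which narrows the troubleshooting to the gssapi-with-mic exchange itself.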
