Going across a firewall
Mauricio Tavares
raubvogel at gmail.com
Tue Sep 6 13:34:07 EDT 2011
On Tue, Sep 6, 2011 at 10:12 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On Tue, 2011-09-06 at 04:15 -0400, Mauricio Tavares wrote:
>> Now, when I try to ssh from externalbox to the kdc, it seems that
>> gssapi-with-mic isn't working:
>
> Usually the best way to debug auth problems with ssh is to
> run /path/to/sshd -d -p XXXX on the server and ssh -p XXXX on the
> client, for some alternate port number XXXX. The client doesn't usually
> know much about what went wrong and displays even less.
>
> If your server's Kerberos library is new enough (and is MIT krb5),
> setting KRB5_TRACE=/some/filename can provide a little more information
> on top of the debugging output. That can also work on the client, but
> is unlikely to be as useful there.
>
Thanks for the suggestions! For some reason I could not get the
KRB5_TRACE to work (mit kerberos 1.8.4 is what I am using; probably
ancient), but if you look at the output I got below, the message I got
was "Wrong principal in request". Does that mean the host principal of
the client (externalbox in my example)?
From sshd -d -p 10022:
Connection from 192.168.11.188 port 44630
debug1: Client protocol version 2.0; client software version OpenSSH_5.8p1 Debian-1ubuntu3
debug1: match: OpenSSH_5.8p1 Debian-1ubuntu3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
debug1: permanently_set_uid: 104/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user testuser service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "testuser"
debug1: PAM: setting PAM_RHOST to "192.168.11.188"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
Postponed gssapi-with-mic for testuser from 192.168.11.188 port 44630 ssh2
debug1: Unspecified GSS failure. Minor code may provide more information
Wrong principal in request
debug1: Got no client credentials
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 1
From /var/log/auth.log:
Sep 6 13:11:51 kdc sshd[14429]: debug1: private host key: #0 type 1 RSA
Sep 6 13:11:51 kdc sshd[14429]: debug1: read PEM private key done: type DSA
Sep 6 13:11:51 kdc sshd[14429]: debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
Sep 6 13:11:51 kdc sshd[14429]: debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
Sep 6 13:11:51 kdc sshd[14429]: debug1: private host key: #1 type 2 DSA
Sep 6 13:11:51 kdc sshd[14429]: debug1: read PEM private key done: type ECDSA
Sep 6 13:11:51 kdc sshd[14429]: debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256
Sep 6 13:11:51 kdc sshd[14429]: debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256
Sep 6 13:11:51 kdc sshd[14429]: debug1: private host key: #2 type 3 ECDSA
Sep 6 13:11:51 kdc krb5kdc[13460]: TGS_REQ (1 etypes {18}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18 ses=18}, testuser@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
Sep 6 13:13:19 kdc sshd[14466]: debug1: sshd version OpenSSH_5.8p1 Debian-1ubuntu3
Sep 6 13:13:19 kdc sshd[14466]: debug1: read PEM private key done: type RSA
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
Sep 6 13:13:19 kdc sshd[14466]: debug1: private host key: #0 type 1 RSA
Sep 6 13:13:19 kdc sshd[14466]: debug1: read PEM private key done: type DSA
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
Sep 6 13:13:19 kdc sshd[14466]: debug1: private host key: #1 type 2 DSA
Sep 6 13:13:19 kdc sshd[14466]: debug1: read PEM private key done: type ECDSA
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256
Sep 6 13:13:19 kdc sshd[14466]: debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256
Sep 6 13:13:19 kdc sshd[14466]: debug1: private host key: #2 type 3 ECDSA
Sep 6 13:13:20 kdc krb5kdc[13460]: TGS_REQ (1 etypes {18}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18 ses=18}, testuser@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
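Editor's note, with an added example that is not part of the thread or of any poster's code. In MIT krb5, "Wrong principal in request" (KRB5KRB_AP_WRONG_PRINC) is raised on the accepting side when the service ticket the client presents is for a principal that the server's keytab does not hold; it concerns the server-side principal sshd accepts as (normally host/<fqdn>@REALM), not the client host's principal. A common way to get there when the connection crosses a firewall or NAT is that the client derives the service name from a different hostname than the one registered in the keytab. The debugging routine Greg describes produces two streams worth correlating: the sshd -d output shows which auth methods were tried and the GSS minor-status text, while the krb5kdc log shows which service principals the KDC actually issued tickets for to that client address. The script below does that correlation over constructed sample lines modelled on the ones in this thread (the host/ service-ticket line, the hostname kdc-ext.example.test and the keytab principal list are invented to illustrate a mismatch; real logs use "@" where the list archive shows " at ").

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's sshd -d output; trimmed to the
# lines the analysis needs and not the poster's verbatim log.
SSHD_DEBUG = """\
Connection from 192.168.11.188 port 44630
debug1: userauth-request for user testuser service ssh-connection method none
debug1: attempt 0 failures 0
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
Postponed gssapi-with-mic for testuser from 192.168.11.188 port 44630 ssh2
debug1: Unspecified GSS failure. Minor code may provide more information
Wrong principal in request
debug1: Got no client credentials
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
""".splitlines()

# Constructed krb5kdc lines: the krbtgt line mirrors the thread; the host/ line
# is invented (hypothetical hostname) to show a service ticket issued for a
# name the server's keytab does not contain.
KDC_LOG = """\
Sep 6 13:13:20 kdc krb5kdc[13460]: TGS_REQ (1 etypes {18}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18 ses=18}, testuser@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
Sep 6 13:13:20 kdc krb5kdc[13460]: TGS_REQ (1 etypes {18}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18 ses=18}, testuser@DOMAIN.COM for host/kdc-ext.example.test@DOMAIN.COM
""".splitlines()

# Constructed: the principals `klist -k` would list on the server (hypothetical).
KEYTAB_PRINCIPALS = {"host/kdc.domain.com@DOMAIN.COM"}

AUTH_RE = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
CONN_RE = re.compile(r"Connection from (\d+\.\d+\.\d+\.\d+) port")
GSS_MINOR_MARKER = "Unspecified GSS failure. Minor code may provide more information"
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) .*?(?P<ip>\d+\.\d+\.\d+\.\d+): "
    r"(?P<status>[A-Z_]+): .*?, (?P<client>\S+) for (?P<server>\S+)$"
)


def parse_sshd(lines):
    """Count auth attempts per method and collect GSS minor-status messages."""
    methods = Counter()
    gss_errors = []
    for i, line in enumerate(lines):
        m = AUTH_RE.search(line)
        if m:
            methods[m.group(2)] += 1
        # sshd prints the minor-status text on the line after the marker.
        if GSS_MINOR_MARKER in line and i + 1 < len(lines):
            gss_errors.append(lines[i + 1].strip())
    return methods, gss_errors


def service_tickets_for(lines, client_ip):
    """Service principals (excluding TGTs) the KDC issued to this client IP."""
    issued = set()
    for line in lines:
        m = KDC_RE.search(line)
        if m and m.group("ip") == client_ip and m.group("status") == "ISSUE":
            server = m.group("server")
            if not server.startswith("krbtgt/"):
                issued.add(server)
    return issued


def diagnose(sshd_lines, kdc_lines, keytab_principals):
    """Correlate sshd -d output with KDC issuance and the server keytab."""
    client_ip = next((CONN_RE.match(l).group(1) for l in sshd_lines if CONN_RE.match(l)), None)
    methods, gss_errors = parse_sshd(sshd_lines)
    requested = service_tickets_for(kdc_lines, client_ip) if client_ip else set()
    return {
        "client_ip": client_ip,
        "gssapi_attempts": methods["gssapi-with-mic"],
        "gss_errors": gss_errors,
        "requested_service_principals": sorted(requested),
        # Principals the client obtained tickets for that sshd cannot decrypt.
        "not_in_keytab": sorted(requested - set(keytab_principals)),
    }


if __name__ == "__main__":
    for key, value in diagnose(SSHD_DEBUG, KDC_LOG, KEYTAB_PRINCIPALS).items():
        print(f"{key}: {value}")
```

In practice, feed the script the full `sshd -d` capture and the KDC log for the same time window; a non-empty `not_in_keytab` list names the service principal the client asked for, which is the name to reconcile (DNS, /etc/hosts or the keytab) before looking anywhere else.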