ssh gssapi-with-mic and "Key table entry not found"

Matt Garman matthew.garman at gmail.com
Tue Aug 7 13:23:29 EDT 2012


Hi,

I'm trying to get ssh working using gssapi-with-mic authentication.  I have
about 40 machines running CentOS 5.7.  (My bigger goal is to use NFSv4
mounts with "krb5p" security.  All these machines mount the same NFSv4 share
(think home directories) so my users need to be able to forward their TGT
around.)

What I'm ultimately running into is sshd complaining "Key table entry not
found" on *most* of the servers---a random handful work, and I can't figure
out how the working ones are different.

So, here's an example: I'm trying to ssh from "lnxsvr3" to "lnxsvr11" using
gssapi-with-mic authentication.

Here's the output of trying to ssh:
    [matt@lnxsvr3 ~]$ ssh -v -o"PreferredAuthentications gssapi-with-mic" lnxsvr11
    OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to lnxsvr11 [192.168.187.67] port 22.
    debug1: Connection established.
    debug1: identity file /mnt/home/matt/.ssh/identity type -1
    debug1: identity file /mnt/home/matt/.ssh/id_rsa type 1
    debug1: identity file /mnt/home/matt/.ssh/id_dsa type -1
    debug1: loaded 3 keys
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
    debug1: match: OpenSSH_4.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'lnxsvr11' is known and matches the RSA host key.
    debug1: Found key in /mnt/home/matt/.ssh/known_hosts:207
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: Next authentication method: gssapi-with-mic
    debug1: Delegating credentials
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: No more authentication methods to try.
    Permission denied (publickey,gssapi-with-mic,password).

On the server side, /var/log/secure, with sshd running with LogLevel DEBUG:
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
    Aug  7 11:53:06 lnxsvr11 sshd[4804]: debug1: Forked child 4998.
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: inetd sockets after dupping: 3, 3
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: Connection from 192.168.187.61 port 43559
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: Client protocol version 2.0; client software version OpenSSH_4.3
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: match: OpenSSH_4.3 pat OpenSSH*
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: Enabling compatibility mode for protocol 2.0
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: Local version string SSH-2.0-OpenSSH_4.3
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: permanently_set_uid: 74/74
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEXINIT sent
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEXINIT received
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: kex: client->server aes128-ctr hmac-md5 none
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: kex: server->client aes128-ctr hmac-md5 none
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_NEWKEYS sent
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: expecting SSH2_MSG_NEWKEYS
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_NEWKEYS received
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: KEX done
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method none
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 0 failures 0
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: initializing for "matt"
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 1 failures 1
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: setting PAM_RHOST to "lnxsvr3.mydomain.com"
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: setting PAM_TTY to "ssh"
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: Postponed gssapi-with-mic for matt from 192.168.187.61 port 43559 ssh2
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: Unspecified GSS failure.  Minor code may provide more information\nKey table entry not found\n
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: Got no client credentials
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 2 failures 2
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 3 failures 3
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: Connection closed by 192.168.187.61
    Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: do_cleanup
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: do_cleanup
    Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: cleanup

Based on the web searching I've done for this issue, it seems the most common
culprit is a DNS issue.  But as far as I can tell, my /etc/hosts and DNS are
set up correctly and in agreement.  So here is the output of various commands
on lnxsvr11:

    [root@lnxsvr11 ~]# klist -ekt
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       5 08/07/12 11:39:04 host/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
       5 08/07/12 11:39:45 nfs/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)

    [root@lnxsvr11 ~]# hostname
    lnxsvr11.mydomain.com
    [root@lnxsvr11 ~]# hostname
    lnxsvr11
    [root@lnxsvr11 ~]# hostname -s
    lnxsvr11
    [root@lnxsvr11 ~]# hostname -f
    lnxsvr11.mydomain.com

    [root@lnxsvr11 ~]# grep 192.168.187.67 /etc/hosts
    192.168.187.67     lnxsvr11.mydomain.com      lnxsvr11
    [root@lnxsvr11 ~]# grep "lnxsvr11\." /etc/hosts
    192.168.187.67     lnxsvr11.mydomain.com      lnxsvr11
    [root@lnxsvr11 ~]# grep "lnxsvr11$" /etc/hosts
    192.168.187.67     lnxsvr11.mydomain.com      lnxsvr11

    [root@lnxsvr11 ~]# dig -x 192.168.187.67

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> -x 192.168.187.67
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13806
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;67.187.168.192.in-addr.arpa.   IN      PTR

    ;; ANSWER SECTION:
    67.187.168.192.in-addr.arpa. 604800 IN  PTR     lnxsvr11.mydomain.com.

    ;; AUTHORITY SECTION:
    187.168.192.in-addr.arpa. 604800 IN     NS      ns1.mydomain.com.

    ;; ADDITIONAL SECTION:
    ns1.mydomain.com. 604800  IN      A       192.168.184.7

    ;; Query time: 1 msec
    ;; SERVER: 192.168.184.7#53(192.168.184.7)
    ;; WHEN: Tue Aug  7 11:59:35 2012
    ;; MSG SIZE  rcvd: 120

Can anyone see anything obvious that I'm missing?

Thanks,
Matt
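The server log above shows sshd failing a keytab lookup while accepting the
GSSAPI token, which means two names have to agree: the service principal the
client obtained a ticket for (visible in the client's `klist` after the failed
attempt, since the KDC issued it before sshd ever saw it) and the principal
stored in the server's keytab (visible in `klist -ekt`). The script below is an
added diagnostic helper, not code from the original post or from OpenSSH or MIT
Kerberos. It parses both `klist` output formats, reports any host/ ticket the
keytab cannot serve, and, when run with `--live` on a server, also compares
`hostname -f` against forward and reverse DNS. The sample keytab and credential
cache are constructed; the second host/ ticket in the cache
(`host/lnxsvr11.lab.mydomain.com`) is a hypothetical mismatch, not something
from the post.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original post. Assumes MIT
# Kerberos klist output formats (klist -ekt for a keytab, plain klist for
# a credential cache) and POSIX awk/grep/sort/sed.

# Principals present in a keytab, from `klist -ekt` text on stdin.
# Data lines look like: "   5 08/07/12 11:39:04 host/x@REALM (enctype)"
keytab_principals() {
  awk '$1 ~ /^[0-9]+$/ && $4 ~ /@/ { print $4 }' | sort -u
}

# host/ service principals the client holds tickets for, from plain
# `klist` text on stdin. Data lines look like:
# "08/07/12 11:53:06  08/07/12 21:52:58  host/x@REALM"
cache_host_principals() {
  awk '$1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ && $5 ~ /^host\// { print $5 }' | sort -u
}

# The acceptor name sshd looks up for a host: host/<fqdn>@<REALM>.
expected_host_principal() {
  printf 'host/%s@%s\n' "$1" "$2"
}

# Exit 0 if keytab text ($1) contains principal $2 exactly.
keytab_has() {
  printf '%s\n' "$1" | keytab_principals | grep -qxF -- "$2"
}

# Print every host/ principal the client obtained a ticket for ($2, klist
# text) that the server keytab ($1, klist -ekt text) does not contain.
missing_from_keytab() {
  kt=$(printf '%s\n' "$1" | keytab_principals)
  printf '%s\n' "$2" | cache_host_principals | while read -r p; do
    printf '%s\n' "$kt" | grep -qxF -- "$p" || printf '%s\n' "$p"
  done
  return 0
}

# Live check on a server: hostname -f vs forward and reverse DNS, and
# whether /etc/krb5.keytab holds host/<fqdn>@REALM.  $1 = realm.
diagnose_live() {
  fqdn=$(hostname -f)
  addr=$(getent hosts "$fqdn" | awk '{ print $1; exit }')
  ptr=$(dig +short -x "$addr" | sed 's/\.$//')
  want=$(expected_host_principal "$fqdn" "$1")
  echo "hostname -f : $fqdn"
  echo "forward     : $addr"
  echo "reverse     : $ptr"
  echo "expecting   : $want"
  [ "$ptr" = "$fqdn" ] || echo "WARNING: reverse DNS ($ptr) differs from hostname -f"
  if keytab_has "$(klist -ekt)" "$want"; then
    echo "keytab      : OK"
  else
    echo "keytab      : MISSING $want; keytab holds:"
    klist -ekt | keytab_principals | sed 's/^/    /'
  fi
}

# Constructed sample keytab listing, modelled on the post's klist -ekt.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 08/07/12 11:39:04 host/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
   5 08/07/12 11:39:45 nfs/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)'

# Constructed client credential cache. The last host/ ticket is for a
# hypothetical name the keytab does not carry (e.g. the client resolved
# the host through a different search domain).
SAMPLE_CACHE='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: matt@MYDOMAIN.COM

Valid starting     Expires            Service principal
08/07/12 11:52:58  08/07/12 21:52:58  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 08/08/12 11:52:58
08/07/12 11:53:06  08/07/12 21:52:58  host/lnxsvr11.mydomain.com@MYDOMAIN.COM
08/07/12 11:55:10  08/07/12 21:52:58  host/lnxsvr11.lab.mydomain.com@MYDOMAIN.COM'

# Usage on a server: sh keytab_check.sh --live MYDOMAIN.COM
# Without arguments, runs the name comparison over the sample data.
if [ "${1:-}" = "--live" ]; then
  diagnose_live "${2:?realm required}"
else
  echo "Client host/ tickets the sample keytab cannot serve:"
  missing_from_keytab "$SAMPLE_KEYTAB" "$SAMPLE_CACHE"
fi
```

Run `klist` on the client right after a failed attempt and feed it, together
with the server's `klist -ekt`, to `missing_from_keytab`; any line it prints is
a name the client requested that the server cannot decrypt. This only checks
names. If the names agree, compare the keytab's KVNO column with the output of
`kvno host/<fqdn>@REALM` on the client (which asks the KDC): a version mismatch
produces a different error from MIT Kerberos, so it would not explain the
message in the post, but it is the next thing to rule out.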

