ssh gssapi-with-mic and "Key table entry not found"
Matt Garman
matthew.garman at gmail.com
Tue Aug 7 13:23:29 EDT 2012
Hi,
I'm trying to get ssh working using gssapi-with-mic authentication. I have
about 40 machines running CentOS 5.7. (My bigger goal is to use NFSv4
mounts with "krb5p" security. All these machines mount the same NFSv4 share
(think home directories) so my users need to be able to forward their TGT
around.)
What I'm ultimately running into is sshd complaining "Key table entry not
found" on *most* of the servers---a random handful work, and I can't figure
out how the working ones are different.
So, here's an example: I'm trying to ssh from "lnxsvr3" to "lnxsvr11" using
gssapi-with-mic authentication.
Here's the output of trying to ssh:
[matt@lnxsvr3 ~]$ ssh -v -o"PreferredAuthentications gssapi-with-mic" lnxsvr11
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to lnxsvr11 [192.168.187.67] port 22.
debug1: Connection established.
debug1: identity file /mnt/home/matt/.ssh/identity type -1
debug1: identity file /mnt/home/matt/.ssh/id_rsa type 1
debug1: identity file /mnt/home/matt/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'lnxsvr11' is known and matches the RSA host key.
debug1: Found key in /mnt/home/matt/.ssh/known_hosts:207
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).
On the server side, /var/log/secure, with sshd running with LogLevel DEBUG:
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Aug 7 11:53:06 lnxsvr11 sshd[4804]: debug1: Forked child 4998.
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: inetd sockets after dupping: 3, 3
Aug 7 11:53:06 lnxsvr11 sshd[4998]: Connection from 192.168.187.61 port 43559
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Client protocol version 2.0; client software version OpenSSH_4.3
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: match: OpenSSH_4.3 pat OpenSSH*
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Enabling compatibility mode for protocol 2.0
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Local version string SSH-2.0-OpenSSH_4.3
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: permanently_set_uid: 74/74
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEXINIT sent
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEXINIT received
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: kex: client->server aes128-ctr hmac-md5 none
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: kex: server->client aes128-ctr hmac-md5 none
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_NEWKEYS sent
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: expecting SSH2_MSG_NEWKEYS
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_NEWKEYS received
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: KEX done
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method none
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 0 failures 0
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: initializing for "matt"
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 1 failures 1
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: setting PAM_RHOST to "lnxsvr3.mydomain.com"
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: setting PAM_TTY to "ssh"
Aug 7 11:53:06 lnxsvr11 sshd[5001]: Postponed gssapi-with-mic for matt from 192.168.187.61 port 43559 ssh2
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Unspecified GSS failure. Minor code may provide more information\nKey table entry not found\n
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Got no client credentials
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 2 failures 2
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 3 failures 3
Aug 7 11:53:06 lnxsvr11 sshd[5001]: Connection closed by 192.168.187.61
Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: do_cleanup
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: do_cleanup
Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: cleanup
Based on the web searching I've done for this issue, it seems the most common
culprit is DNS issues. But as far as I can tell, my /etc/hosts and DNS are
set up correctly and in agreement. So here is the output of various commands
on lnxsvr11:
[root@lnxsvr11 ~]# klist -ekt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 08/07/12 11:39:04 host/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
   5 08/07/12 11:39:45 nfs/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
[root@lnxsvr11 ~]# hostname
lnxsvr11.mydomain.com
[root@lnxsvr11 ~]# hostname
lnxsvr11
[root@lnxsvr11 ~]# hostname -s
lnxsvr11
[root@lnxsvr11 ~]# hostname -f
lnxsvr11.mydomain.com
[root@lnxsvr11 ~]# grep 192.168.187.67 /etc/hosts
192.168.187.67 lnxsvr11.mydomain.com lnxsvr11
[root@lnxsvr11 ~]# grep "lnxsvr11\." /etc/hosts
192.168.187.67 lnxsvr11.mydomain.com lnxsvr11
[root@lnxsvr11 ~]# grep "lnxsvr11$" /etc/hosts
192.168.187.67 lnxsvr11.mydomain.com lnxsvr11
[root@lnxsvr11 ~]# dig -x 192.168.187.67
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> -x 192.168.187.67
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13806
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;67.187.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
67.187.168.192.in-addr.arpa. 604800 IN PTR lnxsvr11.mydomain.com.
;; AUTHORITY SECTION:
187.168.192.in-addr.arpa. 604800 IN NS ns1.mydomain.com.
;; ADDITIONAL SECTION:
ns1.mydomain.com. 604800 IN A 192.168.184.7
;; Query time: 1 msec
;; SERVER: 192.168.184.7#53(192.168.184.7)
;; WHEN: Tue Aug 7 11:59:35 2012
;; MSG SIZE rcvd: 120
Can anyone see anything obvious that I'm missing?
Thanks,
Matt
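An added example, not part of Matt's post: a Python check that parses a `klist -ekt` listing in the format shown above and reports, for each name the server might be addressed by (the FQDN from hostname -f, the short name, the PTR result), whether the keytab holds a matching host/<name>@REALM entry, and which principals carry only DES keys. The listing embedded in it is constructed from the post's output; the candidate names and realm are the ones the post shows.

```python
import re

# Constructed sample modelled on the `klist -ekt` listing in the post (not captured output).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 08/07/12 11:39:04 host/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
   5 08/07/12 11:39:45 nfs/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
"""

# One entry line: KVNO, date, time, principal, "(enctype description)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")


def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples from `klist -ekt` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_host_principals(entries, candidate_names, realm):
    """Map each name the host may be addressed by (hostname -f, the PTR for its
    address, the short name clients type) to whether host/<name>@REALM is in the
    keytab. The GSSAPI acceptor can only decrypt a service ticket whose principal
    and key are in the keytab, so a False here is a name that cannot authenticate."""
    present = {principal for _, principal, _ in entries}
    return {name: f"host/{name}@{realm}" in present for name in candidate_names}


def weak_entries(entries):
    """Principals whose only keys use single-DES enctypes (deprecated by RFC 6649;
    MIT krb5 1.8 and later refuse them unless allow_weak_crypto = true)."""
    des = {p for _, p, e in entries if e.lower().startswith("des ")}
    strong = {p for _, p, e in entries if not e.lower().startswith("des ")}
    return sorted(des - strong)


if __name__ == "__main__":
    entries = parse_keytab_listing(SAMPLE_KLIST)
    report = check_host_principals(entries, ["lnxsvr11.mydomain.com", "lnxsvr11"], "MYDOMAIN.COM")
    for name, ok in report.items():
        print(f"{name:30s} {'present' if ok else 'MISSING'}")
    for principal in weak_entries(entries):
        print(f"DES-only keys: {principal}")
```

On a real host, feed it the output of `klist -ekt` and the names returned by `hostname -f` and `dig -x` on the listening address.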