ssh gssapi-with-mic and "Key table entry not found"

Simo Sorce simo@redhat.com
Tue Aug 7 13:49:03 EDT 2012


On Tue, 2012-08-07 at 12:23 -0500, Matt Garman wrote:
> Hi,
> 
> I'm trying to get ssh working using gssapi-with-mic authentication.  I have
> about 40 machines running CentOS 5.7.  (My bigger goal is to use NFSv4
> mounts with "krb5p" security.  All these machines mount the same NFSv4 share
> (think home directories) so my users need to be able to forward their TGT
> around.)
> 
> What I'm ultimately running into is sshd complaining "Key table entry not
> found" on *most* of the servers---a random handful work, and I can't figure
> out how the working ones are different.
> 
> So, here's an example: I'm trying to ssh from "lnxsvr3" to "lnxsvr11" using
> gssapi-with-mic authentication.
> 
> Here's the output of trying to ssh:
>     [matt@lnxsvr3 ~]$ ssh -v -o"PreferredAuthentications gssapi-with-mic" lnxsvr11
>     OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>     debug1: Reading configuration data /etc/ssh/ssh_config
>     debug1: Applying options for *
>     debug1: Connecting to lnxsvr11 [192.168.187.67] port 22.
>     debug1: Connection established.
>     debug1: identity file /mnt/home/matt/.ssh/identity type -1
>     debug1: identity file /mnt/home/matt/.ssh/id_rsa type 1
>     debug1: identity file /mnt/home/matt/.ssh/id_dsa type -1
>     debug1: loaded 3 keys
>     debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
>     debug1: match: OpenSSH_4.3 pat OpenSSH*
>     debug1: Enabling compatibility mode for protocol 2.0
>     debug1: Local version string SSH-2.0-OpenSSH_4.3
>     debug1: SSH2_MSG_KEXINIT sent
>     debug1: SSH2_MSG_KEXINIT received
>     debug1: kex: server->client aes128-ctr hmac-md5 none
>     debug1: kex: client->server aes128-ctr hmac-md5 none
>     debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>     debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>     debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>     debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>     debug1: Host 'lnxsvr11' is known and matches the RSA host key.
>     debug1: Found key in /mnt/home/matt/.ssh/known_hosts:207
>     debug1: ssh_rsa_verify: signature correct
>     debug1: SSH2_MSG_NEWKEYS sent
>     debug1: expecting SSH2_MSG_NEWKEYS
>     debug1: SSH2_MSG_NEWKEYS received
>     debug1: SSH2_MSG_SERVICE_REQUEST sent
>     debug1: SSH2_MSG_SERVICE_ACCEPT received
>     debug1: Authentications that can continue: publickey,gssapi-with-mic,password
>     debug1: Next authentication method: gssapi-with-mic
>     debug1: Delegating credentials
>     debug1: Authentications that can continue: publickey,gssapi-with-mic,password
>     debug1: Authentications that can continue: publickey,gssapi-with-mic,password
>     debug1: Authentications that can continue: publickey,gssapi-with-mic,password
>     debug1: No more authentication methods to try.
>     Permission denied (publickey,gssapi-with-mic,password).
> 
> On the server side, /var/log/secure, with sshd running with LogLevel DEBUG:
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
>     Aug  7 11:53:06 lnxsvr11 sshd[4804]: debug1: Forked child 4998.
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: inetd sockets after dupping: 3, 3
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: Connection from 192.168.187.61 port 43559
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: Client protocol version 2.0; client software version OpenSSH_4.3
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: match: OpenSSH_4.3 pat OpenSSH*
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: Enabling compatibility mode for protocol 2.0
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: Local version string SSH-2.0-OpenSSH_4.3
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: permanently_set_uid: 74/74
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEXINIT sent
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEXINIT received
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: kex: client->server aes128-ctr hmac-md5 none
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: kex: server->client aes128-ctr hmac-md5 none
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_NEWKEYS sent
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: expecting SSH2_MSG_NEWKEYS
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_NEWKEYS received
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: KEX done
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method none
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 0 failures 0
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: initializing for "matt"
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 1 failures 1
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: setting PAM_RHOST to "lnxsvr3.mydomain.com"
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: setting PAM_TTY to "ssh"
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: Postponed gssapi-with-mic for matt from 192.168.187.61 port 43559 ssh2
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: Unspecified GSS failure.  Minor code may provide more information\nKey table entry not found\n
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: Got no client credentials
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 2 failures 2
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 3 failures 3
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: Connection closed by 192.168.187.61
>     Aug  7 11:53:06 lnxsvr11 sshd[5001]: debug1: do_cleanup
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: do_cleanup
>     Aug  7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: cleanup
> 
> Based on the web searching I've done for this issue, it seems the most common
> culprit is DNS issues.  But as far as I can tell, my /etc/hosts and DNS are
> set up correctly and in agreement.  So here is the output of various commands
> on lnxsvr11:
> 
>     [root@lnxsvr11 ~]# klist -ekt
>     Keytab name: FILE:/etc/krb5.keytab
>     KVNO Timestamp         Principal
>     ---- ----------------- --------------------------------------------------------
>        5 08/07/12 11:39:04 host/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
>        5 08/07/12 11:39:45 nfs/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
> 
>     [root@lnxsvr11 ~]# hostname
>     lnxsvr11.mydomain.com
>     [root@lnxsvr11 ~]# hostname
>     lnxsvr11
>     [root@lnxsvr11 ~]# hostname -s
>     lnxsvr11
>     [root@lnxsvr11 ~]# hostname -f
>     lnxsvr11.mydomain.com
> 
>     [root@lnxsvr11 ~]# grep 192.168.187.67 /etc/hosts
>     192.168.187.67     lnxsvr11.mydomain.com      lnxsvr11
>     [root@lnxsvr11 ~]# grep "lnxsvr11\." /etc/hosts
>     192.168.187.67     lnxsvr11.mydomain.com      lnxsvr11
>     [root@lnxsvr11 ~]# grep "lnxsvr11$" /etc/hosts
>     192.168.187.67     lnxsvr11.mydomain.com      lnxsvr11
> 
>     [root@lnxsvr11 ~]# dig -x 192.168.187.67
> 
>     ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> -x 192.168.187.67
>     ;; global options:  printcmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13806
>     ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> 
>     ;; QUESTION SECTION:
>     ;67.187.168.192.in-addr.arpa.   IN      PTR
> 
>     ;; ANSWER SECTION:
>     67.187.168.192.in-addr.arpa. 604800 IN  PTR     lnxsvr11.mydomain.com.
> 
>     ;; AUTHORITY SECTION:
>     187.168.192.in-addr.arpa. 604800 IN     NS      ns1.mydomain.com.
> 
>     ;; ADDITIONAL SECTION:
>     ns1.mydomain.com. 604800  IN      A       192.168.184.7
> 
>     ;; Query time: 1 msec
>     ;; SERVER: 192.168.184.7#53(192.168.184.7)
>     ;; WHEN: Tue Aug  7 11:59:35 2012
>     ;; MSG SIZE  rcvd: 120
> 
> Can anyone see anything obvious that I'm missing?

What does the 'hostname' command return on your machine?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
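Simo's question is the right one: when sshd accepts a GSSAPI context it (through MIT krb5) looks in /etc/krb5.keytab for host/<name>@REALM, where <name> is the canonical name the server derives for itself, and "Key table entry not found" means no keytab entry carries exactly that name. The script below is an added example, not part of this thread and not code from OpenSSH or MIT krb5: it parses the `klist -ekt` listing quoted above (embedded as a constructed sample, with the archive's "at" mangling undone), builds the host/ principals that each candidate host name would require, and reports which are present and which are missing. It also flags single-DES keys, which MIT krb5 1.8 and later refuse unless allow_weak_crypto is set. The function names, the constructed sample and the realm MYDOMAIN.COM taken from the thread are all assumptions of this example.

```python
import re
import socket

# Constructed sample input: the `klist -ekt` listing quoted in the thread,
# with the mailing-list "at" mangling undone so principals read name@REALM.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 08/07/12 11:39:04 host/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
   5 08/07/12 11:39:45 nfs/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
"""

# One keytab entry per line: KVNO, date, time, principal, optional "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+@\S+)(?:\s+\((.+)\))?\s*$")

# Single-DES enctype names as klist prints them; MIT krb5 1.8+ will not use
# these keys unless krb5.conf sets allow_weak_crypto = true.
WEAK_ENCTYPE_MARKERS = ("DES cbc", "des-cbc")


def parse_klist(text):
    """Parse `klist -ekt` output into a list of (kvno, principal, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(4), m.group(5) or ""))
    return entries


def candidate_principals(names, realm, service="host"):
    """service/<name>@REALM for every host name the acceptor might derive.

    Names are lower-cased and stripped of a trailing dot, matching how krb5
    canonicalises a host name before the keytab lookup."""
    return {f"{service}/{n.rstrip('.').lower()}@{realm}" for n in names if n}


def diagnose(names, realm, klist_text, service="host"):
    """Report which expected service principals the keytab has and lacks.

    If every candidate lands in `missing`, the acceptor has nothing to find,
    which is the condition behind "Key table entry not found"."""
    have = {principal for _, principal, _ in parse_klist(klist_text)}
    want = candidate_principals(names, realm, service)
    return {"matched": sorted(have & want), "missing": sorted(want - have)}


def weak_entries(klist_text):
    """Principals whose keytab keys use an enctype modern krb5 disables by default."""
    return sorted(
        principal
        for _, principal, enctype in parse_klist(klist_text)
        if any(marker in enctype for marker in WEAK_ENCTYPE_MARKERS)
    )


def local_names():
    """Names this host may resolve itself to: gethostname(), its FQDN and the
    PTR record of each of its addresses. Only used for a live check."""
    short = socket.gethostname()
    names = {short, socket.getfqdn(short)}
    try:
        for info in socket.getaddrinfo(short, None):
            try:
                names.add(socket.gethostbyaddr(info[4][0])[0])
            except socket.herror:
                pass  # no PTR record for this address
    except socket.gaierror:
        pass  # host name does not resolve; the short name is all we have
    return names


if __name__ == "__main__":
    # Offline demonstration on the thread's data; for a live host, pass
    # local_names() and the real `klist -ekt` output instead.
    report = diagnose(["lnxsvr11", "lnxsvr11.mydomain.com"], "MYDOMAIN.COM", SAMPLE_KLIST)
    print("matched:", report["matched"])
    print("missing:", report["missing"])
    print("weak enctype:", weak_entries(SAMPLE_KLIST))
```

On the thread's data the fully qualified name matches the keytab while the bare "lnxsvr11" does not, so a host that canonicalises itself to the short name (or to some third name from reverse DNS) would fail exactly as lnxsvr11 does; comparing this report across the working and failing servers is a quick way to see what differs between them.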


