ssh gssapi-with-mic and "Key table entry not found"
Simo Sorce
simo at redhat.com
Tue Aug 7 13:49:03 EDT 2012
On Tue, 2012-08-07 at 12:23 -0500, Matt Garman wrote:
> Hi,
>
> I'm trying to get ssh working using gssapi-with-mic authentication. I have
> about 40 machines running CentOS 5.7. (My bigger goal is to use NFSv4
> mounts with "krb5p" security. All these machines mount the same NFSv4 share
> (think home directories) so my users need to be able to forward their TGT
> around.)
>
> What I'm ultimately running into is sshd complaining "Key table entry not
> found" on *most* of the servers---a random handful work, and I can't figure
> out how the working ones are different.
>
> So, here's an example: I'm trying to ssh from "lnxsvr3" to "lnxsvr11" using
> gssapi-with-mic authentication.
>
> Here's the output of trying to ssh:
> [matt at lnxsvr3 ~]$ ssh -v -o"PreferredAuthentications gssapi-with-mic" lnxsvr11
> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to lnxsvr11 [192.168.187.67] port 22.
> debug1: Connection established.
> debug1: identity file /mnt/home/matt/.ssh/identity type -1
> debug1: identity file /mnt/home/matt/.ssh/id_rsa type 1
> debug1: identity file /mnt/home/matt/.ssh/id_dsa type -1
> debug1: loaded 3 keys
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'lnxsvr11' is known and matches the RSA host key.
> debug1: Found key in /mnt/home/matt/.ssh/known_hosts:207
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-with-mic,password).
>
> On the server side, /var/log/secure, with sshd running with LogLevel DEBUG:
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
> Aug 7 11:53:06 lnxsvr11 sshd[4804]: debug1: Forked child 4998.
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: inetd sockets after dupping: 3, 3
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: Connection from 192.168.187.61 port 43559
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Client protocol version 2.0; client software version OpenSSH_4.3
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: match: OpenSSH_4.3 pat OpenSSH*
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Enabling compatibility mode for protocol 2.0
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Local version string SSH-2.0-OpenSSH_4.3
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: permanently_set_uid: 74/74
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEXINIT sent
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEXINIT received
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: kex: client->server aes128-ctr hmac-md5 none
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: kex: server->client aes128-ctr hmac-md5 none
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_NEWKEYS sent
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: expecting SSH2_MSG_NEWKEYS
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_NEWKEYS received
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: KEX done
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method none
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 0 failures 0
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: initializing for "matt"
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 1 failures 1
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: setting PAM_RHOST to "lnxsvr3.mydomain.com"
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: setting PAM_TTY to "ssh"
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: Postponed gssapi-with-mic for matt from 192.168.187.61 port 43559 ssh2
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Unspecified GSS failure. Minor code may provide more information\nKey table entry not found\n
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Got no client credentials
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 2 failures 2
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 3 failures 3
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: Connection closed by 192.168.187.61
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: do_cleanup
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: do_cleanup
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: cleanup
>
> Based on the web searching I've done for this issue, it seems the most common
> culprit is DNS issues. But as far as I can tell, my /etc/hosts and DNS are
> set up correctly and in agreement. So here is the output of various commands
> on lnxsvr11:
>
> [root at lnxsvr11 ~]# klist -ekt
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    5 08/07/12 11:39:04 host/lnxsvr11.mydomain.com at MYDOMAIN.COM (DES cbc mode with CRC-32)
>    5 08/07/12 11:39:45 nfs/lnxsvr11.mydomain.com at MYDOMAIN.COM (DES cbc mode with CRC-32)
>
> [root at lnxsvr11 ~]# hostname
> lnxsvr11.mydomain.com
> [root at lnxsvr11 ~]# hostname
> lnxsvr11
> [root at lnxsvr11 ~]# hostname -s
> lnxsvr11
> [root at lnxsvr11 ~]# hostname -f
> lnxsvr11.mydomain.com
>
> [root at lnxsvr11 ~]# grep 192.168.187.67 /etc/hosts
> 192.168.187.67 lnxsvr11.mydomain.com lnxsvr11
> [root at lnxsvr11 ~]# grep "lnxsvr11\." /etc/hosts
> 192.168.187.67 lnxsvr11.mydomain.com lnxsvr11
> [root at lnxsvr11 ~]# grep "lnxsvr11$" /etc/hosts
> 192.168.187.67 lnxsvr11.mydomain.com lnxsvr11
>
> [root at lnxsvr11 ~]# dig -x 192.168.187.67
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> -x 192.168.187.67
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13806
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;67.187.168.192.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 67.187.168.192.in-addr.arpa. 604800 IN PTR lnxsvr11.mydomain.com.
>
> ;; AUTHORITY SECTION:
> 187.168.192.in-addr.arpa. 604800 IN NS ns1.mydomain.com.
>
> ;; ADDITIONAL SECTION:
> ns1.mydomain.com. 604800 IN A 192.168.184.7
>
> ;; Query time: 1 msec
> ;; SERVER: 192.168.184.7#53(192.168.184.7)
> ;; WHEN: Tue Aug 7 11:59:35 2012
> ;; MSG SIZE rcvd: 120
>
> Can anyone see anything obvious that I'm missing?
What does the 'hostname' command return on your machine?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
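The check Simo is steering towards is a name mismatch: sshd's GSSAPI acceptor looks for a host/<name>@REALM key in the keytab, and "Key table entry not found" is what MIT krb5 reports when the name it resolved for the local host has no entry there. The script below is an added example, not code from the thread or from either poster. It parses a constructed `klist -ekt` listing modelled on the one above (a real listing prints "@" where the archive rendered " at "), compares the keytab's host/ principals against every name the acceptor might plausibly be asked for (what `hostname`, `hostname -f` and the PTR record return, supplied here as plain input rather than looked up), and reports which names would produce that error. It also flags single-DES keys, since those enctypes are deprecated (RFC 6649) and modern KDCs and clients refuse them. The realm, hostnames and timestamps are taken from the thread; the function names and the report format are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the thread's `klist -ekt` output on lnxsvr11.
# The mailing-list archive rendered "@" as " at "; a real listing uses "@".
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 08/07/12 11:39:04 host/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
   5 08/07/12 11:39:45 nfs/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
"""

# One keytab entry line: KVNO, a two-token timestamp, the principal, and the
# enctype in parentheses. Header, separator and "Keytab name:" lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.+)\)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str


def parse_klist(text):
    """Parse `klist -ekt` output into KeytabEntry records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(3), m.group(4)))
    return entries


def is_single_des(enctype):
    """MIT prints single-DES keys as 'DES cbc mode with ...'; 3DES starts with 'Triple'."""
    return enctype.startswith("DES cbc")


def check_host_principal(entries, candidate_names, realm):
    """Report which host/<name>@REALM principals the keytab can and cannot serve.

    candidate_names: every name the acceptor might resolve for the local host
    (short hostname, `hostname -f`, the PTR answer). Any name with no matching
    host/ entry is the "Key table entry not found" case from the thread.
    """
    present = {e.principal for e in entries}
    wanted = {name: f"host/{name}@{realm}" for name in candidate_names}
    missing = sorted(name for name, princ in wanted.items() if princ not in present)
    weak = sorted({e.principal for e in entries if is_single_des(e.enctype)})
    return {"missing": missing, "weak_enctype_principals": weak, "ok": not missing}


if __name__ == "__main__":
    # Names taken from the thread: `hostname` returned both forms at different times.
    names = ["lnxsvr11.mydomain.com", "lnxsvr11"]
    report = check_host_principal(parse_klist(SAMPLE_KLIST), names, "MYDOMAIN.COM")
    for name in report["missing"]:
        print(f"no keytab entry for host/{name}@MYDOMAIN.COM -> sshd would log 'Key table entry not found'")
    for princ in report["weak_enctype_principals"]:
        print(f"{princ}: only single-DES keys, deprecated by RFC 6649; re-key with AES")
```

Run against the real listing, feed it `klist -ekt` output and the exact strings returned by `hostname`, `hostname -f` and `dig -x` on each server; a host that works and one that fails should differ in the "missing" list, which is the comparison the original poster could not make by eye across 40 machines.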