Single Sign on not working

Mauricio Tavares raubvogel at gmail.com
Mon Mar 5 09:38:51 EST 2012


On Mon, Mar 5, 2012 at 9:18 AM, Basil Kurian <basilkurian at gmail.com> wrote:
> Hi
>
>
> I'm trying to implement single sign-on using Kerberos+LDAP. I'm able to
> log in to servers, but the next time I'm also asked to enter credentials. That
> is, authentication is working, but the single sign-on feature is not working.
>
>
>
> [root at client ~]# ssh bkurian at ldap2.shadow.com
> bkurian at ldap2.shadow.com's password:
> Last login: Mon Mar  5 19:39:11 2012 from client.shadow.com
> [bkurian at ldap2 ~]$ logout
>
> Connection to ldap2.shadow.com closed.
> [root at client ~]# ssh bkurian at ldap2.shadow.com  -vvv
> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to ldap2.shadow.com [192.168.122.48] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: identity file /root/.ssh/identity type -1
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: loaded 3 keys
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 115/256
> debug2: bits set: 550/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 4
> debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 4
> debug1: Host 'ldap2.shadow.com' is known and matches the RSA host key.
> debug1: Found key in /root/.ssh/known_hosts:4
> debug2: bits set: 528/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /root/.ssh/identity ((nil))
> debug2: key: /root/.ssh/id_rsa ((nil))
> debug2: key: /root/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password
> debug3: start over, passed a different list
> publickey,gssapi-with-mic,password
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug3: Trying to reverse map address 192.168.122.48.
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No credentials cache found
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No credentials cache found
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No credentials cache found
>
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /root/.ssh/identity
> debug3: no such identity: /root/.ssh/identity
> debug1: Trying private key: /root/.ssh/id_rsa
> debug3: no such identity: /root/.ssh/id_rsa
> debug1: Trying private key: /root/.ssh/id_dsa
> debug3: no such identity: /root/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> bkurian at ldap2.shadow.com's password:
>
>
>
>
> *This is what the KDC logs look like*
>
>
> Mar 05 19:44:06 kdc.shadow.com krb5kdc[21385](info): AS_REQ (12 etypes {18
> 17 16 23 1 3 2 11 10 15 12 13}) 192.168.122.48: ISSUE: authtime 1330956846,
> etypes {rep=16 tkt=16 ses=16}, bkurian at SHADOW.COM for krbtgt/
> SHADOW.COM at SHADOW.COM
> Mar 05 19:44:06 kdc.shadow.com krb5kdc[21385](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.122.48: ISSUE: authtime 1330956846, etypes {rep=16
> tkt=16 ses=16}, bkurian at SHADOW.COM for host/ldap2.shadow.com at SHADOW.COM
>
>
>
>
> *This is what the sshd logs on the remote server look like*
>
>
> Mar  5 19:44:08 ldap2 sshd[2917]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.shadow.com
> user=bkurian
> Mar  5 19:44:08 ldap2 sshd[2917]: pam_krb5[2917]: TGT verified using key
> for 'host/ldap2.shadow.com at SHADOW.COM'
> Mar  5 19:44:08 ldap2 sshd[2917]: pam_krb5[2917]: authentication succeeds
> for 'bkurian' (bkurian at SHADOW.COM)
> Mar  5 19:44:08 ldap2 sshd[2917]: Accepted password for bkurian from
> 192.168.122.140 port 56598 ssh2
> Mar  5 19:44:08 ldap2 sshd[2917]: pam_unix(sshd:session): session opened
> for user bkurian by (uid=0)
>
See if you can find out why ssh thinks you do not have a cache file:

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

Does klist (as root?) still report a proper working ticket? Did you
ssh successfully, then log out, make coffee, and try again, and that is when
it failed?

>
>
> --
> Regards
>
> Basil
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
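As an added example (not part of the thread), a small Python script that correlates the client's `ssh -vvv` output with the KDC log to show why GSSAPI was skipped: the only AS_REQ in the KDC log comes from 192.168.122.48 (ldap2, the ssh server, per the "Connecting to" line), not from the client at 192.168.122.140 (per the "Accepted password ... from" line), so the TGT was obtained by the server's pam_krb5 during password authentication and the client never had a credential cache to present. The log excerpts are constructed from the ones quoted above, and the function names are my own.

```python
import re

# Constructed excerpts modelled on the ssh -vvv and KDC output quoted in the
# thread; the '@' that the list archive rewrote as ' at ' is restored here.
SSH_DEBUG = """\
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
bkurian@ldap2.shadow.com's password:
"""
KDC_LOG = """\
Mar 05 19:44:06 kdc.shadow.com krb5kdc[21385](info): AS_REQ (12 etypes {18 17 16 23}) 192.168.122.48: ISSUE: authtime 1330956846, etypes {rep=16 tkt=16 ses=16}, bkurian@SHADOW.COM for krbtgt/SHADOW.COM@SHADOW.COM
Mar 05 19:44:06 kdc.shadow.com krb5kdc[21385](info): TGS_REQ (7 etypes {18 17 16}) 192.168.122.48: ISSUE: authtime 1330956846, etypes {rep=16 tkt=16 ses=16}, bkurian@SHADOW.COM for host/ldap2.shadow.com@SHADOW.COM
"""

# krb5kdc ISSUE line: request type, requesting IP, client principal, service principal.
KDC_RE = re.compile(r"(AS_REQ|TGS_REQ) \(.*?\) (\d+(?:\.\d+){3}): ISSUE: .*, (\S+) for (\S+)$")

def parse_ssh_auth(debug_text):
    """Methods the client tried, GSS minor-code messages, and the method that ended in a prompt."""
    tried, gss_errors, prompted = [], [], None
    lines = debug_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"debug1: Next authentication method: (\S+)", line)
        if m:
            tried.append(m.group(1))
        # The minor-code text is printed on the line after 'Unspecified GSS failure'.
        if line.startswith("debug1: Unspecified GSS failure") and i + 1 < len(lines):
            gss_errors.append(lines[i + 1].strip())
        if line.endswith("'s password:"):
            prompted = "password"
    return tried, gss_errors, prompted

def parse_kdc(log_text):
    """Each ISSUE line as (request type, requesting IP, client principal, service principal)."""
    return [m.groups() for m in (KDC_RE.search(l) for l in log_text.splitlines()) if m]

def diagnose(debug_text, kdc_text, client_ip):
    tried, gss_errors, prompted = parse_ssh_auth(debug_text)
    as_req_from = sorted({ip for kind, ip, _, _ in parse_kdc(kdc_text) if kind == "AS_REQ"})
    return {
        "gssapi_tried": "gssapi-with-mic" in tried,
        "gssapi_error": gss_errors[0] if gss_errors else None,
        "fell_back_to": prompted,
        "as_req_from": as_req_from,
        # If no AS_REQ came from the ssh client, the TGT was obtained elsewhere (here by
        # the server's pam_krb5 during password auth), so the client has no cache to use.
        "client_obtained_tgt": client_ip in as_req_from,
    }
```

Run `diagnose(SSH_DEBUG, KDC_LOG, "192.168.122.140")` to get the verdict for the thread's case; a client that had run kinit would show its own IP in `as_req_from`.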
