still have password authentication with ssh

Douglas E. Engert deengert at anl.gov
Mon Jul 23 10:55:31 EDT 2007 


Nils Achtergarde wrote:
> Douglas E. Engert schrieb:
>> The more interesting log would have been from sshd.
> Can't find a sshd-logfile.
> I tried to run the ssh-krb5 with -d switch for debugging, but this
> doesn't seem to work for the kerberized ssh-daemon.
> How do I get any debug messages?

You should beable to starta sshd deamin with debugging on a seperate port,

something like:

  /usr/sbin/sshd -d -d -d -p 2222

then have the client connect to this port.

  ssh -p 2222 ...

>>
>> Doc_symbiosis wrote:
>>> Hi,
>>>
>>> I'm just testing Kerberos and wonder, why ssh still wants a password. On
>>> both PCs ( server with Ubuntu feisty client with Ubuntu Dapper ), the
>>> user
>>> has the krbTGT and after running the ssh-command on the client, I
>>> also have
>>> a host ticket of the server on it.
>> Do the user names and the principal name in the ticket match?
> The username and the principal's name in the ticket match.
>> It could be you need to have a ~/.k5login file in the home directory
>> of the user on the server side.
>>
>> It could also be the service principal name used by the server does
>> not agree with what sshd thinks it should be, and so sshd can not
>> find the service principal in the kerberos keytab file on the server.
>>
> What principal does the sshd expect? I searched a long time, didn't get
> any information and ao I added ssh/myserver.mydom.loc as service pricipal.

No it is expecting host/myserver.mydom.loc at realm

All the "login" type daemons (krlogin, ksh, telnet, pam_krb5) use the "host"
service name, as they all in effect login the user.


> But I thought, that i can spare this with kerberized ssh.
You mght, if the sshd_config
>> The syslog and/or the debug output of the sshd should show the above.
>>
>>> Here's the output of ssh -v user at server
>>> <code>
>>> OpenSSH_3.8.1p1  Debian-krb5 3.8.1p1-10, OpenSSL 0.9.7g 11 Apr 2005
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: Connecting to nils.bfk.loc [192.168.1.210] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /root/.ssh/identity type -1
>>> debug1: identity file /root/.ssh/id_rsa type -1
>>> debug1: identity file /root/.ssh/id_dsa type -1
>>> debug1: Remote protocol version 2.0, remote software version
>>> OpenSSH_4.3p2
>>> Debian-8ubuntu1
>>> debug1: match: OpenSSH_4.3p2 Debian-8ubuntu1 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1  Debian-krb5
>>> 3.8.1p1-10
>>> debug1: Mechanism encoded as toWM5Slw5Ew8Mqkay+al2g==
>>> debug1: Mechanism encoded as A/vxljAEU54gt9a48EiANQ==
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: server->client aes128-cbc hmac-md5 none
>>> debug1: kex: client->server aes128-cbc hmac-md5 none
>>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>>> debug1: Host 'nils.bfk.loc' is known and matches the RSA host key.
>>> debug1: Found key in /root/.ssh/known_hosts:2
>>> debug1: ssh_rsa_verify: signature correct
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug1: Authentications that can continue:
>>> publickey,gssapi-keyex,gssapi-with-mic,password
>>> debug1: Next authentication method: gssapi-with-mic
>>> debug1: Authentications that can continue:
>>> publickey,gssapi-keyex,gssapi-with-mic,password
>>> debug1: Authentications that can continue:
>>> publickey,gssapi-keyex,gssapi-with-mic,password
>>> debug1: Next authentication method: publickey
>>> debug1: Trying private key: /root/.ssh/identity
>>> debug1: Trying private key: /root/.ssh/id_rsa
>>> debug1: Trying private key: /root/.ssh/id_dsa
>>> debug1: Next authentication method: password
>>> </code>
>>>
>>> I have installed ssh-krb5 on both PCs and set    
>>> GSSAPIAuthentication yes
>>>     GSSAPIDelegateCredentials yes
>>> in the ssh_config and in sshd_config I have set
>>>      GSSAPIAuthentication yes
>>>      GSSAPICleanupCredentials yes
>>>
>>> Anyone got an idea, what's wrong?
>>> I followed two instructions command by command, but both end in the same
>>> result.
>>> Thanks in advance
>>>
>>>
> So, my main problem is to get any debug report from ssh-krb5.
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list