still have password authentication with ssh

Douglas E. Engert deengert at anl.gov
Mon Jul 23 17:39:55 EDT 2007



Nils Achtergarde wrote:
> I'm sorry for the confusion, but the nils-PC was from an old
> installation. So now from scratch:
> 
> I'm getting password authentication, although I've installed Kerberos.
> So what am I missing?
> 
> The KDC and admin-server is called filebase.bfk.loc, the ssh-server is
> called kerb-server.fra.loc and the ssh-client kerb-client.fra.loc.
> The user is called nils. The realm is called BFK.LOC.

Oh.
Does the krb5.conf on both server and client have a
[domain_realm]
   .fra.loc = BFK.LOC

Both the client and server use this to derive a realm name from
a host name. Without this the server may be assuming it is in realm FRA.LOC.

> 
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> The debug on the ssh-server:
> 
> Jul 23 15:58:09 kerb-server sshd[3215]: Connection from ::ffff:10.0.0.90
> port 50968
> Jul 23 15:58:09 kerb-server sshd[3185]: debug1: Forked child 3215.
> Jul 23 15:58:09 kerb-server sshd[3215]: debug1: Client protocol version
> 2.0; client software version OpenSSH_3.8.1p1  Debian-krb5 3.8.1p1-10
> Jul 23 15:58:09 kerb-server sshd[3215]: debug1: match: OpenSSH_3.8.1p1 
> Debian-krb5 3.8.1p1-10 pat OpenSSH*
> Jul 23 15:58:09 kerb-server sshd[3215]: debug1: Enabling compatibility
> mode for protocol 2.0
> Jul 23 15:58:09 kerb-server sshd[3215]: debug1: Local version string
> SSH-2.0-OpenSSH_3.8.1p1  Debian-krb5 3.8.1p1-10
> Jul 23 15:58:09 kerb-server sshd[3215]: debug2: Network child is on pid 3216
> Jul 23 15:58:09 kerb-server sshd[3215]: debug1: Miscellaneous failure No
> principal in keytab matches desired name
> Jul 23 15:58:09 kerb-server sshd[3215]: debug1: Miscellaneous failure No
> principal in keytab matches desired name
> Jul 23 15:58:09 kerb-server sshd[3215]: debug2: monitor_read: 0 used
> once, disabling now
> Jul 23 15:58:09 kerb-server sshd[3215]: debug2: monitor_read: 4 used
> once, disabling now
> Jul 23 15:58:09 kerb-server sshd[3215]: debug2: monitor_read: 6 used
> once, disabling now
> Jul 23 15:58:09 kerb-server sshd[3215]: debug1: PAM: initializing for "nils"
> Jul 23 15:58:09 kerb-server sshd[3215]: debug1: PAM: setting PAM_RHOST
> to "kerb-client"
> Jul 23 15:58:09 kerb-server sshd[3215]: debug1: PAM: setting PAM_TTY to
> "ssh"
> Jul 23 15:58:09 kerb-server sshd[3215]: debug2: monitor_read: 51 used
> once, disabling now
> Jul 23 15:58:09 kerb-server sshd[3215]: debug2: monitor_read: 3 used
> once, disabling now
> Jul 23 15:58:09 kerb-server sshd[3215]: Failed none for nils from
> ::ffff:10.0.0.90 port 50968 ssh2
> Jul 23 15:58:09 kerb-server sshd[3215]: debug1: Miscellaneous failure No
> principal in keytab matches desired name
> Jul 23 15:58:15 kerb-server sshd[3215]: debug1: do_cleanup
> Jul 23 15:58:15 kerb-server sshd[3215]: debug1: PAM: cleanup
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> "klist -k" on kerb-server:
>    3 host/kerb-server.fra.loc at BFK.LOC
>    3 host/kerb-server.fra.loc at BFK.LOC
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> "klist -k" on kerb-client:  
>    3 host/kerb-client.fra.loc at BFK.LOC
>    3 host/kerb-client.fra.loc at BFK.LOC
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> "klist" on kerb-client before connecting:
> Ticket cache: FILE:/tmp/krb5cc_1001_N3rPSz
> Default principal: nils at BFK.LOC
> 
> Valid starting     Expires            Service principal
> 07/23/07 15:57:28  07/24/07 01:57:28  krbtgt/BFK.LOC at BFK.LOC
>         renew until 07/24/07 15:57:24
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> "klist" on kerb-client after trying to connect:
> Ticket cache: FILE:/tmp/krb5cc_1001_N3rPSz
> Default principal: nils at BFK.LOC
> 
> Valid starting     Expires            Service principal
> 07/23/07 15:57:28  07/24/07 01:57:28  krbtgt/BFK.LOC at BFK.LOC
>         renew until 07/24/07 15:57:24
> 07/23/07 15:58:12  07/24/07 01:57:28  host/kerb-server.fra.loc at BFK.LOC
>         renew until 07/24/07 15:57:24
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> "kadmin.local -q "listprincs"" on filebase.bfk.loc:
> 
> K/M at BFK.LOC
> admin/admin at BFK.LOC
> host/filebase.bfk.loc at BFK.LOC
> host/kerb-client-new.fra.loc at BFK.LOC
> host/kerb-client.fra.loc at BFK.LOC
> host/kerb-server.fra.loc at BFK.LOC
> host/nils.bfk.loc at BFK.LOC
> kadmin/admin at BFK.LOC
> kadmin/changepw at BFK.LOC
> kadmin/filebase at BFK.LOC
> kadmin/history at BFK.LOC
> krbtgt/BFK.LOC at BFK.LOC
> nils/admin at BFK.LOC
> nils at BFK.LOC
> root/admin at BFK.LOC
> root at BFK.LOC
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
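To make the point of the reply concrete, here is an added example (not code from the thread or from MIT krb5) that models the [domain_realm] lookup in simplified form: an exact host entry wins, a leading-dot entry covers every host under that domain, the most specific entry is tried first, and with no entry the uppercased parent domain is used. The function names, the dictionaries and the keytab set are constructed from the host names in the thread.

```python
# Simplified model of how krb5 maps a host name to a realm via [domain_realm].
# This is an illustrative reconstruction for the thread above, not MIT krb5's
# own implementation; DNS TXT lookups and other fallbacks are left out.

def host_to_realm(hostname: str, domain_realm: dict) -> str:
    """Map a host name to a realm name using [domain_realm] rules (simplified)."""
    host = hostname.lower().rstrip(".")
    # 1. An entry for the exact host name (no leading dot) wins outright.
    if host in domain_realm:
        return domain_realm[host]
    # 2. Walk the parent domains from most to least specific:
    #    kerb-server.fra.loc -> ".fra.loc" -> ".loc"
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    # 3. No mapping: fall back to the uppercased parent domain, which is
    #    exactly how the server ends up assuming it lives in FRA.LOC.
    return ".".join(labels[1:]).upper()

def keytab_has_host_principal(hostname: str, domain_realm: dict, keytab: set):
    """Return the host principal sshd will look for and whether the keytab has it."""
    wanted = f"host/{hostname}@{host_to_realm(hostname, domain_realm)}"
    return wanted, wanted in keytab

# Constructed from the thread: what "klist -k" on kerb-server showed.
KEYTAB = {"host/kerb-server.fra.loc@BFK.LOC"}
WITHOUT_MAPPING = {}                      # krb5.conf lacking [domain_realm]
WITH_MAPPING = {".fra.loc": "BFK.LOC"}    # the entry the reply asks about

if __name__ == "__main__":
    for label, conf in (("without", WITHOUT_MAPPING), ("with", WITH_MAPPING)):
        wanted, ok = keytab_has_host_principal("kerb-server.fra.loc", conf, KEYTAB)
        status = "found" if ok else "No principal in keytab matches desired name"
        print(f"{label} [domain_realm] mapping: wants {wanted}: {status}")
```

Run as-is it shows the mismatch from the debug log for the unmapped case and a keytab hit once the mapping is present.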
