
single sign on woes

daemon@ATHENA.MIT.EDU (john smith)
Tue Feb 12 14:19:42 2008

Message-ID: <3a1324ab0802120035j282badd8ued0f9aeac36d2f17@mail.gmail.com>
Date: Tue, 12 Feb 2008 03:35:01 -0500
From: "john smith" <jsmithk08@gmail.com>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello folks,

I have gone through the mail archive for suggestions but I can't seem to
make headway. I am not sure what I am missing. Am I supposed to export the
contents of krb5.keytab and copy them to the client systems? I can't even
log on to the kerb server. The ssh session just drops to the console.

Would appreciate some help on this.

Thank you,
John

system: etch 32
-----------------
id will
uid=4301(will) gid=4301(will) groups=4301(will)

--------------------------
pam

 grep krb5 /etc/pam.d/common-*
/etc/pam.d/common-account: account  required  pam_krb5.so minimum_uid=1000 forwardable
/etc/pam.d/common-auth:auth    sufficient      pam_krb5.so minimum_uid=1000 forwardable
/etc/pam.d/common-password:password   sufficient pam_krb5.so minimum_uid=1000 forwardable
/etc/pam.d/common-session:session  optional  pam_krb5.so minimum_uid=1000 forwardable



---------------
/etc/ssh/sshd_config
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

-----
/etc/ssh/ssh_config

 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes

-------------


/etc/krb5.conf
[libdefaults]
        default_realm = FOO.BAR.COM

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        FOO.BAR.COM = {
                kdc = foo.bar.com
                admin_server = foo.bar.com
        }

[domain_realm]

[login]
        krb4_convert = true
        krb4_get_tickets = false
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
[appdefaults]
               forwardable = true
               pam = {
                   minimum_uid = 1000
               }


--------
/etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
     FOO.BAR.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth, +forwardable
        kadmind_port = 749
    }

[logging]
         kdc = FILE:/var/log/krb5kdc/kdc.log
         admin_server = FILE:/var/log/krb5kdc/kadmin.log
------------------------------------------
kadmin.local listprinc
K/M@FOO.BAR.COM
testuser@FOO.BAR.COM
host/test1.bar.com@FOO.BAR.COM
host/test2.bar.com@FOO.BAR.COM
host/test3.bar.com@FOO.BAR.COM
host/test4.bar.com@FOO.BAR.COM
kadmin/admin@FOO.BAR.COM
kadmin/changepw@FOO.BAR.COM
kadmin/history@FOO.BAR.COM
kadmin/foo.bar.com@FOO.BAR.COM
krbtgt/FOO.BAR.COM@FOO.BAR.COM
will/admin@FOO.BAR.COM

I have run ktadd -k /etc/krb5.keytab <hostname> for all the test clients on
the kerbserver foo.bar.com.

I can run kinit will/admin on any of the client systems.
--------------------------------
test2:~# ssh will@test1 (fails)

test2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: will/admin@FOO.BAR.COM

Valid starting     Expires            Service principal
02/12/08 08:05:45  02/12/08 18:05:45  krbtgt/FOO.BAR.COM@FOO.BAR.COM
        renew until 02/13/08 08:05:42
02/12/08 08:05:53  02/12/08 18:05:45  host/test1.bar.com@FOO.BAR.COM
        renew until 02/13/08 08:05:42


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
test2:~#
--------------------
From /var/log/krb5kdc.log on the kerbserver foo:

Feb 12 08:22:12 foo.bar.com krb5kdc[12645](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.41.1.131: ISSUE: authtime 1202803545, etypes {rep=16 tkt=16 ses=16}, will/admin@foo.bar.com for host/test3.bar.com@foo.bar.com

-------------------------------

 ssh -v -v -v -o PreferredAuthentications=gssapi-with-mic will@foo
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to foo [w.x.y.z] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9
debug1: match: OpenSSH_4.3p2 Debian-9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 526/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 4
debug1: Host 'foo' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug2: bits set: 506/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-keyex
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive).
root@testserver
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
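An added defender-side check, not part of the original post or of MIT Kerberos: the functions below parse a krb5kdc `TGS_REQ ... ISSUE` line of the shape quoted above and a `kdc.conf` `supported_enctypes` line, and report any single-DES or RC4 enctype the KDC actually used or is configured to offer. The etype numbers are the RFC 3961/3962/4757 assignments; the log line and config fragment embedded below are constructed to mirror the post, and the realm, host and IP in them are placeholders.

```python
import re

# Encryption type numbers from RFC 3961/3962/4757; only the ones that appear
# in the posted KDC log are listed here.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Single DES and RC4: a ticket or session key using these is what to surface.
WEAK_ETYPES = {1, 2, 3, 23}

TGS_ISSUE = re.compile(
    r"TGS_REQ \((?P<n>\d+) etypes \{(?P<offered>[\d ]+)\}\) (?P<ip>[\d.]+): "
    r"ISSUE: authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) "
    r"tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, (?P<client>\S+) for (?P<service>\S+)")

def parse_tgs_issue(line):
    """Parse one krb5kdc 'TGS_REQ ... ISSUE' line; None if it is not one."""
    m = TGS_ISSUE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(x) for x in rec["offered"].split()]  # client's list
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key])  # reply, ticket and session-key enctypes
    return rec

def weak_etypes_used(line):
    """Sorted names of weak enctypes the KDC actually used for rep/tkt/ses."""
    rec = parse_tgs_issue(line)
    if rec is None:
        return []
    return sorted({ETYPES.get(rec[k], str(rec[k]))
                   for k in ("rep", "tkt", "ses") if rec[k] in WEAK_ETYPES})

def weak_supported_enctypes(kdc_conf):
    """Distinct single-DES / RC4 names in a kdc.conf supported_enctypes line."""
    m = re.search(r"supported_enctypes\s*=\s*(.+)", kdc_conf)
    if not m:
        return []
    names = [entry.split(":")[0] for entry in m.group(1).split()]  # drop :salt
    return sorted({n for n in names if n == "des" or n.startswith(("des-", "rc4"))})

# Constructed samples mirroring the post (placeholder realm, host and IP).
SAMPLE_LOG = ("Feb 12 08:22:12 foo.bar.com krb5kdc[12645](info): TGS_REQ (7 etypes "
              "{18 17 16 23 1 3 2}) 10.41.1.131: ISSUE: authtime 1202803545, etypes "
              "{rep=16 tkt=16 ses=16}, will/admin@foo.bar.com for host/test3.bar.com@foo.bar.com")
SAMPLE_KDC_CONF = ("[realms]\n FOO.BAR.COM = {\n  supported_enctypes = des3-hmac-sha1:normal "
                   "des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3\n }\n")

if __name__ == "__main__":
    print(parse_tgs_issue(SAMPLE_LOG)["service"], weak_etypes_used(SAMPLE_LOG))
    print(weak_supported_enctypes(SAMPLE_KDC_CONF))
```

The posted log line is clean (des3 everywhere), so the first check is empty, while the posted kdc.conf still offers single DES and is flagged.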