LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 11-11-2010, 08:44 AM   #1
ibaniski
LQ Newbie
 
Registered: Nov 2008
Posts: 10

Rep: Reputation: 0
Lightbulb SSH w/ Kerberos


Hello all,

I am trying to setup Kerberos and (for now) use it as a mechanism for using SSH.

In my setup i have 3 boxes: client, server, kerberos; where client is where the SSH client will be used, server where I will try to log on to, and kerberos is the kerberos server.

The kerbeors server has the following (releavnt) principals: ibaniski (me), host/client, and host/server.

I have the appropriate keytabs on both client and server (I can use kinit -k host/client(or /server) and get the TGT. Similarly, I can do kinit to obtain a TGT for my user, ibaniski.


SO, when I try to `ssh server` after having obtained the TGT by `kinit` I get the following error message:
Permission denied (gssapi-keyex,gssapi-with-mic).


Could anyone please provide some feedback as to why this is happening and how I can fix it? In the process of running `ssh server` I actually end up getting the service ticket from kerberos; klist shows both.

My /etc/ssh/sshd_config on the server has the following:
PHP Code:
RSAAuthentication no
PubkeyAuthentication no

PasswordAuthentication no

KerberosAuthentication yes
KerberosGetAFSToken no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

UsePAM no 
and my /etc/ssh/ssh_config on the client has:
PHP Code:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes 

Here are some logs/outputs that might be of some use:
ssh -v server
PHP Code:
ssh -v server
debug1
Reading configuration data /etc/ssh/ssh_config
debug1
Applying options for *
debug1Connecting to server [192.168.1.101port 22.
debug1
Connection established.
debug1identity file /home/ibaniski/.ssh/identity type -1
debug1
identity file /home/ibaniski/.ssh/id_rsa type -1
debug1
identity file /home/ibaniski/.ssh/id_dsa type -1
debug1
Remote protocol version 2.0remote software version OpenSSH_5.3p1 Debian-3ubuntu4
debug1
matchOpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
debug1Enabling compatibility mode for protocol 2.0
debug1
Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
debug1
SSH2_MSG_KEXINIT sent
debug1
SSH2_MSG_KEXINIT received
debug1
kexserver->client aes128-ctr hmac-md5 none
debug1
kexclient->server aes128-ctr hmac-md5 none
debug1
SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192sent
debug1
expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1
SSH2_MSG_KEX_DH_GEX_INIT sent
debug1
expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1
Host 'server' is known and matches the RSA host key.
debug1Found key in /home/ibaniski/.ssh/known_hosts:1
debug1
ssh_rsa_verifysignature correct
debug1
SSH2_MSG_NEWKEYS sent
debug1
expecting SSH2_MSG_NEWKEYS
debug1
SSH2_MSG_NEWKEYS received
debug1
SSH2_MSG_SERVICE_REQUEST sent
debug1
SSH2_MSG_SERVICE_ACCEPT received
debug1
Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug1
Next authentication methodgssapi-keyex
debug1
No valid Key exchange context
debug1
Next authentication methodgssapi-with-mic
debug1
Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug1
Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug1
Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug1
No more authentication methods to try.
Permission denied (gssapi-keyex,gssapi-with-mic). 
and the log at the server
PHP Code:
sshd[1570]: Invalid user ibaniski from 192.168.1.102 
Any help would be greatly appreciated.

Regards,
ibaniski
 
  


Reply

Tags
kerberos, ssh, sshd


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH vs. IPSEC and Kerberos cccc Linux - Security 3 01-04-2010 11:40 AM
ssh + kerberos... less secure? genmaicha Linux - Security 3 11-25-2009 12:16 PM
Kerberos and SSH ceph Linux - Server 0 08-03-2009 11:28 AM
Kerberos and SSH l0rddarkf0rce Linux - Server 0 10-26-2008 04:50 PM
SSH and Kerberos l0rddarkf0rce Ubuntu 0 10-26-2008 02:30 AM


All times are GMT -5. The time now is 01:43 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration