LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 01-07-2012, 07:54 AM   #1
rysic
LQ Newbie
 
Registered: Aug 2011
Posts: 21

Rep: Reputation: Disabled
Question SSH connection using Kerberos


Hello!

I'm trying to configure SSH connections using Kerberos.
I can see that in SSH server /var/log/messages
Code:
an  7 15:26:43 testvis sshd[5065]: Invalid user test from 10.50.10.122
Jan  7 15:27:47 testvis sshd[5069]: pam_krb5[5069]: error resolving user name 'test' to uid/gid pair
Jan  7 15:27:47 testvis sshd[5069]: pam_krb5[5069]: error getting information about 'test'
Jan  7 15:27:47 testvis sshd[5069]: gkr-pam: error looking up user information for: test
Jan  7 15:28:28 testvis sshd[5069]: pam_unix2(sshd:auth): conversation failed
Jan  7 15:28:28 testvis sshd[5069]: error: ssh_msg_send: write

Masz nową pocztę w /var/mail/root
I can kinit test user and klist test user ticket, so there is no connection problem i think.

In SSH server config file (/etc/ssh/sshd_config) I have extra options:
Code:
PasswordAuthentication no
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanCredentials yes
AllowTcpForwarding
UsePAM yes
X11Forwarding yes
/etc/pam.d/common-auth
Code:
auth sufficient pam_krb5.so use_first_pass forwardable
/etc/pam.d/common-session
Code:
session sufficient pam_krb5.so
I am using OpenSUSE 11.4 and mit Kerberos.

What can be wrong?

Thank you in advance for help!
 
Old 01-08-2012, 07:38 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643
Does 'getent passwd' show kerberos accounts?
 
1 members found this post helpful.
Old 01-08-2012, 10:32 AM   #3
rysic
LQ Newbie
 
Registered: Aug 2011
Posts: 21

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by kbp View Post
Does 'getent passwd' show kerberos accounts?
In SSH server?
No, there is no test user.

Do I need to add test user (useradd) in SSH server?
Isn't it created when reading user from Kerberos?
 
Old 01-08-2012, 03:38 PM   #4
rysic
LQ Newbie
 
Registered: Aug 2011
Posts: 21

Original Poster
Rep: Reputation: Disabled
I added user in SSH server:
Code:
useradd test
and still cant login via SSH.

getent passwd shows:
Code:
# getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:105:106:User for Avahi:/var/run/avahi-daemon:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dnsmasq:x:104:65534:dnsmasq:/var/lib/empty:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
lxdm:x:107:109:LXDE Display Manager daemon:/var/lib/lxdm:/bin/false
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:101:103:User for D-Bus:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:102:NTP daemon:/var/lib/ntp:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:106:107:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
rtkit:x:103:105:RealtimeKit:/proc:/bin/false
sshd:x:100:101:SSH daemon:/var/lib/sshd:/bin/false
statd:x:102:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
kamil:x:1000:100:kamil:/home/kamil:/bin/bash
test:x:1001:100::/home/test:/bin/bash
That is output from SSH:
Code:
# ssh -vvv test@testvis.testit.pl
OpenSSH_5.8p1, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to testvis.testit.pl [10.50.10.199] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Incorrect RSA1 identifier
debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug1: match: OpenSSH_5.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "testvis.testit.pl" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 2a:99:6d:a5:4c:d5:56:9c:1c:e3:cd:6b:a7:b5:f1:97
debug3: load_hostkeys: loading entries for host "testvis.testit.pl" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.50.10.199" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'testvis.testit.pl' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0xb780d5c8)
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by 10.50.10.199
when SSH is connecting, in /var/log/messages
Code:
Jan  8 23:33:34 testvis sshd[6420]: Authorized to test, krb5 principal test@TESTIT.PL (krb5_kuserok)
In SSH client I have initiated Kerberos user (and also host appears when try to connect to SSH server):
Code:
# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@TESTIT.PL

Valid starting     Expires            Service principal
01/08/12 23:32:08  01/09/12 23:32:07  krbtgt/TESTIT.PL@TESTIT.PL
01/08/12 23:32:54  01/09/12 23:32:07  host/testvis.testit.pl@TESTIT.PL
What else can I check?
 
Old 01-08-2012, 04:31 PM   #5
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643
If no kerberos users were shown then you may need to configure /etc/nsswitch.conf ... it usually simpler to use the systems built in tools to configure kerberos rather than do it manually.
 
Old 01-08-2012, 04:55 PM   #6
rysic
LQ Newbie
 
Registered: Aug 2011
Posts: 21

Original Poster
Rep: Reputation: Disabled
But why do I have to edit nsswitch? What to change?
It is connected to Kerberos somehow?

Kerberos configuration looks OK i thing. User can kinit. Host has it key. Problem is with SSH connection. But I don't know about any SSH built in configurators.

Last edited by rysic; 01-08-2012 at 05:00 PM.
 
Old 01-08-2012, 05:37 PM   #7
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643
Quote:
Jan 7 15:27:47 testvis sshd[5069]: pam_krb5[5069]: error resolving user name 'test' to uid/gid pair
Jan 7 15:27:47 testvis sshd[5069]: pam_krb5[5069]: error getting information about 'test'
.. this seems to indicate that kerberos users cannot be resolved, remove the local 'test' user you created and try using yast to configure kerberos.
 
Old 01-08-2012, 06:05 PM   #8
rysic
LQ Newbie
 
Registered: Aug 2011
Posts: 21

Original Poster
Rep: Reputation: Disabled
I tried to configure Kerberos client via Yast. There are the same settings...
There is no difference if I configure Kerberos client via Yast or files.

Last edited by rysic; 01-08-2012 at 06:07 PM.
 
Old 01-08-2012, 06:10 PM   #9
rysic
LQ Newbie
 
Registered: Aug 2011
Posts: 21

Original Poster
Rep: Reputation: Disabled
I'm sorry in SSH server, when I add user, there is different line in /var/log/messages:
Code:
Authorized to test, krb5 principal test@TESTIT.PL (krb5_kuserok)
So why connecion is closed? :/
 
Old 01-08-2012, 06:33 PM   #10
rysic
LQ Newbie
 
Registered: Aug 2011
Posts: 21

Original Poster
Rep: Reputation: Disabled
Vert, vert, vert strange!!!
I commented in /etc/pam.d/common-session
Code:
session    required    pam_krb5.so
and in /etc/pam.d/common-account
Code:
account    require    pam_krb5.so    use_first_pass
And it is working! I'm so happy! I'm fighting many days with this!
Thank you for help!
 
  


Reply

Tags
kerberos


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh and kerberos error: Server not found in Kerberos database Felipe Linux - Server 1 01-17-2011 03:12 AM
SSH w/ Kerberos ibaniski Linux - Security 0 11-11-2010 08:44 AM
Kerberos and SSH ceph Linux - Server 0 08-03-2009 11:28 AM
Kerberos and SSH l0rddarkf0rce Linux - Server 0 10-26-2008 04:50 PM
SSH and Kerberos l0rddarkf0rce Ubuntu 0 10-26-2008 02:30 AM


All times are GMT -5. The time now is 07:47 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration