01-07-2012, 07:54 AM, #1 (LQ Newbie, Registered: Aug 2011, Posts: 21)
SSH connection using Kerberos
Hello!
I'm trying to configure SSH connections using Kerberos.
I can see this in the SSH server's /var/log/messages:
Code:
Jan 7 15:26:43 testvis sshd[5065]: Invalid user test from 10.50.10.122
Jan 7 15:27:47 testvis sshd[5069]: pam_krb5[5069]: error resolving user name 'test' to uid/gid pair
Jan 7 15:27:47 testvis sshd[5069]: pam_krb5[5069]: error getting information about 'test'
Jan 7 15:27:47 testvis sshd[5069]: gkr-pam: error looking up user information for: test
Jan 7 15:28:28 testvis sshd[5069]: pam_unix2(sshd:auth): conversation failed
Jan 7 15:28:28 testvis sshd[5069]: error: ssh_msg_send: write
Masz nową pocztę w /var/mail/root
I can kinit the test user and klist the test user's ticket, so there is no connection problem, I think.
In SSH server config file (/etc/ssh/sshd_config) I have extra options:
Code:
PasswordAuthentication no
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanCredentials yes
AllowTcpForwarding
UsePAM yes
X11Forwarding yes
/etc/pam.d/common-auth
Code:
auth sufficient pam_krb5.so use_first_pass forwardable
/etc/pam.d/common-session
Code:
session sufficient pam_krb5.so
I am using OpenSUSE 11.4 and MIT Kerberos.
What can be wrong?
Thank you in advance for help!
01-08-2012, 07:38 AM, #2 (Senior Member, Registered: Aug 2009, Posts: 3,790)
Does 'getent passwd' show kerberos accounts?
01-08-2012, 10:32 AM, #3 (LQ Newbie, Original Poster)
Quote (Originally Posted by kbp):
Does 'getent passwd' show kerberos accounts?
In SSH server?
No, there is no test user.
Do I need to add test user (useradd) in SSH server?
Isn't it created when reading user from Kerberos?
01-08-2012, 03:38 PM, #4 (LQ Newbie, Original Poster)
I added the user on the SSH server and still can't log in via SSH.
getent passwd shows:
Code:
# getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:105:106:User for Avahi:/var/run/avahi-daemon:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dnsmasq:x:104:65534:dnsmasq:/var/lib/empty:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
lxdm:x:107:109:LXDE Display Manager daemon:/var/lib/lxdm:/bin/false
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:101:103:User for D-Bus:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:102:NTP daemon:/var/lib/ntp:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:106:107:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
rtkit:x:103:105:RealtimeKit:/proc:/bin/false
sshd:x:100:101:SSH daemon:/var/lib/sshd:/bin/false
statd:x:102:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
kamil:x:1000:100:kamil:/home/kamil:/bin/bash
test:x:1001:100::/home/test:/bin/bash
This is the output from SSH:
Code:
# ssh -vvv test@testvis.testit.pl
OpenSSH_5.8p1, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to testvis.testit.pl [10.50.10.199] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Incorrect RSA1 identifier
debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug1: match: OpenSSH_5.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "testvis.testit.pl" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 2a:99:6d:a5:4c:d5:56:9c:1c:e3:cd:6b:a7:b5:f1:97
debug3: load_hostkeys: loading entries for host "testvis.testit.pl" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.50.10.199" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'testvis.testit.pl' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0xb780d5c8)
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by 10.50.10.199
When SSH is connecting, /var/log/messages shows:
Code:
Jan 8 23:33:34 testvis sshd[6420]: Authorized to test, krb5 principal test@TESTIT.PL (krb5_kuserok)
On the SSH client I have initialized the Kerberos user (and the host ticket also appears when I try to connect to the SSH server):
Code:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@TESTIT.PL
Valid starting Expires Service principal
01/08/12 23:32:08 01/09/12 23:32:07 krbtgt/TESTIT.PL@TESTIT.PL
01/08/12 23:32:54 01/09/12 23:32:07 host/testvis.testit.pl@TESTIT.PL
What else can I check?
01-08-2012, 04:31 PM, #5 (Senior Member, Registered: Aug 2009, Posts: 3,790)
If no kerberos users were shown then you may need to configure /etc/nsswitch.conf ... it is usually simpler to use the system's built-in tools to configure kerberos rather than do it manually.
01-08-2012, 04:55 PM, #6 (LQ Newbie, Original Poster)
But why do I have to edit nsswitch? What should I change?
Is it connected to Kerberos somehow?
The Kerberos configuration looks OK, I think. The user can kinit. The host has its key. The problem is with the SSH connection. But I don't know of any SSH built-in configurators.
Last edited by rysic; 01-08-2012 at 05:00 PM .
01-08-2012, 05:37 PM, #7 (Senior Member, Registered: Aug 2009, Posts: 3,790)
Quote:
Jan 7 15:27:47 testvis sshd[5069]: pam_krb5[5069]: error resolving user name 'test' to uid/gid pair
Jan 7 15:27:47 testvis sshd[5069]: pam_krb5[5069]: error getting information about 'test'
... this seems to indicate that kerberos users cannot be resolved. Remove the local 'test' user you created and try using yast to configure kerberos.
01-08-2012, 06:05 PM, #8 (LQ Newbie, Original Poster)
I tried to configure Kerberos client via Yast. There are the same settings...
There is no difference if I configure Kerberos client via Yast or files.
Last edited by rysic; 01-08-2012 at 06:07 PM .
01-08-2012, 06:10 PM, #9 (LQ Newbie, Original Poster)
I'm sorry; on the SSH server, when I add the user, there is a different line in /var/log/messages:
Code:
Authorized to test, krb5 principal test@TESTIT.PL (krb5_kuserok)
So why is the connection closed? :/
01-08-2012, 06:33 PM, #10 (LQ Newbie, Original Poster)
Very, very, very strange!!!
I commented out in /etc/pam.d/common-session
Code:
session required pam_krb5.so
and in /etc/pam.d/common-account
Code:
account require pam_krb5.so use_first_pass
And it is working! I'm so happy! I've been fighting with this for many days!
Thank you for help!
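The two questions the thread circles around are "does NSS know the user at all?" (posts #2 and #5: Kerberos proves who a principal is, but the uid/gid pair that pam_krb5 and sshd complain about must come from an NSS source such as files or LDAP) and "why does the login die after sshd has already logged 'Authorized to test ... (krb5_kuserok)'?" (post #10, resolved by commenting out the pam_krb5 account and session lines). The script below is an added example, not code from any of the posters; it runs offline over input constructed from the snippets in this thread and never touches a live system or a KDC. The function names (parse_pam_line, lint_pam, lint_sshd_config, find_passwd_entry, run_checks) are my own. It flags two things a practitioner would check before deleting PAM lines: the posted common-account line uses the control word 'require', which is not a PAM control keyword (the valid ones are required, requisite, sufficient, optional, include, substack or a bracketed action list), and 'use_first_pass' is meaningless in an account stack because no password is exchanged there. Whether that misspelling is what broke the login is not established in the thread; removing pam_krb5 from the account and session stacks also removes whatever account-stage checks that module was doing, so fixing the line is the better first move. It also reports the sshd_config line 'AllowTcpForwarding' posted without a value, which sshd refuses to load.

```python
"""Offline checks for the sshd_config, PAM and passwd data in this thread.

Added example, not code from the original posts. All input below is
constructed from the snippets posted in the thread (the pam.d lines, the
sshd_config extract and a few getent lines); it reads nothing from a live
system and never contacts a KDC.
"""
import re

# Keyword control values Linux-PAM accepts; the bracketed "[...]" form is the other syntax.
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
PAM_TYPES = {"auth", "account", "password", "session"}
# Password-passing options only mean something where a password is actually exchanged.
PASSWORD_ONLY_ARGS = {"use_first_pass", "try_first_pass"}


def parse_pam_line(line):
    """Split one pam.d line into (type, control, module, args); None for blank or comment."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = re.match(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", stripped)
    if not m:
        raise ValueError(f"unparseable PAM line: {line!r}")
    mtype, control, module, args = m.groups()
    return mtype, control, module, args.split()


def lint_pam(filename, text):
    """Return findings for one pam.d file: bad control keywords and no-op options."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(line)
        if parsed is None:
            continue
        mtype, control, module, args = parsed
        where = f"{filename}:{lineno}"
        if mtype not in PAM_TYPES:
            findings.append(f"{where}: unknown module type '{mtype}'")
        if not control.startswith("[") and control not in PAM_CONTROLS:
            hint = " (did you mean 'required'?)" if control == "require" else ""
            findings.append(f"{where}: '{control}' is not a PAM control keyword{hint}")
        noop = PASSWORD_ONLY_ARGS & set(args)
        if mtype in ("account", "session") and noop:
            findings.append(f"{where}: {sorted(noop)} do nothing in the {mtype} stack "
                            "(no password is exchanged there)")
    return findings


def lint_sshd_config(text):
    """Flag sshd_config directives that carry no value; sshd refuses to start on those."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 1:
            findings.append(f"sshd_config:{lineno}: '{parts[0]}' has no value")
    return findings


def find_passwd_entry(getent_output, user):
    """Return the uid/gid/home/shell NSS knows for `user`, or None.

    Kerberos only proves who the principal is; the uid/gid pair that
    pam_krb5 and sshd complain about has to come from an NSS source
    (files, LDAP, ...), which is exactly what 'getent passwd' lists.
    """
    for line in getent_output.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[0] == user:
            return {"uid": int(fields[2]), "gid": int(fields[3]),
                    "home": fields[5], "shell": fields[6]}
    return None


# --- constructed inputs, copied from the thread's snippets ---
SSHD_CONFIG = """\
PasswordAuthentication no
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanCredentials yes
AllowTcpForwarding
UsePAM yes
X11Forwarding yes
"""
PAM_FILES = {
    "common-auth": "auth sufficient pam_krb5.so use_first_pass forwardable\n",
    "common-account": "account require pam_krb5.so use_first_pass\n",
    "common-session": "session required pam_krb5.so\n",
}
GETENT = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:100:101:SSH daemon:/var/lib/sshd:/bin/false
kamil:x:1000:100:kamil:/home/kamil:/bin/bash
test:x:1001:100::/home/test:/bin/bash
"""


def run_checks():
    """Collect every finding so a caller (or a test) can assert on them."""
    findings = list(lint_sshd_config(SSHD_CONFIG))
    for name, text in PAM_FILES.items():
        findings.extend(lint_pam(name, text))
    if find_passwd_entry(GETENT, "test") is None:
        findings.append("NSS: user 'test' has no passwd entry; sshd will log 'Invalid user'")
    return findings


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

On the thread's data the script reports three findings: the valueless AllowTcpForwarding line, the 'require' control word in common-account, and the no-op use_first_pass on that same line; common-auth and common-session pass, and 'test' resolves to uid 1001 once the local account exists. The order matters for reading the logs: sshd's GSSAPI step and krb5_kuserok run before the PAM account and session stacks, so a "Authorized to ..." line followed by a closed connection points at those later stacks rather than at Kerberos itself.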