LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
#1 fantasygoat (Member), 03-24-2011, 03:27 PM
ssh login via Windows AD / Kerberos


Following the instructions listed here:

http://blog.scottlowe.org/2006/08/08...-r2-revisited/

I have a machine set up to use Kerberos authentication for logins. The problem is, logins are now incredibly slow and any user from the AD fails to log in.

Here's the output from the server in debug mode:

Quote:
debug1: sshd version OpenSSH_4.3p2
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='666'
debug1: Bind to port 666 on ::.
Server listening on :: port 666.
debug1: Bind to port 666 on 0.0.0.0.
Bind to port 666 on 0.0.0.0 failed: Address already in use.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.0.77 port 49555
debug1: Client protocol version 2.0; client software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user jeremy.wilson service ssh-connection method none
debug1: attempt 0 failures 0
It then hangs for a while before continuing:

Quote:
debug1: PAM: initializing for "jeremy.wilson"
debug1: userauth-request for user jeremy.wilson service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: PAM: setting PAM_RHOST to "192.168.0.77"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 10000/10 (e=0/0)
Then it just disconnects after a long timeout.

What I want to do is use a Windows AD with the UNIX extensions to control user logins on CentOS 5.5 servers. Previously I've used OpenLDAP and AD, but that was still two separate auth methods and I just want one.
 
#2 kbp (Senior Member), 03-24-2011, 07:27 PM
Are you using LDAP for naming services? ... try 'getent passwd' and see if the AD users are listed

<edit> Just realised .. your link points to an old version of Scott's instructions, did you try the new version ? .. there are differences </edit>

 
#3 fantasygoat (Original Poster), 03-25-2011, 09:29 AM
Okay, I tried following those instructions and now it just hangs at the getent command. I'm assuming it's a credential issue but there's nothing in the logs to indicate the problem.
 
#4 fantasygoat (Original Poster), 03-25-2011, 09:48 AM
Okay, I've cleared up the credential issue, but now getent is hanging *after* returning the valid AD account.

Here's the system-auth file:

Quote:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so
auth required pam_deny.so

account sufficient pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_krb5.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_deny.so

password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
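To see which module actually decides the outcome for an AD user (uid 10000, as in the sshd log) versus a local account in the auth and account stacks above, here is an added example, not code from the thread: a simplified Linux-PAM control-flag evaluator fed the posted system-auth lines. The user records and the per-module outcomes are constructed assumptions, not real PAM calls, and the module-name check is there to catch typos like a misspelled pam_unix.so.

```python
# Added example, not from the thread: simplified Linux-PAM stack evaluation.
# User records are constructed; no real PAM module is invoked.
KNOWN_MODULES = {"pam_env.so", "pam_unix.so", "pam_succeed_if.so", "pam_krb5.so",
                 "pam_deny.so", "pam_localuser.so", "pam_cracklib.so", "pam_limits.so"}
SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so
auth required pam_deny.so
account sufficient pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_krb5.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_deny.so
"""

def parse_pam(text):
    """Return {service_type: [(control, module, args)]}; unknown module names are rejected."""
    stacks = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        svc, control, module, *args = line.split()
        if module not in KNOWN_MODULES:      # catches typos such as pam_unx.so
            raise ValueError(f"unknown PAM module {module!r}")
        stacks.setdefault(svc, []).append((control, module, args))
    return stacks

def module_result(module, args, user):
    """Assumed outcome of each module for a constructed user record."""
    if module in ("pam_unix.so", "pam_localuser.so"):  # only see /etc/passwd users
        return user["local"]
    if module == "pam_krb5.so":                        # did the KDC accept the password?
        return user["krb5_ok"]
    if module == "pam_succeed_if.so":                  # handles "uid >= N" and "uid < N"
        return user["uid"] >= int(args[2]) if args[1] == ">=" else user["uid"] < int(args[2])
    return module != "pam_deny.so"                     # pam_env/pam_limits: succeed

def run_stack(stack, user):
    """Walk one service type with Linux-PAM control-flag rules (simplified)."""
    required_failed = False
    for control, module, args in stack:
        ok = module_result(module, args, user)
        if control == "requisite" and not ok:
            return False                      # fail right away
        if control == "required" and not ok:
            required_failed = True            # keep walking, but the stack will fail
        if control == "sufficient" and ok and not required_failed:
            return True                       # short-circuit: later modules not consulted
    return not required_failed
AD_USER = {"uid": 10000, "local": False, "krb5_ok": True}  # like uid 10000 in the log
LOCAL_ROOT = {"uid": 0, "local": True, "krb5_ok": False}
```

Note that getent hanging is an NSS (nsswitch.conf) matter, not a PAM one; this only shows how the PAM stacks resolve once the user is known.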
 
#5 kbp (Senior Member), 03-25-2011, 07:15 PM
I've put together a script that's taken from my current kickstart. Give it a try and let me know if you still have problems.

cheers
Attached Files
File Type: txt krb_ldap_ad2k3r2.sh.txt (2.6 KB, 44 views)
 
#6 fantasygoat (Original Poster), 03-25-2011, 09:54 PM
That's perfect, thanks!
 