Re: kerberos authentication

[Florian Gleixner <flo@xxxxxxxxx>]

Try to put FQDN in your /etc/hosts on both machines. Did you create 
principals for both hosts too?

Here is a documentation i wrote some time ago:
http://redflo.de/tiki-index.php?page_ref_id=35
For the ssh-part:
http://redflo.de/tiki-index.php?page=Kerberizing%20sshd


Julius schrieb:
> On Thu, 2008-11-27 at 23:08 +0000, Nigel J. Taylor wrote:
> > If your are using Kerberos, then you need PasswordAuthentication yes in the
> > sshd_config also.
> >
> > If your using GSSAPI then you need GSSAPIAuthentication yes in the sshd_config
> > and ssh_config. That is if your using ssh wf and don't expect a prompt for a
> > password. The following is using GSSAPI (First a failure as no ticket).
> >
> > $ ssh me@rhea
> > Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
> > $ kinit me
> > me@xxxxxxxxx's Password:
> > $ ssh me@rhea
> > Last login: Thu Nov 27 22:42:21 2008 from pandora.xxx.me.uk
> > OpenBSD 4.4-stable (GENERIC) #3: Tue Nov 11 00:54:23 GMT 2008
> >
> > Welcome to OpenBSD: The proactively secure Unix-like operating system.
> >
> > Please use the sendbug(1) utility to report bugs in the system.
> > Before reporting a bug, please try to reproduce it with the latest
> > version of the code.  With bug reports, please try to ensure that
> > enough information to reproduce the problem is enclosed, and if a
> > known fix for it exists, include that as well.
> >
> > $ egrep "Authen" /etc/ssh/sshd_config
> > # Authentication:
> > PasswordAuthentication no
> > KerberosAuthentication no
> > GSSAPIAuthentication yes
> > $ ^D
> > Connection to rhea closed.
> > $ hostname
> > pandora.xxx.me.uk
> >
> > Regards
> >
> > Nigel Taylor
>
>
>
> client:
> kinit kerberos-test
>
> [kerberos-test@night_crawler ~]$ kdestroy
> [kerberos-test@night_crawler ~]$ kinit kerberos-test
> kerberos-test@xxxxxxxxxxxxxx's Password: 
> [kerberos-test@night_crawler ~]$ klist
> Credentials cache: FILE:/tmp/krb5cc_1013
>         Principal: kerberos-test@xxxxxxxxxxxxxx
>
>   Issued           Expires          Principal
> Nov 28 19:32:28  Nov 29 05:32:31  krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx
>
> [kerberos-test@night_crawler ~]$ ssh wf
> Permission denied (publickey,gssapi-with-mic).
>
>
> [kerberos-test@night_crawler ~]$ klist
> Credentials cache: FILE:/tmp/krb5cc_1013
>         Principal: kerberos-test@xxxxxxxxxxxxxx
>
>   Issued           Expires          Principal
> Nov 28 19:32:28  Nov 29 05:32:31  krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx
> Nov 28 19:34:42  Nov 29 05:32:31  host/wf.localdomain.de@xxxxxxxxxxxxxx
>
>
>
> grep "Authen" /etc/ssh/ssh_config 
> #   RhostsRSAAuthentication no
> #   RSAAuthentication yes
> #   PasswordAuthentication yes
> #   HostbasedAuthentication no
> GSSAPIAuthentication yes
>
>
>
>
>
>
>
> server:
> egrep "Authen" /etc/ssh/sshd_config
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #RhostsRSAAuthentication no
> #HostbasedAuthentication no
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> KerberosAuthentication no
> GSSAPIAuthentication yes
>
>
>
>
>
>
>
>
>
> /usr/sbin/sshd -ed
> .
> .
> .
> Connection from MYCLIENTIP port 36001
> debug1: Client protocol version 2.0; client software version OpenSSH_5.1
> debug1: match: OpenSSH_5.1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1
> debug1: permanently_set_uid: 99/99
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user kerberos-test service ssh-connection
> method none
> debug1: attempt 0 failures 0
> debug1: PAM: initializing for "kerberos-test"
> debug1: PAM: setting PAM_RHOST to "night_crawler.localdomain.de"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug1: userauth-request for user kerberos-test service ssh-connection
> method gssapi-with-mic
> debug1: attempt 1 failures 0
> debug1:  No credentials were supplied, or the credentials were
> unavailable or inaccessible.
> unknown mech-code 0 for mech 1 2 840 113554 1 2 2
>
> Connection closed by MYCLIENTIP
> debug1: do_cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
>
>
>
>
> btw, hostname returns only the first part of the fqdn on both of my
> systems.