Re: kerberos authentication

Try to put the FQDN in your /etc/hosts on both machines. Did you create principals for both hosts too?

Here is some documentation I wrote some time ago:
http://redflo.de/tiki-index.php?page_ref_id=35
For the ssh-part:
http://redflo.de/tiki-index.php?page=Kerberizing%20sshd


Julius wrote:
On Thu, 2008-11-27 at 23:08 +0000, Nigel J. Taylor wrote:
If you are using Kerberos, then you need PasswordAuthentication yes in the
sshd_config also.

If you're using GSSAPI then you need GSSAPIAuthentication yes in the sshd_config
and ssh_config. That is, if you're using ssh wf and don't expect a prompt for a
password. The following is using GSSAPI (first a failure, as there is no ticket).

$ ssh me@rhea
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
$ kinit me
me@xxxxxxxxx's Password:
$ ssh me@rhea
Last login: Thu Nov 27 22:42:21 2008 from pandora.xxx.me.uk
OpenBSD 4.4-stable (GENERIC) #3: Tue Nov 11 00:54:23 GMT 2008

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

$ egrep "Authen" /etc/ssh/sshd_config
# Authentication:
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
$ ^D
Connection to rhea closed.
$ hostname
pandora.xxx.me.uk

Regards

Nigel Taylor

client:
kinit kerberos-test

[kerberos-test@night_crawler ~]$ kdestroy
[kerberos-test@night_crawler ~]$ kinit kerberos-test
kerberos-test@xxxxxxxxxxxxxx's Password:
[kerberos-test@night_crawler ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1013
        Principal: kerberos-test@xxxxxxxxxxxxxx

  Issued           Expires          Principal
Nov 28 19:32:28  Nov 29 05:32:31  krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx

[kerberos-test@night_crawler ~]$ ssh wf
Permission denied (publickey,gssapi-with-mic).


[kerberos-test@night_crawler ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1013
        Principal: kerberos-test@xxxxxxxxxxxxxx

  Issued           Expires          Principal
Nov 28 19:32:28  Nov 29 05:32:31  krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx
Nov 28 19:34:42  Nov 29 05:32:31  host/wf.localdomain.de@xxxxxxxxxxxxxx



grep "Authen" /etc/ssh/ssh_config
# RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
GSSAPIAuthentication yes

server:
egrep "Authen" /etc/ssh/sshd_config

#RSAAuthentication yes
#PubkeyAuthentication yes
#RhostsRSAAuthentication no
#HostbasedAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes

/usr/sbin/sshd -ed
.
.
.
Connection from MYCLIENTIP port 36001
debug1: Client protocol version 2.0; client software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: permanently_set_uid: 99/99
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user kerberos-test service ssh-connection
method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "kerberos-test"
debug1: PAM: setting PAM_RHOST to "night_crawler.localdomain.de"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user kerberos-test service ssh-connection
method gssapi-with-mic
debug1: attempt 1 failures 0
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible.
unknown mech-code 0 for mech 1 2 840 113554 1 2 2

Connection closed by MYCLIENTIP
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup

BTW, hostname returns only the first part of the FQDN on both of my
systems.
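Added example, not part of the thread and not code from OpenSSH, Heimdal or MIT: a POSIX shell preflight that checks, from captured files or the live system, the things the replies above point at. It reports whether GSSAPIAuthentication is effectively yes on each side (OpenSSH takes the first uncommented occurrence of a keyword, so the commented-out defaults in the listings above change nothing), whether the server name has a fully qualified canonical name, whether the client cache holds a TGT and, after the first attempt, a host/<fqdn> service ticket, and whether the server keytab lists host/<fqdn>@REALM. The function names and the file name gssapi_preflight.sh are the example's own; the realm LOCALDOMAIN.DE, the addresses and the keytab listing used in the usage notes are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for ssh logins via
# gssapi-with-mic. Assumes POSIX sh, awk and grep; klist(1) output in the
# Heimdal layout shown in the thread (MIT's layout is matched the same way,
# by the host/<fqdn>@ substring). Sample realm/addresses are constructed.

# Effective value of <keyword> in an ssh_config/sshd_config file.
# OpenSSH takes the FIRST uncommented occurrence of a keyword, so a later
# 'yes' cannot override an earlier 'no', and the commented-out defaults
# ('#   PasswordAuthentication yes') have no effect. Match blocks and the
# 'Keyword=value' spelling are not handled.
ssh_option() {  # ssh_option <config-file> <keyword> <default-if-absent>
    val=$(awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Canonical name of <host> from an /etc/hosts-style file. The first name
# after the address is what getaddrinfo() reports as canonical, and the
# Kerberos library builds the host/<name> service principal from it.
hosts_fqdn() {  # hosts_fqdn <hosts-file> <host-or-alias>
    awk -v h="$2" '
        $1 !~ /^#/ && NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == h) { print $2; exit }
        }' "$1"
}

is_fqdn() { case "$1" in *.*) return 0 ;; *) return 1 ;; esac; }

# Ticket cache and keytab listings print one principal per line, so a
# substring match on host/<fqdn>@ suffices for Heimdal and MIT output.
has_host_ticket()      { grep -q "host/$2@" "$1"; }  # <klist output> <fqdn>
has_keytab_principal() { grep -q "host/$2@" "$1"; }  # <klist -k output> <fqdn>

# Client side. All inputs are files, so the checks run against captured
# output as well as the live system (see run_live below).
client_preflight() {  # <server-as-typed> <ssh_config> <hosts-file> <klist-output>
    server=$1 cfg=$2 hosts=$3 kl=$4 rc=0
    [ "$(ssh_option "$cfg" GSSAPIAuthentication no)" = yes ] ||
        { echo "FAIL: GSSAPIAuthentication is not yes in $cfg"; rc=1; }
    fqdn=$(hosts_fqdn "$hosts" "$server")
    if [ -z "$fqdn" ]; then
        echo "FAIL: $server not in $hosts; DNS must then supply the FQDN"; rc=1
    elif ! is_fqdn "$fqdn"; then
        echo "FAIL: canonical name of $server is '$fqdn', not an FQDN"; rc=1
    fi
    grep -q 'krbtgt/' "$kl" ||
        { echo "FAIL: no TGT in the credential cache, run kinit first"; rc=1; }
    if [ -n "$fqdn" ] && ! has_host_ticket "$kl" "$fqdn"; then
        echo "note: no host/$fqdn ticket cached yet; ssh requests it on the first attempt"
    fi
    return $rc
}

# Server side. With the default GSSAPIStrictAcceptorCheck, sshd acquires its
# acceptor credential for host@<gethostname()>, so that name must be fully
# qualified (or canonicalise to the FQDN) and host/<fqdn>@REALM must be in
# the keytab sshd reads (/etc/krb5.keytab unless krb5.conf says otherwise).
# "No credentials were supplied ..." in sshd -d output is the usual sign
# that this lookup failed.
server_preflight() {  # <sshd_config> <keytab-listing> <hostname>
    cfg=$1 kt=$2 name=$3 rc=0
    [ "$(ssh_option "$cfg" GSSAPIAuthentication no)" = yes ] ||
        { echo "FAIL: GSSAPIAuthentication is not yes in $cfg"; rc=1; }
    is_fqdn "$name" ||
        { echo "FAIL: hostname '$name' is not fully qualified"; rc=1; }
    has_keytab_principal "$kt" "$name" ||
        { echo "FAIL: host/$name@REALM is not in keytab listing $kt"; rc=1; }
    return $rc
}

# Live runs:  sh gssapi_preflight.sh --client wf   (on the client)
#             sh gssapi_preflight.sh --server      (on the server, as root)
run_live() {
    t=$(mktemp)
    if [ "$1" = --client ]; then
        klist > "$t" 2>/dev/null || true
        client_preflight "$2" /etc/ssh/ssh_config /etc/hosts "$t"
    else
        { klist -k 2>/dev/null || ktutil list; } > "$t"   # MIT, else Heimdal
        server_preflight /etc/ssh/sshd_config "$t" "$(hostname)"
    fi
    rc=$?; rm -f "$t"; return $rc
}
case "${1:-}" in --client|--server) run_live "$@" ;; esac
```

With the thread's listings saved to files, `client_preflight wf ssh_config hosts klist` passes for the credential cache shown above (TGT plus host/wf.localdomain.de ticket), while `server_preflight sshd_config keytab "$(hostname)"` fails on a host whose hostname is only the short name, which is the situation described at the end of the message: sshd then looks for host/wf@REALM rather than host/wf.localdomain.de@REALM unless the library can canonicalise the name through /etc/hosts or DNS, which is what the FQDN advice at the top of the thread addresses. The config parser deliberately ignores Match blocks, so check those by hand on servers that use them.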