I am encountering the following problem: I am trying to connect from a client VM to a server VM using SSH with Kerberos authentication, but SSH still asking me for password. Obviously, I modified the /etc/ssh/sshd_config
file, on server side, to enable: GSSAPIAuthentication yes
and GSSAPICleanupCredentials yes
. On the client machine I did the same in the /etc/ssh/ssh_config
file.
About Kerberos: I added a principal, using kadmin.local, called host/[email protected]
where "server" is the hostname of the server machine and SERVER.COM is the name of the realm. Once creating that principal for SSH service, I used the ktadd -k command
to add the keytab file (to be clear, SSH server and Kerberos server are on the same machine) located at /etc/krb5.keytab
. The output of sudo klist -ke /etc/krb5.keytab
is
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/[email protected] (aes256-cts-hmac-sha1-96)
1 host/[email protected] (aes128-cts-hmac-sha1-96)
1 host/[email protected] (aes256-cts-hmac-sha1-96)
1 host/[email protected] (aes128-cts-hmac-sha1-96)
1 host/[email protected] (aes256-cts-hmac-sha1-96)
1 host/[email protected] (aes128-cts-hmac-sha1-96)
1 [email protected] (aes256-cts-hmac-sha1-96)
1 [email protected] (aes128-cts-hmac-sha1-96)
1 host/[email protected] (aes256-cts-hmac-sha1-96)
1 host/[email protected] (aes128-cts-hmac-sha1-96)
So, the creation of keytab was OK. Well, on the server machine I also added a user named michele (even listed in the list above and added as a principal obviously) and the same was created on the client machine. I typed the ssh command in debug mode sudo /usr/sbin/sshd -p 9001 -D -dd
on both client and server and I get the following:
1)For server side:
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 370
debug2: parse_server_config: config /etc/ssh/sshd_config len 370
debug1: sshd version OpenSSH_7.5, OpenSSL 1.0.2g 1 Mar 2016
debug1: private host key #0: ssh-rsa SHA256:Uu0sgKAMRqoKGBxZ+pLywmfCH8Fby+3p/rgJ5TSn45w
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:ycCOVyRMzFst+8uwleIs1VtvhsoN+3GZE/Tjj7i/MlA
debug1: private host key #2: ssh-ed25519 SHA256:I1PpnUol1xHFKTiM+yTGN0C3h6PSjgo34VjkFtUH6Uk
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='9001'
debug1: rexec_argv[3]='-D'
debug1: rexec_argv[4]='-dd'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 9001 on 0.0.0.0.
Server listening on 0.0.0.0 port 9001.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 9001 on ::.
Server listening on :: port 9001.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.56.5 port 60904 on 192.168.56.4 port 9001
debug1: Client protocol version 2.0; client software version OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
debug1: match: OpenSSH_7.5p1 Ubuntu-10ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
debug1: Enabling compatibility mode for protocol 2.0
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 4541
debug1: permanently_set_uid: 122/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,[email protected] [preauth]
debug2: compression stoc: none,[email protected] [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,[email protected],zlib [preauth]
debug2: compression stoc: none,[email protected],zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug2: monitor_read: 6 used once, disabling now
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user michele service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug2: parse_server_config: config reprocess config len 370
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for michele [preauth]
debug1: PAM: initializing for "michele"
debug1: PAM: setting PAM_RHOST to "192.168.56.5"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug2: monitor_read: 4 used once, disabling now
debug2: input_userauth_request: try method none [preauth]
debug1: userauth-request for user michele service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug1: PAM: password authentication accepted for michele
debug1: do_pam_account: called
Accepted password for michele from 192.168.56.5 port 60904 ssh2
debug1: monitor_child_preauth: michele has been authenticated by privileged process
debug1: monitor_read_log: child log fd closed
debug1: temporarily_use_uid: 1004/1004 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: PAM: establishing credentials
User child is on pid 4618
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1004/1004
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: ssh_packet_set_postauth: called
debug1: Entering interactive session for SSH2.
debug2: fd 6 setting O_NONBLOCK
debug2: fd 8 setting O_NONBLOCK
debug1: server_init_dispatch
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype [email protected] want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug2: session_new: allocate (allocated 0 max 10)
debug1: session_new: session 0
debug1: SELinux support disabled
debug1: session_pty_req: session 0 alloc /dev/pts/1
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug2: Setting env 0: LANG=it_IT.UTF-8
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
Starting session: shell on pts/1 for michele from 192.168.56.5 port 60904 id 0
debug2: fd 3 setting TCP_NODELAY
debug1: Setting controlling tty using TIOCSCTTY.
debug2: channel 0: rfd 11 isatty
debug2: fd 11 setting O_NONBLOCK
and for client side:
~$ ssh -p 9001 -vv [email protected]
OpenSSH_7.5p1 Ubuntu-10ubuntu0.1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "192.168.56.4" port 9001
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.56.4 [192.168.56.4] port 9001.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
debug1: match: OpenSSH_7.5p1 Ubuntu-10ubuntu0.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.56.4:9001 as 'michele'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ycCOVyRMzFst+8uwleIs1VtvhsoN+3GZE/Tjj7i/MlA
debug1: checking without port identifier
debug1: Host '192.168.56.4' is known and matches the ECDSA host key.
debug1: Found key in /home/michele/.ssh/known_hosts:1
debug1: found matching key w/out port
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: Permission denied
debug2: key: /home/michele/.ssh/id_rsa ((nil))
debug2: key: /home/michele/.ssh/id_dsa ((nil))
debug2: key: /home/michele/.ssh/id_ecdsa ((nil))
debug2: key: /home/michele/.ssh/id_ed25519 ((nil))
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1002)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1002)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/michele/.ssh/id_rsa
debug1: Trying private key: /home/michele/.ssh/id_dsa
debug1: Trying private key: /home/michele/.ssh/id_ecdsa
debug1: Trying private key: /home/michele/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
[email protected]'s password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 192.168.56.4 ([192.168.56.4]:9001).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = it_IT.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to Ubuntu 17.10 (GNU/Linux 4.13.0-39-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 pacchetti possono essere aggiornati.
0 sono aggiornamenti di sicurezza.
Failed to connect to http://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings
Last login: Sat May 5 12:45:11 2018 from 192.168.56.5
Environment:
LANG=it_IT.UTF-8
USER=michele
LOGNAME=michele
HOME=/home/michele
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
MAIL=/var/mail/michele
SHELL=/bin/bash
SSH_CLIENT=192.168.56.5 60904 9001
SSH_CONNECTION=192.168.56.5 60904 192.168.56.4 9001
SSH_TTY=/dev/pts/1
TERM=xterm-256color
XDG_SESSION_ID=39
XDG_RUNTIME_DIR=/run/user/1004
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1004/bus
From the client side, it seems there is a GSSAPI failure about the credentials. I would like to ssh in my server withouth typing the password. Can you help me, please? Thansk!
The error message indicates that you do not have a valid TGT ("Ticket Granting Ticket") for the user you are trying to connect with. You need to run "kinit" first. This will try to get a TGT from the kerberos server and place it in the ticket cache (
/tmp/krb5cc_1002
in your case).You should not do this using sudo, as it will create the ticket cache with the wrong permissions. If you did it with sudo you should remove the ticket cache with the wrong permissions (
sudo rm /tmp/krb5cc_1002
) and try runningkinit
again as normal user.Something not directly related to this issue but worth mentioning: You do not need to add users to
/etc/krb5.keytab
, like you seem to have tried according to yourklist -ke
output. This file is for host/service authentication only. Users need only be added to the kerberos server (KDC).