Unable to SSH with Kerberos user


Unable to SSH with Kerberos user

Rocky Hotas
Hello!
I am trying to set up a Kerberos server and a client for the first time,
both using Xubuntu 18.04. I created a normal user `joe' and I am able
to successfully do, from the client:

$ kinit joe
Password for [hidden email]:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [hidden email]

Valid starting       Expires              Service principal
25/01/2020 16:10:42  26/01/2020 02:10:42  krbtgt/[hidden email]
        renew until 26/01/2020 16:10:28

Despite the client and server being on the same LAN, when I enter the
password there is a long wait of several seconds before the prompt comes
back. I would now like to ssh into the Kerberos server from the client
as `joe', without being prompted again for a password:

$ ssh joe@<server_FQDN>

However, I am asked for the password here, despite the TGT shown above, and
even with the correct password, permission is denied.

What could be wrong with this configuration? Also, I still did not
understand the role of the keytab in this operation. Is it necessary?

Note that my user (on the client's Xubuntu system) is not named `joe', as
the logs below show: `joe' exists only in Kerberos.

Log of ssh with `-vvv' option: https://pastebin.com/DSueXmf0
Client /etc/ssh/ssh_config: https://pastebin.com/14FWX5ye
Client /etc/krb5.conf: https://pastebin.com/Vpqs0VxT
Server /etc/krb5.conf: https://pastebin.com/1wnB6vum
Server /etc/ssh/sshd_config: https://pastebin.com/WwdyQvF0

Guide followed for setup: https://www.linuxtoday.com/blog/integrating-ldap-and-kerberos-part-one-kerberos.html
(at random times, the link is unavailable; use Google cache page if
needed)

Thank you for reading,

Rocky

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Unable to SSH with Kerberos user

Rocky Hotas
Sent: Saturday, January 25, 2020 at 5:51 PM
From: "Patrick Marc Preuß" <[hidden email]>
To: "Rocky Hotas" <[hidden email]>
Subject: Re: Unable to SSH with Kerberos user

> Hi rocky
 
Hi :)!

> Have a look into the ssh log, somewhere around line 115:

> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server host/[hidden email] not found in Kerberos database
 
> gssapi is selected but not ticket grated due to missing service principal for the server.

Thanks for your patience in looking at the logs.
Maybe you meant "granted". OK! I ran `kadmin.local' on the server and:

kadmin.local:  addprinc -randkey host/xubtest.xexample.intk
WARNING: no policy specified for host/[hidden email]; defaulting to no policy
Principal "host/[hidden email]" created.
kadmin.local:  addprinc -randkey host/xubcl1.xexample.intk
WARNING: no policy specified for host/[hidden email]; defaulting to no policy
Principal "host/[hidden email]" created.

Hope this is correct. Then, I tried again with ssh, and this is the
result: https://pastebin.com/vDX0Gt67

The error you mentioned has disappeared, but the behaviour is apparently
the same (password required, and permission denied even with the correct
password).

> HTH

Yes, of course! Those principals must be created.
 
Thanks,

Rocky



Re: Unable to SSH with Kerberos user

Patrick Marc Preuß
Hi Rocky

Now check the server-side logs. Seems there is an issue either with the user on the server, or with the Kerberos setup on that side.

The user needs to be resolvable via "getent passwd", the server-side keytab needs to contain the right service principals, and sshd needs to know about the keytab.

HTH

----

Patrick

> On Jan 25, 2020, at 9:24 AM, Rocky Hotas <[hidden email]> wrote:
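Added example, not code from the thread or from either poster: Patrick's last message lists the three server-side conditions a GSSAPI ssh login needs, and Rocky's first message asks what the keytab is for. The keytab is necessary: `addprinc -randkey` stores the key for host/<fqdn> only in the KDC database, while sshd on the target host must hold a copy of that same key (`ktadd` writes it into the keytab, by default /etc/krb5.keytab) to decrypt the service ticket the client presents; without it the gssapi-with-mic method fails and ssh falls back to password authentication, which is then tried against an account on the server. The script below turns the checklist into offline checks over constructed sample output; the hostname xubtest.xexample.intk is the one from Rocky's kadmin session, while the realm EXAMPLE.REALM, joe's uid and all sample command output are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the three
# server-side conditions a GSSAPI ssh login needs.  Each check reads the
# text it inspects on stdin, so it runs here against the constructed
# samples below and, on a real server, against the output of
# `klist -k`, `cat /etc/ssh/sshd_config` and `getent passwd`.
#
# The server name xubtest.xexample.intk is from the thread; the realm
# EXAMPLE.REALM, joe's uid and every sample output below are constructed.

# 1. Is the key for host/<fqdn>@REALM in the keytab?  `klist -k` prints a
#    header (keytab name, column titles, dashes) followed by one
#    "<kvno> <principal>" line per entry.  The principal to look for is the
#    one the client reports in `ssh -vvv` ("Server host/... not found").
keytab_has_principal() {   # $1 = host/<fqdn>@REALM
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
                   END { exit found ? 0 : 1 }'
}

# 2. Does sshd accept GSSAPI?  sshd honours the first uncommented
#    occurrence of a keyword, keywords are case-insensitive, and the
#    compiled-in default is "no".  Directives inside Match blocks are
#    not considered here.
sshd_gssapi_enabled() {
    awk 'tolower($1) == "gssapiauthentication" && !seen {
             seen = 1; ok = (tolower($2) == "yes")
         }
         END { exit ok ? 0 : 1 }'
}

# 3. Does the login name resolve to an account on the ssh server?  sshd
#    needs one whichever authentication method succeeds.
user_resolvable() {        # $1 = login name
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Run all three checks, print what is missing, return the number of failures.
# $1 fqdn  $2 realm  $3 user  $4 `klist -k` text  $5 sshd_config text
# $6 `getent passwd` text
diagnose() {
    fails=0
    if ! printf '%s\n' "$4" | keytab_has_principal "host/$1@$2"; then
        echo "keytab lacks host/$1@$2: export it with 'ktadd -k <file> host/$1' in kadmin and install it as /etc/krb5.keytab on $1"
        fails=$((fails + 1))
    fi
    if ! printf '%s\n' "$5" | sshd_gssapi_enabled; then
        echo "sshd_config has no active 'GSSAPIAuthentication yes' (default is no)"
        fails=$((fails + 1))
    fi
    if ! printf '%s\n' "$6" | user_resolvable "$3"; then
        echo "no account '$3' on the server: 'getent passwd $3' must succeed"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# --- constructed samples (not real output from the thread's machines) ---
KLIST_BEFORE_KTADD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------'
KLIST_AFTER_KTADD="$KLIST_BEFORE_KTADD
   2 host/xubtest.xexample.intk@EXAMPLE.REALM"

SSHD_OFF='# GSSAPI options
#GSSAPIAuthentication no
UsePAM yes'
SSHD_ON='# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes'

PASSWD_NO_JOE='root:x:0:0:root:/root:/bin/bash'
PASSWD_WITH_JOE="$PASSWD_NO_JOE
joe:x:1001:1001:Joe,,,:/home/joe:/bin/bash"

FQDN=xubtest.xexample.intk
REALM=EXAMPLE.REALM

# Demonstration: a server where the host principal was created with
# addprinc -randkey but never exported and joe has no account, versus
# the same server after ktadd and account creation.
echo "== host principal created, keytab untouched, no local joe =="
diagnose "$FQDN" "$REALM" joe "$KLIST_BEFORE_KTADD" "$SSHD_ON" "$PASSWD_NO_JOE" \
    || echo "-> fix the items above, then retry ssh -vvv joe@$FQDN"
echo "== after ktadd and adding the account =="
diagnose "$FQDN" "$REALM" joe "$KLIST_AFTER_KTADD" "$SSHD_ON" "$PASSWD_WITH_JOE" \
    && echo "-> all checks pass"
```

On a real server the same functions are driven by live output, for example `klist -k | keytab_has_principal "host/$(hostname -f)@REALM"` and `getent passwd joe | user_resolvable joe`; the script deliberately reads text rather than calling those tools itself so it can be tested offline and pointed at a copied-out config.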