krb5+Ubuntu (maverick, jaunty (LTS))+ssh

krb5+Ubuntu (maverick, jaunty (LTS))+ssh

tps (Bugzilla)
Hi!

I have set up a Kerberos server on Ubuntu jaunty (10.04.1 LTS). This
server works as far as I can see.

Logging into a maverick machine works too: I am handed a TGT. Now to
the problems:

I can log in from maverick to maverick machines. No problem.
Kerberos does what it is expected to do.

I can't log in from any jaunty (10.04.1 LTS) machine to any other
machine using Kerberos. I am handed a session key, but
authenticating against any of the jaunty machines fails. ssh falls
back to password authentication.

The Kerberos server on jaunty seems to work as expected, but the
client and GSSAPI seem badly broken.

Has anyone else seen this? If yes, any solutions?

--
Thomas
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: krb5+Ubuntu (maverick, jaunty (LTS))+ssh

Brian Candler
On Fri, Nov 19, 2010 at 02:03:09PM +0100, Thomas Schweikle wrote:
> I can log in from maverick to maverick machines. No problem.
> Kerberos does what it is expected to do.
>
> I can't log in from any jaunty (10.04.1 LTS) machine to any other
> machine using Kerberos. I am handed a session key, but
> authenticating against any of the jaunty machines fails. ssh falls
> back to password authentication.

Sorry to state the obvious, but have you set

Host *
...
    GSSAPIAuthentication yes

in /etc/ssh/ssh_config ?

What does ssh -v <host> show when you try to connect?

> The Kerberos server on jaunty seems to work as expected, but the
> client and GSSAPI seem badly broken.

10.04.1 LTS isn't Jaunty, it's Lucid. "cat /etc/lsb-release" to see what you
have.

I have a Lucid client which can quite happily kinit to Active Directory, and
ssh to RedHat machines using its Kerberos ticket.

Regards,

Brian.

Re: krb5+Ubuntu (maverick, jaunty (LTS))+ssh

tps (Bugzilla)
On 20.11.2010 09:58, Brian Candler wrote:

> On Fri, Nov 19, 2010 at 02:03:09PM +0100, Thomas Schweikle wrote:
>> I can log in from maverick to maverick machines. No problem.
>> Kerberos does what it is expected to do.
>>
>> I can't log in from any jaunty (10.04.1 LTS) machine to any other
>> machine using Kerberos. I am handed a session key, but
>> authenticating against any of the jaunty machines fails. ssh falls
>> back to password authentication.
>
> Sorry to state the obvious, but have you set
>
> Host *
> ...
>     GSSAPIAuthentication yes
>
> in /etc/ssh/ssh_config ?

I've set it and it was automatically set by installing the packages.

> What does ssh -v <host> show when you try to connect?

Something about no GSSAPI environment. I'll post the whole thing
tomorrow --- I'll need access to the systems.

>> The Kerberos server on jaunty seems to work as expected, but the
>> client and GSSAPI seem badly broken.
>
> 10.04.1 LTS isn't Jaunty, it's Lucid. "cat /etc/lsb-release" to see what you
> have.

Uhhhgg! Yes, it's right. Mixed up the names. My fault!

> I have a Lucid client which can quite happily kinit to Active Directory, and
> ssh to RedHat machines using its Kerberos ticket.

That's what is curious: kinit works on these machines! I get my
TGT, but connections do not work. Only 10.10 to 10.10 does what is
expected. 10.10 to 10.04.1 does not, nor does 10.04.1 to 10.10 or 10.04.1.

--
Thomas

Re: krb5+Ubuntu (maverick, jaunty (LTS))+ssh

Brian Candler
On Sat, Nov 20, 2010 at 10:45:31PM +0100, Thomas Schweikle wrote:
> Something about no GSSAPI environment. I'll post the whole thing
> Tomorrow --- I'll need access to the systems.

Another trick is to run another instance of sshd, on another port, in debug
mode: e.g.

    # sshd -p 99 -d

Then when you ssh -v -p 99 <user>@<hostname> you will also get debug output
from the server side.

You need 'GSSAPIAuthentication yes' in /etc/ssh/sshd_config at the server
side, but presumably you have that as some of the combinations do work.
(Not 'KerberosAuthentication yes' - that just does password authentication
with the KDC as the password oracle)

HTH,

Brian.

Re: krb5+Ubuntu (maverick, jaunty (LTS))+ssh

tps (Bugzilla)
On 21.11.2010 19:46, Brian Candler wrote:
> On Sat, Nov 20, 2010 at 10:45:31PM +0100, Thomas Schweikle wrote:
>> Something about no GSSAPI environment. I'll post the whole thing
>> Tomorrow --- I'll need access to the systems.
>
> Another trick is to run another instance of sshd, on another port, in debug
> mode: e.g.
>
>     # sshd -p 99 -d

From ub0001 to kvm-test (10.04.1 to 10.04.1):

    debug1: Unspecified GSS failure.
      Minor code may provide more information
    Key table entry not found

and on the client side:

    debug1: Authentications that can continue:
      publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context

But:

    tu@kvm-test:~$ klist -k
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Principal
    ---------------------------------------------------------------------
       1 host/kvm-test@LOCAL
       1 host/kvm-test@LOCAL
       1 host/kvm-test@LOCAL
       1 host/kvm-test@LOCAL

and

    ub0001:~% klist -k
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Principal
    ---------------------------------------------------------------------
       2 host/ub0001@LOCAL
       2 host/ub0001@LOCAL
       2 host/ub0001@LOCAL
       2 host/ub0001@LOCAL

ssh asks for password :-(


Now from auth to kvm-test (10.10 to 10.04.1):

    debug1: Unspecified GSS failure.
      Minor code may provide more information
    Key table entry not found

and on the client side:

    debug1: Authentications that can continue:
      publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context

But:

    root@kvm-test:~# klist -k
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Principal
    --------------------------------------------------------------------
       1 host/kvm-test@LOCAL
       1 host/kvm-test@LOCAL
       1 host/kvm-test@LOCAL
       1 host/kvm-test@LOCAL

and

    tu@auth:~$ klist -k
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Principal
    --------------------------------------------------------------------
       1 host/auth@LOCAL
       1 host/auth@LOCAL
       1 host/auth@LOCAL
       1 host/auth@LOCAL


Now from ub0001 to auth (10.04.1 to 10.10):
No password prompt! Logged in!

This with:

    ub0001:~% klist -k
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Principal
    --------------------------------------------------------------------
       2 host/ub0001@LOCAL
       2 host/ub0001@LOCAL
       2 host/ub0001@LOCAL
       2 host/ub0001@LOCAL

and:

    root@auth:~# klist -k
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Principal
    --------------------------------------------------------------------
       1 host/auth@LOCAL
       1 host/auth@LOCAL
       1 host/auth@LOCAL
       1 host/auth@LOCAL

Obviously 10.10 to 10.10 works too.


> Then when you ssh -v -p 99 <user>@<hostname> you will also get debug output
> from the server side.
>
> You need 'GSSAPIAuthentication yes' in /etc/ssh/sshd_config at the server
> side, but presumably you have that as some of the combinations do work.
> (Not 'KerberosAuthentication yes' - that just does password authentication
> with the KDC as the password oracle)

AFAIC this is set. On all machines I have:

/etc/ssh/sshd_config:

    # GSSAPI options
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GSSAPIKeyExchange yes

/etc/ssh/ssh_config:

    Host *
        SendEnv LANG LC_*
        HashKnownHosts yes
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        GSSAPIKeyExchange yes

--
Thomas

Re: krb5+Ubuntu (maverick, jaunty (LTS))+ssh

Russ Allbery
Thomas Schweikle <[hidden email]> writes:

> From ub0001 to kvm-test (10.04.1 to 10.04.1):
>
>     debug1: Unspecified GSS failure.
>       Minor code may provide more information
>     Key table entry not found

What does running host on the IP address of kvm-test return?  In other
words, what's the reverse DNS or reverse hosts lookup return?  If it's not
just "kvm-test," that's probably your problem.

--
Russ Allbery ([hidden email])             <http://www.eyrie.org/~eagle/>

Re: krb5+Ubuntu (maverick, jaunty (LTS))+ssh

tps (Bugzilla)
On 22.11.2010 22:42, Russ Allbery wrote:

> Thomas Schweikle <[hidden email]> writes:
>
>> From ub0001 to kvm-test (10.04.1 to 10.04.1):
>>
>>     debug1: Unspecified GSS failure.
>>       Minor code may provide more information
>>     Key table entry not found
>
> What does running host on the IP address of kvm-test return?  In other
> words, what's the reverse DNS or reverse hosts lookup return?  If it's not
> just "kvm-test," that's probably your problem.

On a host where it is not working:

    tu@ub0001:~% host bacula
    bacula.local has address 192.168.1.26
    tu@bacula:~% host 192.168.1.26
    26.1.168.192.in-addr.arpa domain name pointer bacula.local.

On this host ssh tu@ub0001 fails (Ubuntu 10.10 to 10.04.1).

On a host where it is working:

    tu@auth:~$ host auth
    auth.local has address 192.168.1.25
    tu@auth:~$ host 192.168.1.25
    25.1.168.192.in-addr.arpa domain name pointer auth.local.

On this host ssh tu@auth succeeds (Ubuntu 10.10 to 10.10).

The host I was trying from does not have a DNS entry at all!

--
Thomas

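The check Russ Allbery suggests, carried through against the kind of `klist -k` and `host` output Thomas posted, as an added example that is not part of the thread. It assumes the usual OpenSSH GSSAPI behaviour: the client canonicalises the target name through DNS and requests host/<canonical name>@REALM, and sshd can accept that ticket only if the same principal is in its keytab; the sample outputs are constructed to mirror the thread (short name in the keytab, FQDN in DNS).

```python
import re

# Constructed sample: the server's `klist -k`, in the shape shown in the thread.
KLIST_OUTPUT = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---------------------------------------------------------------------
   1 host/kvm-test@LOCAL
   1 host/kvm-test@LOCAL
"""

# Constructed sample: what host(1) prints for the server's reverse lookup.
REVERSE = "26.1.168.192.in-addr.arpa domain name pointer kvm-test.local."


def keytab_principals(klist_text):
    """Principals listed by `klist -k`, with the KVNO column dropped."""
    principals = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def canonical_name(reverse_line):
    """PTR target from host(1) output without the trailing dot; None if there is no PTR."""
    m = re.search(r"domain name pointer (\S+?)\.?$", reverse_line)
    return m.group(1) if m else None


def diagnose(klist_text, reverse_line, realm):
    """Return ("ok" | "missing" | "no-ptr", principal the client would request).

    Assumption (OpenSSH GSSAPI behaviour): the client asks the KDC for
    host/<canonical name>@REALM. If the keytab holds only the short name while
    DNS canonicalises to the FQDN, the server cannot find a key for the ticket
    and logs 'Key table entry not found', as in the thread.
    """
    canonical = canonical_name(reverse_line)
    if canonical is None:
        return "no-ptr", None
    wanted = f"host/{canonical}@{realm}"
    status = "ok" if wanted in keytab_principals(klist_text) else "missing"
    return status, wanted


if __name__ == "__main__":
    print(diagnose(KLIST_OUTPUT, REVERSE, "LOCAL"))
```

Running it on the constructed data reports the FQDN principal as missing; re-exporting the keytab with host/kvm-test.local@LOCAL (or making DNS and the keytab agree on one name) is what the check points at.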