krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)


krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)

Traiano Welcome-3
Hi List

I'm trying to configure a (Ubuntu/Debian) Linux server as a kerberos client with our current kerberos infrastructure. I would like users to authenticate ssh logins to the system using kerberos, and so I'm using the pam_krb5 pam module. However, Krb5 authentication fails with the following significant error when I attempt ssh to the server:

"krb5_get_init_creds_password: Decrypt integrity check failed"

I've carefully confirmed the host principal on my KDC and kerberos master, and triple-checked the krb5.conf and krb5.keytab, and connectivity between the client and the KDC, as well as ntp time synchronisation between all the systems involved. My question is: Is there some way I can debug this to a deeper level in order to pinpoint exactly why "Decrypt integrity check failed"? I've tried sniffing packets during the communications between the client and the master KDC; unfortunately, the contents are largely encrypted, so I can't find any further data. Also, I've searched for more detailed debugging options for pam_krb5, but it doesn't look like any exist ... the krb5kdc.log doesn't seem to offer more detailed information either ...

The full pam_krb5 debug trace is as follows:

---
Apr 11 11:54:32 linux-server01 sshd[16073]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (0x4)
Apr 11 11:54:32 linux-server01 sshd[16073]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) attempting authentication as [hidden email]
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) krb5_get_init_creds_password: Decrypt integrity check failed
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): authentication failure; logname=bobjones uid=0 euid=0 tty=ssh ruser= rhost=marvel.ops.evasive.org.za
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
---

Many thanks in Advance,
Traiano Welcome
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)

Brian Candler
On Mon, Apr 11, 2011 at 10:59:16AM +0000, Traiano Welcome wrote:
> I'm trying to configure a (Ubuntu/Debian) Linux server as a kerberos
> client with our current kerberos infrastructure.  I would like users to
> authenticate ssh logins to the system using kerberos, and so I'm using the
> pam_krb5 pam module.

You don't need pam_krb5 to perform ssh authentication using kerberos.
(Indeed, I was under the impression that pam_krb5 did only *password*
authentication, checking the password against the KDC and getting a Kerberos
TGT as a side effect - but I could be wrong)

Anyway, if you want ssh to be authenticated using kerberos, just do the
following.

Client side: edit /etc/ssh/ssh_config, under Host * set

    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes       (*)

(Don't set "KerberosAuthentication yes"; this means regular password
authentication, but with the password checked against the KDC)

Server side: edit /etc/ssh/sshd_config, set

GSSAPIAuthentication yes
GSSAPIKeyExchange yes    (*)

plus all the usual Kerberos stuff:
- create a host key in the KDC
- extract the key to /etc/krb5.keytab
- forward and reverse DNS is correct
- realm to KDC mapping either in DNS or in /etc/krb5.conf
- domain to realm mapping either in DNS or in /etc/krb5.conf

HTH,

Brian.

(*) This is not strictly necessary for regular Kerberos authentication.
However the 'KeyExchange' variant of the protocol uses Kerberos for mutual
authentication; this eliminates the use of .ssh/known_hosts and the
prompting for unknown host keys.
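A preflight script for the server-side checklist above, added here as an example and not code from the thread, OpenSSH or MIT krb5. It reads the effective GSSAPI options out of sshd_config the way sshd does (comment lines skipped, first occurrence of a keyword wins), confirms that a `klist -k` listing carries the host principal, checks that the keytab is not readable by other users (the keytab is the host's long-term key; anyone who can read it can impersonate the host), and does the forward/reverse DNS round trip. The host name, realm and paths are assumptions; the sshd_config and keytab listing in the demo are constructed so the script runs offline.

```shell
#!/bin/sh
# Preflight checks for GSSAPI ssh login on a Kerberos client. Added example,
# not from the thread; host name, realm and paths are assumptions.

# Effective value of an sshd_config keyword: comment lines skipped, keyword
# matched case-insensitively, first occurrence wins (as sshd does). Match
# blocks are not handled.
sshd_opt() {  # sshd_opt <config-file> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# 0 when both GSSAPIAuthentication and GSSAPIKeyExchange are "yes".
check_sshd_gssapi() {  # check_sshd_gssapi <config-file>
    [ "$(sshd_opt "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(sshd_opt "$1" GSSAPIKeyExchange)" = yes ]
}

# 0 when a `klist -k` listing (passed as text so it can be checked offline)
# contains host/<fqdn>@<REALM>. $NF is the principal column.
keytab_has_host() {  # keytab_has_host <klist-output> <fqdn> <REALM>
    printf '%s\n' "$1" | awk -v p="host/$2@$3" '$NF == p { found = 1 } END { exit !found }'
}

# 0 when the file is not readable by "other" (column 8 of ls -l is the
# other-read bit). The keytab holds the host's long-term key; anyone who can
# read it can impersonate the host and decrypt its service tickets.
keytab_not_world_readable() {  # keytab_not_world_readable <file>
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# Forward and reverse DNS must agree. Live check, needs the resolver.
check_dns_roundtrip() {  # check_dns_roundtrip <fqdn>
    ip=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo "no address for $1"; return 1; }
    back=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    [ "$back" = "$1" ] || { echo "reverse of $ip is '$back', expected $1"; return 1; }
}

# Demo on constructed inputs so it runs offline: Brian's settings plus a
# commented-out decoy, and a klist -k listing with the host principal.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
KerberosAuthentication no
EOF
chmod 600 "$cfg"
check_sshd_gssapi "$cfg" && echo "sshd_config: GSSAPI auth and kex enabled"
keytab_not_world_readable "$cfg" && echo "mode 600: not world-readable"
rm -f "$cfg"

listing='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/linux-server01.example.org@EXAMPLE.ORG'
keytab_has_host "$listing" linux-server01.example.org EXAMPLE.ORG &&
    echo "keytab: host/linux-server01.example.org@EXAMPLE.ORG present"
# Live, on the real host: check_dns_roundtrip "$(hostname -f)"
```

On a real server, feed `klist -k /etc/krb5.keytab` output to `keytab_has_host` and run `check_dns_roundtrip` against the host's FQDN; the keytab check matters because a group- or world-readable keytab hands the host key to every local account.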

Re: krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)

Russ Allbery
In reply to this post by Traiano Welcome-3
Traiano Welcome <[hidden email]> writes:

> I'm trying to configure a (Ubuntu/Debian) Linux server as a kerberos
> client with our current kerberos infrastructure. I would like users to
> authenticate ssh logins to the system using kerberos, and so I'm using
> the pam_krb5 pam module. However, Krb5 authentication fails with the
> following significant error when I attempt ssh to the server:

> "krb5_get_init_creds_password: Decrypt integrity check failed"

Brian's reply is correct if you have a GSSAPI-enabled ssh client.  I also
wanted to add, though, that the above error message is Kerberos's way of
saying "password incorrect."

> I've carefully confirmed the host principal on my KDC and kerberos
> master, and triple-checked the krb5.conf and krb5.keytab, and
> connectivity between the client and the KDC, as well as ntp time
> synchronisation between all the systems involved.

The problem isn't with your local keytab.  If it were a keytab problem, it
would be an error in verify_init_creds, not get_init_creds.  A failure at
get_init_creds indicates that the password didn't decrypt the reply from
the KDC.

> Also, I've searched for more detailed debugging options for pam_krb5, but
> it doesn't look like any exist ...

You've got all the information that pam_krb5 has.  It did a password
authentication, and the key formed from the password didn't decrypt the
KDC reply.  There isn't much else it can tell you.

> the krb5kdc.log doesn't seem to offer more detailed information either

I think you should see a failed authentication error on the KDC side, but
it isn't likely to offer any more information.

Have you tried running kinit as that user (with the principal name exactly
the same as what's in the debug log) on the host you're trying to log on
to and confirmed that password does work?

> Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) attempting authentication as [hidden email]
> Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) krb5_get_init_creds_password: Decrypt integrity check failed

--
Russ Allbery ([hidden email])             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)

Greg Hudson
On Mon, 2011-04-11 at 15:56 -0400, Russ Allbery wrote:
> You've got all the information that pam_krb5 has.  It did a password
> authentication, and the key formed from the password didn't decrypt the
> KDC reply.  There isn't much else it can tell you.

There is one thing pam_krb5 could do to help debug problems like this,
which is provide an option to turn on krb5 tracing if
krb5_set_trace_filename() is available (MIT krb5 1.9 or later).  Since
pam_krb5 creates a secure context, the KRB5_TRACE environment variable
doesn't operate.



Re: krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)

Russ Allbery
Greg Hudson <[hidden email]> writes:

> There is one thing pam_krb5 could do to help debug problems like this,
> which is provide an option to turn on krb5 tracing if
> krb5_set_trace_filename() is available (MIT krb5 1.9 or later).  Since
> pam_krb5 creates a secure context, the KRB5_TRACE environment variable
> doesn't operate.

Thanks, added to my TODO list.

--
Russ Allbery ([hidden email])             <http://www.eyrie.org/~eagle/>
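Russ's diagnosis turns on which call failed: an error reported by krb5_get_init_creds_password means the key formed from the typed password did not decrypt the KDC's reply, while a keytab problem would surface from krb5_verify_init_creds instead. The script below is an added example, not code from the thread or from pam_krb5: it applies that split to pam_krb5 syslog lines, tallies failures per user and remote host (a burst from one host against several users is password guessing, not misconfiguration), and wraps Russ's kinit check with KRB5_TRACE, which MIT krb5 1.9 and later honour for kinit even though, as Greg notes, it has no effect inside pam_krb5's secure context. The verify_init_creds log pattern is assumed to follow the same `(user X) function: message` shape as the line in the post; apart from the two lines taken from the post, the sample log is constructed.

```shell
#!/bin/sh
# Triage pam_krb5 failures by the krb5 call that failed. Added example, not
# from the thread; the verify_init_creds line format is an assumption.

# One word per line: which stage failed (per Russ's diagnosis in the thread).
#   wrong-password  krb5_get_init_creds_password: the key formed from the
#                   password did not decrypt the KDC reply
#   keytab-problem  krb5_verify_init_creds: the TGT came back, but the host
#                   key in /etc/krb5.keytab could not validate it
#   other           anything else
triage_line() {  # triage_line <syslog line>
    case "$1" in
        *krb5_get_init_creds_password:*) echo wrong-password ;;
        *krb5_verify_init_creds:*)       echo keytab-problem ;;
        *)                               echo other ;;
    esac
}

# Failures per (user, rhost) from pam_krb5 "authentication failure" lines on
# stdin, most frequent first.
failure_summary() {
    awk '/pam_krb5\(sshd:auth\): authentication failure/ {
            u = ""; h = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^logname=/) u = substr($i, 9)
                if ($i ~ /^rhost=/)   h = substr($i, 7)
            }
            n[u " " h]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Russ's check, run on the failing host as the exact principal from the log.
# KRB5_TRACE (MIT krb5 1.9+) shows the AS exchange for kinit; it is ignored
# under pam_krb5, which uses a secure context. Interactive: prompts for the password.
kinit_check() {  # kinit_check <principal>
    KRB5_TRACE=/dev/stderr kinit "$1" && klist
}

# Constructed sample: the two lines from the post, plus invented lines for a
# keytab failure and repeated guesses from a second host.
log='Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) krb5_get_init_creds_password: Decrypt integrity check failed
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): authentication failure; logname=bobjones uid=0 euid=0 tty=ssh ruser= rhost=marvel.ops.evasive.org.za
Apr 11 11:55:02 linux-server01 sshd[16201]: pam_krb5(sshd:auth): (user alice) krb5_verify_init_creds: Key table entry not found
Apr 11 11:55:02 linux-server01 sshd[16201]: pam_krb5(sshd:auth): authentication failure; logname=alice uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7
Apr 11 11:55:30 linux-server01 sshd[16233]: pam_krb5(sshd:auth): authentication failure; logname=bobjones uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7
Apr 11 11:55:41 linux-server01 sshd[16240]: pam_krb5(sshd:auth): authentication failure; logname=bobjones uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7'

printf '%s\n' "$log" | while IFS= read -r line; do
    case "$line" in
        *"(user "*) printf '%-15s %s\n' "$(triage_line "$line")" "${line#*: }" ;;
    esac
done
printf '%s\n' "$log" | failure_summary
```

On the real box, `grep pam_krb5 /var/log/auth.log | failure_summary` gives the same tally; if the top entry is one user from one host, run `kinit_check bobjones@REALM` there as Russ suggests before touching the keytab.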

RE: krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)

Traiano Welcome-3
In reply to this post by Russ Allbery

Thanks, Russ, and Brian.  (forgive top-posting, handicapped client :-P )

I'm now able to ssh as root to the system, after kinit, and it seems to accept my credentials. The only thing I changed was the permissions on the krb5.keytab file (from owner read/write only, to owner and group read). I issued a kdestroy, on the suspicion that cached credentials from previous keytabs may be the issue, but I doubt that's what resolved it.

Prior to getting this working, I was able to kinit on this system, and successfully obtain a  krb5 ticket from the master kdc after providing my kerberos password, which I found rather odd.
 

