We, a team of 6, administer tens of Linux servers. The historic heritage
is that every team member has his own local account on every machine.
This is a nightmare of course, I don't have to elaborate on that :)
Recently we decided to use our Active Directory domain for the Linux
machines as well.
I installed 2 test machines, configured MIT Kerberos, OpenLDAP and PAM
and got to the point where we all can login on to the SSH server using
our Active Directory credentials. At login time, a TGT is automatically
retrieved through PAM. From there, I thought, it should be easy to
automatically log into SSH without being asked for a password.
Obviously I was wrong... SSH keeps asking for a password, or exits with
"permission denied" if I set KerberosOrLocalPassword to "no" in the
server config. Help... :)
A message in the ssh client-log ("No valid Key exchange context") seems
to indicate a problem with a keytab. However, the keytabs seem to be
working just fine. I created these two principals in Active Directory:
host/server.sta...@STAFF.XXXXX.NL
host/client.sta...@STAFF.XXXXX.NL
and exported them in a keytab file, without Windows complaining about
anything. I copied them to /etc/krb5.keytab and if I check them with
ktutil, the correct principal is there. I read a lot about Kerberos
being very picky about the principal name being a hostname or FQDN, so I
connect using the FQDN and put the FQDN in /etc/hosts on both sides.
Can anyone please shed some light on this? I've Googled a lot, but
haven't found anything useful.
This is what I use. I installed 2 Debian Lenny machines, one as a
workstation (X, Gnome, the whole shebang), one as a server (no X, only
SSH really). Both are virtual machines, running in VirtualBox. They have
their own dedicated IP addresses, registered in DNS (forward and reverse
map) and the name and IP address of the AD server is in /etc/hosts.
This is the SSH debug log when I try to connect:
-----[ ssh client log ]-----
ssh -vvvK this...@server.staff.xxxxx.nl
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
debug1: Connection established.
debug1: identity file /home/thisuser/.ssh/identity type -1
debug1: identity file /home/thisuser/.ssh/id_rsa type -1
debug1: identity file /home/thisuser/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijnda...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijnda...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,uma...@openssh.com,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,uma...@openssh.com,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zl...@openssh.com,zlib
debug2: kex_parse_kexinit: none,zl...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijnda...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijnda...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,uma...@openssh.com,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,uma...@openssh.com,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zl...@openssh.com
debug2: kex_parse_kexinit: none,zl...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA host key.
debug1: Found key in /home/thisuser/.ssh/known_hosts:3
debug2: bits set: 528/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/thisuser/.ssh/identity ((nil))
debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/thisuser/.ssh/identity
debug3: no such identity: /home/thisuser/.ssh/identity
debug1: Trying private key: /home/thisuser/.ssh/id_rsa
debug3: no such identity: /home/thisuser/.ssh/id_rsa
debug1: Trying private key: /home/thisuser/.ssh/id_dsa
debug3: no such identity: /home/thisuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
----- -----
And here's the log (at DEBUG level) of the SSH server:
-----[ ssh server log ]-----
debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
debug1: Forked child 2475.
debug1: inetd sockets after dupping: 3, 3
Connection from 10.115.193.8 port 35195
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug1: PAM: initializing for "thisuser"
debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for thisuser from 10.115.193.8 port 35195 ssh2
debug1: Unspecified GSS failure. Minor code may provide more
information\nNo principal in keytab matches desired name\n
debug1: do_cleanup
debug1: PAM: cleanup
----- -----
This is my SSH config:
-----[ /etc/ssh/sshd_config ]-----
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
----- -----
I configured /etc/krb5.conf as follows:
-----[ /etc/krb5.conf ]-----
[logging]
default = FILE:/var/log/krb5-lib.log
kdc = FILE:/var/log/krb5-kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = STAFF.XXXXX.NL
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
STAFF.XXXXX.NL = {
kdc = zbdc01
admin_server = zbdc01
}
[domain_realm]
.staff.xxxxx.nl = STAFF.XXXXX.NL
staff.xxxxx.nl = STAFF.XXXXX.NL
[login]
krb4_convert = false
krb4_get_tickets = false
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = true
}
----- -----
Kind regards,
Hans van Zijst
Are you attempting Kerberos based password authentication or single sign-on?
Could you also give the sshd trace (-ddd)?
Kind regards
Best regards
Yours sincerely
Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
-----Original message-----
From: kerberos...@mit.edu [mailto:kerberos...@mit.edu] On behalf of Hans van Zijst
Sent: Monday 15 June 2009 10:04
To: kerb...@mit.edu
Subject: Problem: passwordless SSH login with Kerberos doesn't work
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Clearly the ssh server does not agree about what is the right name.
The hostname of the machine must be the same name you set in the keytab.
That's what sshd uses (probably through gethostname()) to determine what
principal name to search for in the keytab.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
Using GSS_C_NO_CREDENTIAL (or a credential for GSS_C_NO_NAME) for the
acceptor credential has its advantages.
My GSSAPI KeyExchange patches (at http://www.sxw.org.uk/computing/patches/openssh.html)
add support for a 'GSSAPIStrictAcceptorCheck' option, which can be
used to permit the use of any principal within the keytab. Debian,
like many other distributors, ship with that patch as standard.
Cheers,
Simon.
Ultimately, I want to have single sign-on. I can do Kerberos password
authentication now and that's already a huge step forward, but single
sign-on is what I want.
This is the sshd trace of the server. I checked klist on my client and
saw I only had the TGT. Then I attempted the ssh connection and checked
again, this time I also had a ticket for the server. Looks like the
keytab is ok then, doesn't it?
Here's the trace:
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 772
debug2: parse_server_config: config /etc/ssh/sshd_config len 772
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:14 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:17 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:18 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:21 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:23 setting LogLevel DEBUG
debug3: /etc/ssh/sshd_config:26 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:27 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:28 setting StrictModes yes
debug3: /etc/ssh/sshd_config:30 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:35 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:37 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:39 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:44 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:48 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:52 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:57 setting KerberosAuthentication yes
debug3: /etc/ssh/sshd_config:60 setting KerberosOrLocalPasswd no
debug3: /etc/ssh/sshd_config:61 setting KerberosTicketCleanup yes
debug3: /etc/ssh/sshd_config:64 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:65 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:67 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:68 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:69 setting PrintMotd no
debug3: /etc/ssh/sshd_config:70 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:71 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:78 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:80 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:82 setting UsePAM yes
debug1: sshd version OpenSSH_5.1p1 Debian-5
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
socket: Address family not supported by protocol
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 772
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 10.115.193.8 port 50535
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug3: privsep user:group 104:65534
debug1: permanently_set_uid: 104/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijnda...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijnda...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,uma...@openssh.com,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,uma...@openssh.com,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zl...@openssh.com
debug2: kex_parse_kexinit: none,zl...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijnda...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijnda...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,uma...@openssh.com,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,uma...@openssh.com,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zl...@openssh.com,zlib
debug2: kex_parse_kexinit: none,zl...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug2: Network child is on pid 2204
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 513/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 490/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 5
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 6
debug3: mm_request_receive entering
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 5
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0xb8d2c768(271)
debug3: mm_request_send entering: type 6
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: monitor_read: 5 used once, disabling now
debug3: mm_request_receive entering
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user thisuser service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 7
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 8
debug3: mm_request_receive entering
debug3: monitor_read: checking request 7
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 10.115.193.8.
debug2: parse_server_config: config reprocess config len 772
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 8
debug2: input_userauth_request: setting up authctxt for thisuser
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 48
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug2: monitor_read: 7 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug1: PAM: initializing for "thisuser
debug1: userauth-request for user thisuser service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 38
debug3: mm_request_receive_expect entering: type 39
debug3: mm_request_receive entering
debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 48 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 38
debug1: Unspecified GSS failure. Minor code may provide more information
No principal in keytab matches desired name
debug3: mm_request_send entering: type 39
debug1: userauth-request for user thisuser service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_receive entering
debug1: userauth-request for user thisuser service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
Connection closed by 10.115.193.8
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
Kind regards,
Hans van Zijst
Problem solved! Thanks to Miguel for giving me some hints.
As usual, the problem was minor. It proved that the encryption method I
used to create the keytab was wrong. Google served me several articles
that stated I would have to use single DES. After a long struggle, I
tried the Windows standard: arcfour. That did the trick. That'll teach
me to follow articles just like that... :)
Several articles urged me to use a user account instead of a computer
account. I tried both and didn't notice any difference after everything
was in place. The only difference I noticed was while exporting the
keytab: you can map the principal to a user by simply providing the
username. When using a computer account, you have to supply ktpass with
the full path to the computer object.
This is how I exported the keytab:
ktpass -princ host/server.sta...@STAFF.XXXXX.NL -mapuser staff.xxxxx.nl/Werkstations/Networkoperations/Systems/server +rndPass -ptype KRB5_NT_SRV_HST -out server.keytab
Then I copied this keytab to /etc/krb5.keytab on the server and
everything worked.
Kind regards,
Hans van Zijst
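The two failure modes the thread walks through (Simo's point that the host principal in the keytab must match the server's hostname, and Hans's finding that the keytab was exported with the wrong enctype) can both be checked offline by reading /etc/krb5.keytab. The script below is an added example, not code from the thread; it parses the MIT keytab format (version 0x0502), lists principal, kvno and enctype per entry without printing key material, and reports which entries satisfy sshd's host/<fqdn>@REALM lookup. The realm STAFF.EXAMPLE.NL, the hostnames and the keytab bytes are constructed for the demonstration.

```python
"""Minimal MIT keytab (format 0x0502) reader, written as a diagnostic for
'No principal in keytab matches desired name'. Added example, not from the
thread; the keytab bytes built below are constructed, not a real export."""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
KRB5_NT_PRINCIPAL, KRB5_NT_SRV_HST = 1, 3


def _cstr(buf, pos):
    """Read a counted octet string (uint16 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return a list of dicts: principal, name_type, kvno, enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen         # skip the key bytes; they are never shown
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno trails the key block
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype))})
    return entries


def check_acceptor(entries, fqdn, realm):
    """Entries that satisfy sshd's lookup of host/<fqdn>@REALM in the keytab."""
    want = f"host/{fqdn}@{realm}"
    return [e for e in entries if e["principal"] == want]


def build_keytab(specs):
    """Construct a keytab from (principal, name_type, kvno, enctype) tuples
    with all-zero placeholder key bytes. Constructed test data only."""
    out = b"\x05\x02"
    for princ, nt, kvno, etype in specs:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", nt, 0, kvno & 0xFF)
        key = b"\x00" * 16      # placeholder key material, not a real key
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed keytab: a DES entry for the short hostname beside an arcfour
# entry for the FQDN, mirroring the two mistakes discussed in the thread.
SAMPLE = build_keytab([
    ("host/server@STAFF.EXAMPLE.NL", KRB5_NT_SRV_HST, 2, 3),
    ("host/server.staff.example.nl@STAFF.EXAMPLE.NL", KRB5_NT_SRV_HST, 3, 23),
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE)
    for e in ents:
        print(f'{e["principal"]:50} kvno={e["kvno"]} {e["enctype"]}')
    hits = check_acceptor(ents, "server.staff.example.nl", "STAFF.EXAMPLE.NL")
    print("acceptor match:", [e["enctype"] for e in hits] or "NONE")
```

To inspect a real keytab, pass the bytes of /etc/krb5.keytab to parse_keytab and the server's FQDN (as returned by hostname -f) to check_acceptor; an empty result means sshd will fail exactly as in the trace above.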