Mailing List Archive

Key table entry not found with OpenSSH and GSS-API auth
Hi List,

I'm having problems getting OpenSSH GSS-API authentication to work against
AD 2008. Here's the error I'm seeing in the SSH server logs.

---snip---
Feb 18 11:04:16 test-ssh-server sshd[16842]: debug1: userauth-request for user user1 service ssh-connection method gssapi-with-mic
Feb 18 11:04:16 test-ssh-server sshd[16842]: debug1: attempt 1 failures 1
Feb 18 11:04:16 test-ssh-server sshd[16842]: debug2: input_userauth_request: try method gssapi-with-mic
Feb 18 11:04:16 test-ssh-server sshd[16842]: debug3: mm_request_send entering: type 38
Feb 18 11:04:16 test-ssh-server sshd[16841]: debug3: monitor_read: checking request 38
Feb 18 11:04:16 test-ssh-server sshd[16841]: debug3: mm_request_send entering: type 39
Feb 18 11:04:16 test-ssh-server sshd[16841]: debug3: mm_request_receive entering
Feb 18 11:04:16 test-ssh-server sshd[16842]: debug3: mm_request_receive_expect entering: type 39
Feb 18 11:04:16 test-ssh-server sshd[16842]: debug3: mm_request_receive entering
Feb 18 11:04:16 test-ssh-server sshd[16842]: Postponed gssapi-with-mic for user1 from a.b.c.d port 56886 ssh2
Feb 18 11:04:16 test-ssh-server sshd[16842]: debug3: mm_request_send entering: type 40
Feb 18 11:04:16 test-ssh-server sshd[16841]: debug3: monitor_read: checking request 40
Feb 18 11:04:16 test-ssh-server sshd[16841]: debug1: Unspecified GSS failure. Minor code may provide more information\nKey table entry not found\n
Feb 18 11:04:16 test-ssh-server sshd[16841]: debug1: Got no client credentials
---snip---


I'm getting a TGT and a host ticket OK from the AD KDC according to klist
(see below). The problem appears to be when my SSH client passes the host
ticket to the SSH server. I have local user1 accounts on both systems.

---snip---
$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_1025
Default principal: user1@TEST-REALM.EXAMPLE.COM

Valid starting     Expires            Service principal
02/18/09 10:01:01  02/18/09 20:01:06  krbtgt/TEST-REALM.EXAMPLE.COM@TEST-REALM.EXAMPLE.COM
        renew until 02/19/09 10:01:01, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
02/18/09 10:01:21  02/18/09 20:01:06  host/test-ssh-server.example.com@TEST-REALM.EXAMPLE.COM
        renew until 02/19/09 10:01:01, Flags: FRA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
---snip---

SSH client:
Red Hat Enterprise Linux ES release 4 (Nahant Update 7)
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

---config---
Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
ForwardX11Trusted yes
---config---

SSH server:
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

---config---
Protocol 2
ListenAddress 0.0.0.0
SyslogFacility AUTHPRIV
LogLevel DEBUG3
PermitRootLogin without-password
ChallengeResponseAuthentication no
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no
X11Forwarding yes
PrintMotd no
PrintLastLog no
ClientAliveInterval 300
ClientAliveCountMax 3
Banner /etc/ssh/ssh_banner
Subsystem sftp /usr/libexec/openssh/sftp-server
---config---

I'm adding the SSH server account on the AD side as follows:

---snip---
C:\Users\user1>ktpass -princ host/test-ssh-server.example.com@TEST-REALM.EXAMPLE.COM -mapuser test-ssh-server +rndPass -crypto DES-CBC-MD5 -out test-ssh-server.keytab -ptype KRB5_NT_PRINCIPAL

Targeting domain controller: ad-test-01
Using legacy password setting method
Successfully mapped host/test-ssh-server.example.com to test-ssh-server.
Key created.
Output keytab to test-ssh-server.keytab:
Keytab version: 0x502
keysize 66 host/test-ssh-server.example.com@TEST-REALM.EXAMPLE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x3 (DES-CBC-MD5) keylength 8 (0x519bdae957df8a8a)
---snip---


As far as I can see, my DNS records and /etc/hosts entries are correct and
the KVNO = 2 on both sides. I imported the keytab using ktutil; both the
import and reading the keytab back work fine.

Has anyone come across this before?

Thanks,

Paul
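A diagnostic for the failure reported in this message, added here as an example (it is not the poster's code and not part of OpenSSH or MIT Kerberos): it parses `klist -fe` ticket-cache output and `klist -ke` keytab output and reports a service principal whose ticket encryption type has no matching key in the server keytab, which is one condition that surfaces as "Key table entry not found". The sample outputs are constructed to mirror the principal and etypes quoted above; "DES cbc mode with RSA-MD5" is assumed to be the MIT `klist` display name for the DES-CBC-MD5 key the ktpass run produced.

```python
import re
# Constructed sample `klist` output (MIT format); values mirror the post above.
SERVICE = "host/test-ssh-server.example.com@TEST-REALM.EXAMPLE.COM"

KLIST_TICKET = """\
02/18/09 10:01:21  02/18/09 20:01:06  host/test-ssh-server.example.com@TEST-REALM.EXAMPLE.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""

KLIST_KEYTAB = """\
KVNO Principal
---- ---------------------------------------------------------------------
   2 host/test-ssh-server.example.com@TEST-REALM.EXAMPLE.COM (DES cbc mode with RSA-MD5)
"""

def parse_tickets(text):
    # Map service principal -> etype of the ticket itself (`klist -fe` output).
    tickets, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\d\S+ \S+\s+\d\S+ \S+\s+(\S+@\S+)\s*$", line)
        if m:
            current = m.group(1)           # start of a new ticket entry
        m = re.search(r"Etype \(skey, tkt\): (.+), (.+?)\s*$", line)
        if m and current:
            tickets[current] = m.group(2)  # second value is the ticket etype
    return tickets

def parse_keytab(text):
    # Map principal -> set of (kvno, etype) pairs (`klist -ke` output).
    keys = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$", line)
        if m:
            keys.setdefault(m.group(2), set()).add((int(m.group(1)), m.group(3)))
    return keys

def diagnose(service, ticket_text, keytab_text):
    # Return the reasons the server keytab cannot decrypt the cached ticket.
    tickets, keys = parse_tickets(ticket_text), parse_keytab(keytab_text)
    problems = []
    if service not in tickets:
        problems.append("no service ticket for %s in the cache" % service)
    if service not in keys:
        problems.append("keytab has no entry for %s" % service)
    elif service in tickets:
        etypes = sorted(et for _, et in keys[service])
        if tickets[service] not in etypes:
            problems.append("ticket etype %r not in keytab etypes %s" % (tickets[service], etypes))
    return problems
```

Run against the sample data it reports the RC4 ticket against a DES-only keytab entry; pointing it at real `klist -fe` and `klist -ke` output on the client and server gives the same check for a live deployment.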