ssh does not authenticate against kerberos
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Expired | Low | Unassigned |
Bug Description
sshd is set up to authenticate using GSSAPI, but this never succeeds, falling back to any other configured authentication method. If all are forbidden, authentication fails without giving a useful reason.
On a local(!) system assume:
user test exists, krb5 is running fine, PAM is set up to use krb5. After logging in:
% ssh -l test 192.168.1.111
$ klist
Ticket cache: FILE:/tmp/
Default principal: <email address hidden>
Valid starting Expires Service principal
11/15/10 10:22:38 11/15/10 20:22:38 <email address hidden>
renew until 11/16/10 10:22:35
Now that I have a ticket, I expected to be automatically authenticated to log on to the very same server using ssh
$ ssh 192.168.1.111
test@192.
I am asked for the password! Bad. Same with "-v":
$ ssh -v 192.168.1.111
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.111 [192.168.1.111] port 22.
debug1: Connection established.
debug1: identity file /home/test/
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: identity file /home/test/
debug1: identity file /home/test/
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: identity file /home/test/
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_
debug1: expecting SSH2_MSG_
debug1: SSH2_MSG_
debug1: expecting SSH2_MSG_
debug1: Host '192.168.1.111' is known and matches the RSA host key.
debug1: Found key in /home/test/
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_
debug1: SSH2_MSG_
debug1: Authentications that can continue: publickey,
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
debug1: Next authentication method: publickey
debug1: Offering public key: /home/test/
debug1: Authentications that can continue: publickey,
debug1: Offering public key: /home/test/
debug1: Authentications that can continue: publickey,
debug1: Next authentication method: password
test@192.
Easy to see: GSSAPI is tried, but fails.
ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: openssh-server 1:5.5p1-4ubuntu4
ProcVersionSign
Uname: Linux 2.6.35-22-server x86_64
Architecture: amd64
Date: Mon Nov 15 10:13:10 2010
InstallationMedia: Ubuntu-Server 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
LANG=de_DE.UTF-8
SHELL=/bin/bash
SourcePackage: openssh
According to the log file:
keyex,gssapi- with-mic, password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
Is there a principal created for 192.168.1.111?
I don't think that using IP addresses is the best option for Kerberos.
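The failure discussed in this thread can be read mechanically out of `ssh -v` output. The following is an added example, not part of the original report or of OpenSSH: it groups the debug lines by attempted authentication method and flags the case where the target is a numeric address and the GSSAPI library could not derive a realm. The function names are assumptions, and the sample log is constructed from the lines quoted above.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the `ssh -v` output quoted in the report.
SAMPLE_LOG = """\
debug1: Connecting to 192.168.1.111 [192.168.1.111] port 22.
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: Next authentication method: publickey
debug1: Next authentication method: password
"""

CONNECT_RE = re.compile(r"^debug1: Connecting to (\S+) \[")
METHOD_RE = re.compile(r"^debug1: Next authentication method: (\S+)")
REALM_ERR = "Cannot determine realm for numeric host address"

def is_numeric_host(host):
    """True when the ssh target is an IPv4/IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(log):
    """Return (target, ordered {method: [lines logged while it was tried]})."""
    target, current, attempts = None, None, {}
    for line in log.splitlines():
        if (m := CONNECT_RE.match(line)):
            target = m.group(1)
        elif (m := METHOD_RE.match(line)):
            current = m.group(1)
            attempts.setdefault(current, [])
        elif current:
            attempts[current].append(re.sub(r"^debug1: ", "", line))
    return target, attempts

def diagnose(log):
    """Summarise why gssapi-with-mic was skipped and where the client ended up."""
    target, attempts = triage(log)
    return {
        "target": target,
        "numeric_target": target is not None and is_numeric_host(target),
        "realm_lookup_failed": REALM_ERR in attempts.get("gssapi-with-mic", []),
        "last_method_tried": list(attempts)[-1] if attempts else None,
    }
```

For the log in this report, `diagnose` shows a numeric target, a failed realm lookup and `password` as the last method tried, which matches the silent fallback the reporter describes.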