[HCoop-Discuss] Kerberos & ssh not working
vegai
vegai at mire.hcoop.net
Wed Jun 11 02:22:29 EDT 2008
Hey,

I'm unable to log in without a password using Kerberos as instructed
in the wiki. I'm probably doing something wrong, but I have no more
ideas what to try.

Here's the relevant output of what I tried:
---begin
[vegai at radio ~]$ kinit vegai at HCOOP.NET
vegai at HCOOP.NET's Password:
[vegai at radio ~]$ kinit vegai at HCOOP.NET
vegai at HCOOP.NET's Password:
[vegai at radio ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: vegai at HCOOP.NET
Issued Expires Principal
Jun 11 09:00:52 Jun 11 19:00:51 krbtgt/HCOOP.NET at HCOOP.NET
[vegai at radio ~]$ ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' vegai at ssh.hcoop.net
Password:
Password for vegai at HCOOP.NET:
Password:
Password for vegai at HCOOP.NET:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,keyboard-interactive).
[vegai at radio ~]$ ssh -vvv -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' vegai at ssh.hcoop.net
OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ssh.hcoop.net [69.90.123.68] port 22.
debug1: Connection established.
debug1: identity file /home/vegai/.ssh/identity type -1
debug1: identity file /home/vegai/.ssh/id_rsa type -1
debug1: identity file /home/vegai/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9etch2
debug1: match: OpenSSH_4.3p2 Debian-9etch2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.0
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 527/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/vegai/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/vegai/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 4
debug1: Host 'ssh.hcoop.net' is known and matches the RSA host key.
debug1: Found key in /home/vegai/.ssh/known_hosts:3
debug2: bits set: 513/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/vegai/.ssh/identity ((nil))
debug2: key: /home/vegai/.ssh/id_rsa ((nil))
debug2: key: /home/vegai/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10
debug1: Miscellaneous failure (see text)
UNKNOWN_SERVER
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password for vegai at HCOOP.NET:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password for vegai at HCOOP.NET:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password for vegai at HCOOP.NET:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,gssapi-with-mic,keyboard-interactive).
[vegai at radio ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: vegai at HCOOP.NET
Issued Expires Principal
Jun 11 09:00:52 Jun 11 19:00:51 krbtgt/HCOOP.NET at HCOOP.NET
---end
Traceroute to kerberos.hcoop.net shows this as last line:
16 deleuze.hcoop.net (69.90.123.67) 142.057 ms 141.507 ms 141.618 ms
and dig -t SRV _kerberos._udp.hcoop.net contains:
;; ADDITIONAL SECTION:
kerberos1.hcoop.net. 172589 IN A 69.90.123.67
/etc/krb5.conf is attached.
--vk
-------------- next part --------------
[libdefaults]
    default_realm = MY.REALM
    clockskew = 300
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }

[realms]
    MY.REALM = {
        kdc = MY.COMPUTER
    }
    OTHER.REALM = {
        v4_instance_convert = {
            kerberos = kerberos
            computer = computer.some.other.domain
        }
    }

[domain_realm]
    .my.domain = MY.REALM
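A small triage script for the three artifacts pasted above (the klist output, the `ssh -vvv` transcript and the client krb5.conf). This is an added example, not code from the original post or from HCoop; the sample inputs are constructed from the post's own output with the mailing-list `at` obfuscation turned back into `@`, and the `diagnose` checks encode general Kerberos/GSSAPI troubleshooting rules (ticket realm versus `default_realm`, presence of a `[realms]` entry, and the KDC's UNKNOWN_SERVER reply meaning the service principal was not found), not a confirmed root cause for this report.

```python
"""Triage a failing GSSAPI ssh login from the artifacts a user pastes.

Parses `klist` output, an `ssh -vvv` transcript and the client
krb5.conf, then reports mismatches that commonly explain a fallback
to password prompts.  Sample inputs are constructed from the post.
"""
import re

# Constructed sample: klist output from the post, with "@" restored.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: vegai@HCOOP.NET

  Issued           Expires          Principal
Jun 11 09:00:52  Jun 11 19:00:51  krbtgt/HCOOP.NET@HCOOP.NET
"""

# Constructed sample: the authentication part of the ssh -vvv transcript.
SAMPLE_SSH_DEBUG = """\
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10
debug1: Miscellaneous failure (see text)
UNKNOWN_SERVER
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
Password:
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,gssapi-with-mic,keyboard-interactive).
"""

# Constructed sample: the attached krb5.conf (an unedited example file).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MY.REALM
    clockskew = 300
    v4_name_convert = {
        host = {
            rcmd = host
        }
    }
[realms]
    MY.REALM = {
        kdc = MY.COMPUTER
    }
    OTHER.REALM = {
        v4_instance_convert = {
            kerberos = kerberos
        }
    }
[domain_realm]
    .my.domain = MY.REALM
"""


def parse_klist(text):
    """Return cache name, principal and the realms of any TGTs held."""
    info = {"cache": None, "principal": None, "tgt_realms": []}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Credentials cache:"):
            info["cache"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Principal:"):
            info["principal"] = stripped.split(":", 1)[1].strip()
        m = re.search(r"krbtgt/([\w.-]+)@[\w.-]+", stripped)
        if m:
            info["tgt_realms"].append(m.group(1))
    return info


def parse_krb5_conf(text):
    """Return {section: {key: value}} for top-level keys of each section.

    Nested blocks ({ ... }) are recorded by name with an empty dict, so
    realm names under [realms] are visible without parsing their bodies.
    """
    sections, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[([\w.]+)\]$", line)
        if m and depth == 0:
            section = m.group(1)
            sections.setdefault(section, {})
            continue
        if line == "}":
            depth -= 1
            continue
        if "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                if depth == 0:
                    sections[section][key] = {}
                depth += 1
            elif depth == 0:
                sections[section][key] = value
    return sections


def parse_ssh_debug(text):
    """Extract offered methods, the order tried, GSSAPI error text and
    the final 'Permission denied' method list from an ssh -vvv log."""
    result = {"offered": [], "tried": [], "gssapi_errors": [], "denied": None}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"debug1: Authentications that can continue: (.*)", line)
        if m and not result["offered"]:
            result["offered"] = m.group(1).split(",")
            continue
        m = re.match(r"debug1: Next authentication method: (\S+)", line)
        if m:
            current = m.group(1)
            result["tried"].append(current)
            continue
        # Non-debug lines during the GSSAPI attempt are the library's error text.
        if current == "gssapi-with-mic" and not line.startswith("debug"):
            result["gssapi_errors"].append(line)
        m = re.match(r"Permission denied \((.*)\)", line)
        if m:
            result["denied"] = m.group(1).split(",")
    return result


def diagnose(klist, conf, ssh):
    """Return human-readable findings; an empty list means nothing obvious."""
    findings = []
    realm = klist["principal"].rsplit("@", 1)[-1] if klist["principal"] else None
    if not klist["tgt_realms"]:
        findings.append("no TGT in the credentials cache: run kinit first")
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if realm and default_realm and default_realm != realm:
        findings.append(f"default_realm is {default_realm} but the ticket is for {realm}")
    if realm and realm not in conf.get("realms", {}):
        findings.append(f"krb5.conf has no [realms] entry for {realm}; "
                        "KDC lookup depends entirely on DNS SRV records")
    if "gssapi-with-mic" in ssh["tried"] and ssh["gssapi_errors"]:
        findings.append("GSSAPI attempt failed: " + "; ".join(ssh["gssapi_errors"]))
        if any("UNKNOWN_SERVER" in e for e in ssh["gssapi_errors"]):
            findings.append("KDC reports the service principal as unknown: verify that "
                            "the ssh host name maps to a host/... principal in the KDC")
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_klist(SAMPLE_KLIST),
                      parse_krb5_conf(SAMPLE_KRB5_CONF),
                      parse_ssh_debug(SAMPLE_SSH_DEBUG)):
        print("-", f)
```

Run against the constructed samples it reports the realm mismatch, the missing `[realms]` entry for the ticket's realm, and the GSSAPI error text including UNKNOWN_SERVER; the same functions can be pointed at real `klist`, `ssh -vvv 2>&1` and `/etc/krb5.conf` captures.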