kerberos configuration to provide SSH authentication
Dear Debian-users;
This is my first mail on this mailing-list, let me know if you would like some more details about my issue.
I am trying to provide ssh authentication through kerberos (heimdal instantiation). I have got 3 servers: kerberos, kssh and kuser.
On kerberos I have created a principal user.
On kssh I have created a principal service:
root@kssh:~# kadmin -p philippe
philippe@LOCALNET.LAN's Password:
kadmin> add --random-key --use-defaults host/kssh.localnet.lan
kadmin> ext_keytab host/kssh.localnet.lan
On kuser I get a ticket and try the authentication:
philippe@kuser:~$ kinit
philippe@LOCALNET.LAN's Password:
philippe@kuser:~$ klist
Credentials cache: FILE:/tmp/krb5cc_2002
Principal: philippe@LOCALNET.LAN
Issued Expires Principal
May 15 15:34:13 May 16 01:34:13 krbtgt/LOCALNET.LAN@LOCALNET.LAN
philippe@kuser:~$ ssh -vv -K kssh
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
...
Apparently the gssapi method is not tested; I don't see any error/reason why in these traces.
I have no log on the ssh server side, and on kerberos I only have a trace showing that a connection attempt has been performed.
The lack of log on the ssh-server side makes me think of a client failure. I've run strace to get more information, but the only suspicious clue
stat64("/usr/etc/gss/mech", 0xbfa330cc) = -1 ENOENT (No such file or directory)
does not help much (the ssh client continues working and parsing kerberos configuration files after this, and apt-file search mech does not help either).
Finally, even though the authentication fails (Permission denied (publickey,gssapi-keyex,gssapi-with-mic).), running klist on the ssh-client side shows another ticket created just after the ssh connection attempt!
philippe@kuser:~$ klist
Credentials cache: FILE:/tmp/krb5cc_2002
Principal: philippe@GOELAND.LAN
Issued Expires Principal
May 15 15:55:12 May 16 01:55:12 krbtgt/GOELAND.LAN@GOELAND.LAN
May 15 15:56:38 May 16 01:55:12 host/kservices.goeland.lan@GOELAND.LAN
philippe@kuser:~$
Has anyone ever tried to implement this authentication? And can anyone help me figure out where I've messed things up?
Many thanks!
P
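The script below is an added example, not code from the mailing-list post or from Debian, Heimdal or OpenSSH. It turns the evidence the poster already has (the klist output after the failed ssh attempt, the sshd_config on the server, the keytab listing) into a first-pass diagnosis: if the client managed to obtain a host/<fqdn>@REALM service ticket, the KDC, the client's krb5 configuration and name resolution all worked, and the problem lies on the server side (GSSAPIAuthentication in sshd_config, or the host key missing from the keytab sshd reads); if only the TGT is there, the client never asked for a service ticket; if a host ticket for a different name was issued, the client canonicalised the ssh target to a name the server's keytab may not contain. The klist format assumed is the one quoted in the post; the sample klist, sshd_config and ktutil texts are constructed, and the function names are this example's own.

```python
"""Interpret Heimdal klist output after a failed `ssh -K`, plus two server-side checks.

Added example (not from the original post). Assumptions: the klist layout
shown in the post ("Issued  Expires  Principal" columns), OpenSSH's rule that
the first occurrence of a keyword in sshd_config wins, and Heimdal's default
keytab being what sshd reads. All sample texts below are constructed.
"""
import re

# Constructed sample modelled on the klist output quoted in the post.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_2002
Principal: philippe@GOELAND.LAN

  Issued           Expires          Principal
May 15 15:55:12  May 16 01:55:12  krbtgt/GOELAND.LAN@GOELAND.LAN
May 15 15:56:38  May 16 01:55:12  host/kservices.goeland.lan@GOELAND.LAN
"""

# Constructed sshd_config fragments: the OpenSSH default (GSSAPI off) and a corrected one.
SAMPLE_SSHD_DEFAULT = "#GSSAPIAuthentication no\nUsePAM yes\n"
SAMPLE_SSHD_FIXED = "GSSAPIAuthentication yes\n#GSSAPIAuthentication no\nUsePAM yes\n"

# Constructed, illustrative `ktutil list` output for the server's keytab.
SAMPLE_KTUTIL = """\
FILE:/etc/krb5.keytab

  Vno  Type                     Principal
    1  aes256-cts-hmac-sha1-96  host/kservices.goeland.lan@GOELAND.LAN
"""

# One ticket line: "May 15 15:55:12  May 16 01:55:12  principal@REALM"
TICKET_RE = re.compile(
    r"^(?P<issued>[A-Za-z]{3} +\d+ +\d\d:\d\d:\d\d) +"
    r"(?P<expires>[A-Za-z]{3} +\d+ +\d\d:\d\d:\d\d) +"
    r"(?P<principal>\S+)$"
)


def parse_klist(text):
    """Return (client principal or None, list of ticket principals)."""
    client, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            client = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(m.group("principal"))
    return client, tickets


def diagnose(klist_text, ssh_host_fqdn):
    """Classify where a GSSAPI ssh failure most likely lies, from klist evidence alone."""
    client, tickets = parse_klist(klist_text)
    if client is None:
        return "no-credentials"          # no cache at all: kinit never happened
    realm = client.partition("@")[2]
    if not any(t.startswith("krbtgt/") for t in tickets):
        return "no-tgt"                  # cache exists but holds no TGT
    host_tickets = [t for t in tickets if t.startswith("host/")]
    for t in host_tickets:
        name, _, ticket_realm = t.partition("@")
        if name == "host/" + ssh_host_fqdn.lower():
            # The KDC issued the service ticket: client side and KDC are fine.
            return "server-side" if ticket_realm == realm else "cross-realm:" + ticket_realm
    if host_tickets:
        # A host ticket exists, but for another name: the client resolved the
        # ssh target to a different canonical hostname than expected.
        return "name-mismatch:" + host_tickets[0]
    return "client-side"                 # TGT only: no service ticket was requested


def sshd_gssapi_enabled(config_text):
    """True if the effective GSSAPIAuthentication value is yes (first match wins; Match blocks not modelled)."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "gssapiauthentication":
            return parts[1].strip().lower() == "yes"
    return False                         # OpenSSH default is no


def keytab_lists_principal(ktutil_text, fqdn, realm):
    """True if the keytab listing mentions host/<fqdn>@<REALM> on any line."""
    wanted = "host/%s@%s" % (fqdn.lower(), realm)
    return any(wanted in line for line in ktutil_text.splitlines())


if __name__ == "__main__":
    print("client evidence:", diagnose(SAMPLE_KLIST, "kservices.goeland.lan"))
    print("sshd default config enables GSSAPI:", sshd_gssapi_enabled(SAMPLE_SSHD_DEFAULT))
    print("sshd fixed config enables GSSAPI:", sshd_gssapi_enabled(SAMPLE_SSHD_FIXED))
    print("keytab has host key:", keytab_lists_principal(SAMPLE_KTUTIL, "kservices.goeland.lan", "GOELAND.LAN"))
```

Run it on the real `klist`, `sshd_config` and `ktutil list` text instead of the samples; a "server-side" result combined with `sshd_gssapi_enabled` returning False explains a client trace that sends gssapi-with-mic packets and gets no error back, because sshd rejects the method without logging a GSSAPI failure.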