
kerberos configuration to provide SSH authentication
Dear Debian-users;

This is my first mail on this mailing list; let me know if you would like some more details about my issue.
I am trying to provide ssh authentication through kerberos (heimdal instantiation). I have got 3 servers: kerberos, kssh and kuser.

On kerberos I have created a user principal.

On kssh I have created a service principal:

root@kssh:~# kadmin -p philippe
philippe@LOCALNET.LAN's Password:
kadmin> add --random-key --use-defaults host/kssh.localnet.lan
kadmin> ext_keytab host/kssh.localnet.lan

On kuser I get a ticket and try the authentication:

philippe@kuser:~$ kinit
philippe@LOCALNET.LAN's Password:
philippe@kuser:~$ klist
Credentials cache: FILE:/tmp/krb5cc_2002
        Principal: philippe@LOCALNET.LAN

  Issued           Expires          Principal
May 15 15:34:13  May 16 01:34:13  krbtgt/LOCALNET.LAN@LOCALNET.LAN
philippe@kuser:~$ ssh -vv -K kssh
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
...

Apparently the gssapi method is not tested; I don't see any error or reason why in these traces.
I have no log on the ssh server side, and on kerberos I only have a trace showing that a connection attempt has been performed.
The lack of logs on the ssh-server side makes me think of a client failure. I've run strace to get more information, but the only suspicious clue

stat64("/usr/etc/gss/mech", 0xbfa330cc) = -1 ENOENT (No such file or directory)

does not help much (the ssh client continues working and parsing kerberos configuration files after this, and apt-file search mech does not help either).

Finally, even if the authentication fails (Permission denied (publickey,gssapi-keyex,gssapi-with-mic).), running klist on the ssh-client side shows another ticket created just after the ssh connection attempt!

philippe@kuser:~$ klist
Credentials cache: FILE:/tmp/krb5cc_2002
        Principal: philippe@GOELAND.LAN

  Issued           Expires          Principal
May 15 15:55:12  May 16 01:55:12  krbtgt/GOELAND.LAN@GOELAND.LAN
May 15 15:56:38  May 16 01:55:12  host/kservices.goeland.lan@GOELAND.LAN
philippe@kuser:~$

Has anyone ever tried to implement this authentication? And can anyone help me figure out where I've messed things up?

Many thanks!

P
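The klist output above ends up holding a ticket for host/kservices.goeland.lan while the keytab on the ssh server was extracted for host/kssh.localnet.lan, so one check worth doing is whether the service principal the client got a ticket for is actually present in the sshd host's keytab, since sshd can only accept a GSSAPI context for a principal whose key it holds. The script below is an added example, not part of the original post: it works on constructed samples of the client's klist output (values taken from the post) and of Heimdal's ktutil list output (its column layout is assumed).

```bash
#!/usr/bin/env bash
# Added diagnostic: compare the host/ service principals the client obtained
# tickets for (klist) with the principals present in the server keytab
# (ktutil list). A mismatch means sshd cannot accept the GSSAPI context.

# Constructed sample of `klist` on the client (values from the post).
KLIST_SAMPLE='Credentials cache: FILE:/tmp/krb5cc_2002
        Principal: philippe@GOELAND.LAN

  Issued           Expires          Principal
May 15 15:55:12  May 16 01:55:12  krbtgt/GOELAND.LAN@GOELAND.LAN
May 15 15:56:38  May 16 01:55:12  host/kservices.goeland.lan@GOELAND.LAN'

# Constructed sample of `ktutil list` on the ssh server (Heimdal layout
# assumed; the post extracted a keytab for host/kssh.localnet.lan).
KEYTAB_SAMPLE='Vno  Type                     Principal                              Aliases
  1  aes256-cts-hmac-sha1-96  host/kssh.localnet.lan@LOCALNET.LAN
  1  des3-cbc-sha1            host/kssh.localnet.lan@LOCALNET.LAN'

# host/ service principals from a klist listing (last column of ticket lines).
ticket_service_principals() {
    printf '%s\n' "$1" | awk '$NF ~ /^host\// { print $NF }' | sort -u
}

# Principals present in a keytab listing (third column, header skipped).
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /@/ { print $3 }' | sort -u
}

# For each ticketed service principal, report whether the keytab holds its key.
# Returns 0 when every one is present, 1 when at least one is missing.
check_service_principal() {
    local klist_out="$1" keytab_out="$2" p keytab rc=0
    keytab=$(keytab_principals "$keytab_out")
    for p in $(ticket_service_principals "$klist_out"); do
        if printf '%s\n' "$keytab" | grep -qxF "$p"; then
            echo "OK:      $p is in the server keytab"
        else
            echo "MISSING: $p is not in the server keytab (check DNS canonical name, realm and keytab)"
            rc=1
        fi
    done
    return $rc
}

check_service_principal "$KLIST_SAMPLE" "$KEYTAB_SAMPLE" \
    || echo "GSSAPI host principal mismatch between client ticket and server keytab"
```

On a real setup, feed it `klist` from the client and `ktutil list` from the ssh server, and also confirm that the name the ssh client canonicalises the host to (the one in the ticket) matches the keytab entry.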
