
Re: ssh + kerberosV



Matthijs Mohlmann wrote:

>>debug3: mm_request_receive_expect entering: type 38
>>debug3: mm_request_receive entering
>>Postponed gssapi for touche from 192.168.2.5 port 24831 ssh2
>>debug3: mm_request_send entering: type 39
>>debug3: monitor_read: checking request 39
>>debug1:  Miscellaneous failure (see text)
>>Decrypt integrity check failed
>>
>>debug1: Got no client credentials
> 
> 
> Got no client credentials ...
> 
> Do you have in /etc/ssh/ssh_config:
> KerberosAuthentication yes
> KerberosTGTPassing yes
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> 
> ssh doesn't forward credentials by default.
> 
no (they were not listed in default ssh_config so ...)

but this doesn't change much for sshd log.

ssh log contains:

debug1: Authentications that can continue: publickey,gssapi,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi,password,keyboard-interactive
debug3: preferred gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi
debug1: Next authentication method: gssapi
debug2: we sent a gssapi packet, wait for reply
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey

and when I check my ticket (same term as ssh):
$ klist -f
Credentials cache: FILE:/tmp/krb5cc_1000
         Principal: touche@VPN.WWW

   Issued           Expires        Flags    Principal
Nov 29 20:38:10  Nov 30 06:38:10  FI     krbtgt/VPN.WWW@VPN.WWW
Nov 29 20:38:27  Nov 30 06:38:10         host/etenemanki.vpn.www@VPN.WWW

in kdc.log (most probably the kinit and after ssh?):

2003-11-29T20:37:18 sending 621 bytes to IPv4:192.168.2.5
2003-11-29T20:38:10 AS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for krbtgt/VPN.WWW@VPN.WWW
2003-11-29T20:38:10 Using des3-cbc-sha1/des3-cbc-sha1
2003-11-29T20:38:10 Requested flags: forwardable
2003-11-29T20:38:10 sending 560 bytes to IPv4:192.168.2.5
2003-11-29T20:38:27 TGS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for host/etenemanki.vpn.www@VPN.WWW
2003-11-29T20:38:27 sending 588 bytes to IPv4:192.168.2.5
2003-11-29T20:38:27 TGS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for krbtgt/VPN.WWW@VPN.WWW [forwarded, forwardable]
2003-11-29T20:38:27 sending 621 bytes to IPv4:192.168.2.5


Regards


		Julien