On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> 
> > Yes it is, but I need to see also what you get on the successful ssh
> > case, klist is all I need to see, no other output.
> > 
> > Also does it work all the time if you use the command
> > 
> > ssh -K dean@desktop2 ?

you did not try the above ^^ :-)


> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter....@hunter.org
> 
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 21:14:18 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> 
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache
> FILE:/tmp/krb5cc_1440800001)
> 
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter....@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40
> host/desktop2.hunter....@hunter.org
> 
> [dean@ipa2 ~]$ su -
> Password: 
> 
> [root@ipa2 ~]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> 
> [root@ipa2 ~]# ssh dean@desktop2
> dean@desktop2's password: 
> Last login: Thu Sep 12 11:16:15 2013 from ipa2.hunter.org

> [dean@desktop2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktrhI7WX
> Default principal: d...@hunter.org
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/hunter....@hunter.org
> 09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.hunter....@hunter.org
> 
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> 
> [root@ipa2 ~]# logout
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter....@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40
> host/desktop2.hunter....@hunter.org
> 
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Thu Sep 12 11:17:39 2013 from ipa2.hunter.org
> 
> [dean@desktop2 ~]$ klist
> klist: No credentials cache found (ticket cache
> FILE:/tmp/krb5cc_1440800001)
> 
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter....@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40
> host/desktop2.hunter....@hunter.org
> 
> reboot ....
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktLOSJxT
> Default principal: d...@hunter.org
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter....@hunter.org
> 
> [dean@ipa2 ~]$ ssh -k dean@desktop2
> Last login: Thu Sep 12 11:22:31 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> 
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache
> FILE:/tmp/krb5cc_1440800001)
> 
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktLOSJxT
> Default principal: d...@hunter.org
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter....@hunter.org
> 09/12/13 11:24:43  09/13/13 11:23:56
> host/desktop2.hunter....@hunter.org
> 


However here is the exact explanation of what is going on.

The first time you ssh in you are not using password authentication but
SSO (GSSAPI auth) *however* you are not delegating credentials to
desktop2 (-K option).

What this means is that ssh can allow you in because you have a valid
ticket, but once you land on the machine there are no credentials
available there locally so the NFS client has no way to authenticate you
to the NFS server.

Later on when you do the su - and the ssh you are doing password
authentication instead. *That* is the key difference; the fact that you
do su - is a red herring and only causes you to not have credentials to
use and makes ssh fall back to password authentication.

You can obtain the same effect calling kdestroy instead of su - or
telling ssh to not use GSSAPI for auth.

Anyway when you authenticate with a password you give the target system
your password which it will use to obtain a ticket for you and it places
the ticket in the DIR:/run/user/... directory.

There the NFS client can find it and uses it to authenticate your user
to the NFS Server, so you can access the home directory no problem.

The second time you do a straight ssh with GSSAPI auth (no password
requested) it works because the cache generated with the previous
attempt hasn't been removed, so the NFS client still finds it.

Finally it starts failing again after reboot because /run/user is a
tmpfs and gets wiped at reboot.


Bottom line: if you need credentials on the target system (and you need
them because you are using kerberized NFS for homes) you either use ssh
-K dean@desktop2 so that you forward credentials each time, or you force
your client to use password authentication so the target system can
fetch credentials on its own.


HTH, Simo.



-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
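The diagnosis above boils down to one question: after the login, does the target host hold a credential cache the NFS client can use? The script below is an added example, not code from the thread, from FreeIPA or from Simo; it classifies `klist` output into the states seen in the exchange (no cache, TGT only, TGT plus service tickets) and checks whether an `ssh_config` would delegate credentials to a given host, following ssh's first-match rule for `Host` blocks (only an exact hostname or `*` pattern is handled here). The sample `klist` outputs and the sample `ssh_config` are constructed for the example; the realm `HUNTER.ORG` and the service principals are assumed, since the thread redacts them. Two caveats worth keeping in mind when applying the fix: `ssh -K` (upper case) enables delegation while `ssh -k` (lower case) disables it, which is why the `-k` attempt in the quoted output still shows no cache; and a delegated TGT can be used by anyone with root on the target host for the lifetime of the ticket, so `GSSAPIDelegateCredentials yes` belongs in a `Host` block for machines you trust rather than under `Host *`.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): helpers for checking whether
# a Kerberos credential cache is actually present on the target host after an
# ssh login, and whether ssh_config would delegate credentials to that host.

# Constructed klist outputs mirroring the three states seen in the thread.
# Realm and service principals are assumed values, not the thread's.
SAMPLE_NONE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1440800001)'

SAMPLE_TGT='Ticket cache: DIR::/run/user/1440800001/krb5cc/tktH9faWP
Default principal: dean@HUNTER.ORG

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/HUNTER.ORG@HUNTER.ORG'

SAMPLE_TGT_NFS='Ticket cache: DIR::/run/user/1440800001/krb5cc/tktrhI7WX
Default principal: dean@HUNTER.ORG

Valid starting     Expires            Service principal
09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/HUNTER.ORG@HUNTER.ORG
09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.hunter.org@HUNTER.ORG'

# Constructed ssh_config: delegate only to desktop2, never by default.
SAMPLE_SSH_CONFIG='Host desktop2
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no'

# klist_state: classify klist output read on stdin. Prints one of:
#   none    - no credentials cache (GSSAPI login without delegation, or the
#             DIR: cache under /run/user was wiped by a reboot)
#   notgt   - a cache exists but holds no krbtgt (expired or foreign tickets)
#   tgt     - a TGT is present but no service ticket has been obtained yet
#   tgt+svc - TGT plus at least one service ticket (for example nfs/...)
klist_state() {
    out=$(cat)
    case "$out" in
        *'No credentials cache found'*) echo none; return 0 ;;
    esac
    # Ticket lines carry a principal of the form service/host@REALM; the
    # "Ticket cache:" and "Default principal:" lines never match this shape.
    svc=$(printf '%s\n' "$out" | grep -Ec '[A-Za-z0-9_-]+/[^[:space:]@]+@[^[:space:]]+' || true)
    tgt=$(printf '%s\n' "$out" | grep -c 'krbtgt/' || true)
    if [ "$tgt" -eq 0 ]; then
        echo notgt
    elif [ "$svc" -gt "$tgt" ]; then
        echo tgt+svc
    else
        echo tgt
    fi
}

# login_advice: map a klist_state result to the remedy from the thread.
login_advice() {
    case "$1" in
        none)    echo 'no credentials on this host: log in with ssh -K (GSSAPIDelegateCredentials yes) or with password auth so sssd can obtain a TGT' ;;
        notgt)   echo 'cache present but no TGT: kinit or log in again' ;;
        tgt)     echo 'TGT present: the NFS client can request nfs/ tickets on first access' ;;
        tgt+svc) echo 'TGT and service tickets present: kerberized NFS should work' ;;
        *)       echo "unknown state: $1"; return 1 ;;
    esac
}

# ssh_gssapi_delegates HOST: read ssh_config on stdin, print yes/no for whether
# GSSAPIDelegateCredentials would be on for HOST. Mirrors ssh's rule that the
# first obtained value wins; directives outside any Host block apply everywhere.
ssh_gssapi_delegates() {
    awk -v host="$1" '
        BEGIN { active = 1; val = "" }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if ($i == host || $i == "*") active = 1
            next
        }
        active && tolower($1) == "gssapidelegatecredentials" && val == "" { val = tolower($2) }
        END { print (val == "yes") ? "yes" : "no" }
    '
}

# Usage on a real host: klist 2>&1 | klist_state, then feed the result to
# login_advice; ssh_gssapi_delegates desktop2 < ~/.ssh/config
```

On a real target the first pipeline is `klist 2>&1 | klist_state`, since `klist` writes the "No credentials cache found" message to stderr. The `DIR:` cache path in the thread's output is the detail that explains the reboot symptom: a `FILE:/tmp/krb5cc_UID` cache would survive a reboot on most systems, a `DIR::/run/user/UID/...` cache lives on tmpfs and does not.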