David Kreuter wrote:
Yesterday I installed the FreeIPA client on machine and after the
installation the login with password worked fine. After that I tried to
login with a valid Kerberos ticket and it failed. First i traced the ssh
login:

ssh -vvv da...@test.example.com
---cut---
debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80),
debug2: key: /home/david/.ssh/id_dsa ((nil)),
debug2: key: /home/david/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/david/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/david/.ssh/id_dsa
debug3: no such identity: /home/david/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/david/.ssh/id_ecdsa
debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or
directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
---cut---

Then I enabled the log for SSH on the IPA client machine and faced
following error:

---cut---
Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david"
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to
"10.100.3.2"
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user
david service ssh-connection method gssapi-with-mic
Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0
Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure.
  Minor code may provide more information\nNo key table entry found
matching host/infra01@\n
---cut---

Unspecified GSS failure.  Minor code may provide more information.No key
table entry found matching host/infra01@\n.

After that I tried to receive a ticket on the IPA client machine and
everything worked fine:

kinit <user>
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: david@<realm>.INFO

Valid starting     Expires            Service principal
04/16/14 23:24:51  04/17/14 23:24:47  krbtgt/...
04/16/14 23:25:51  04/17/14 23:24:47  host/...

kvno -k /etc/krb5.keytab host/...
host/...: kvno = 1, keytab entry valid

So the Kerberos setup on the machine seems to be fine, but still the
login SSH using Keberos is not working. GSSAPI is correctly enabled in
the sshd configuration file. Any hint is highly appreciated. Thanks.


Seems like sshd looked for the wrong key. Run klist -kt /etc/krb5.keytab and see what principal is there. sshd didn't look for a FQDN according to your log.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to