Shawn M Emery wrote:
> Trygve Laugstøl wrote:
>> Hi
>>
>> I'm playing around with Kerberos and *think* everything is properly
>> set up. I'm running a KDC on Debian unstable (which is MIT KDC
>> 1.6.something) which seems to work just fine. I can get a TGT. I'm
>> also running a DNS on my LAN which is resolving all domain names to
>> full domains etc.
>>
>> I can ssh to the Debian server just fine, but I'm unable to ssh to
>> another Solaris machine. The Solaris boxes are running b90.
>>
>> This is the output when connecting to the Debian machine:
>>
>> ================================================================================
>>
>> -bash-3.2# ssh -v trygvis@kyle
>> Sun_SSH_1.2, SSH protocols 1.5/2.0, OpenSSL 0x0090801f
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Rhosts Authentication disabled, originating port will not be trusted.
>> debug1: ssh_connect: needpriv 0
>> debug1: Connecting to kyle [10.0.0.5] port 22.
>> debug1: Connection established.
>> debug1: identity file /root/.ssh/identity type -1
>> debug1: identity file /root/.ssh/id_rsa type -1
>> debug1: identity file /root/.ssh/id_dsa type -1
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9
>> debug1: match: OpenSSH_4.3p2 Debian-9 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-Sun_SSH_1.2
>> debug1: ssh_gssapi_init_ctx(80b9370, kyle, 0, 0, 8047b28)
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-ctr hmac-md5 none
>> debug1: kex: client->server aes128-ctr hmac-md5 none
>> debug1: Peer sent proposed langtags, ctos:
>> debug1: Peer sent proposed langtags, stoc:
>> debug1: We proposed langtags, ctos: i-default
>> debug1: We proposed langtags, stoc: i-default
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>> debug1: dh_gen_key: priv key bits set: 122/256
>> debug1: bits set: 1004/2048
>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>> debug1: Host 'kyle' is known and matches the RSA host key.
>> debug1: Found key in /root/.ssh/known_hosts:5
>> debug1: bits set: 1052/2048
>> debug1: ssh_rsa_verify: signature correct
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: done: ssh_kex2.
>> debug1: send SSH2_MSG_SERVICE_REQUEST
>> debug1: got SSH2_MSG_SERVICE_ACCEPT
>> debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
>> debug1: Next authentication method: gssapi-keyex
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: ssh_gssapi_init_ctx(8106328, kyle, 0, 0, 8047ac8)
>> debug1: ssh_gssapi_init_ctx(8106208, kyle, 0, 0, 8047b58)
>> debug1: ssh_gssapi_init_ctx(8106208, kyle, 0, 8047b38, 8047b40)
>> debug1: Authentication succeeded (gssapi-with-mic)
>> debug1: channel 0: new [client-session]
>> debug1: send channel open 0
>> debug1: Entering interactive session.
>> debug1: ssh_session2_setup: id 0
>> debug1: channel request 0: env
>> debug1: channel request 0: pty-req
>> debug1: channel request 0: shell
>> debug1: fd 4 setting TCP_NODELAY
>> debug1: channel 0: open confirm rwindow 0 rmax 32768
>> Linux kyle 2.6.18-3-486 #1 Sun Dec 10 18:57:11 UTC 2006 i686
>> You have new mail.
>> Last login: Sat Jul 5 21:18:39 2008 from telestes.eugenies.inamo.no
>> 21:19:19 up 37 days, 3:06, 7 users, load average: 0.36, 0.24, 0.18
>> [21:19:20][trygvis@kyle:~]$
>> ================================================================================
>>
>> This is the output when I'm connecting to my solaris zone:
>>
>> ================================================================================
>>
>> -bash-3.2# ssh -v trygvis@zone0
>> Sun_SSH_1.2, SSH protocols 1.5/2.0, OpenSSL 0x0090801f
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Rhosts Authentication disabled, originating port will not be trusted.
>> debug1: ssh_connect: needpriv 0
>> debug1: Connecting to zone0 [10.0.0.125] port 22.
>> debug1: Connection established.
>> debug1: identity file /root/.ssh/identity type -1
>> debug1: identity file /root/.ssh/id_rsa type -1
>> debug1: identity file /root/.ssh/id_dsa type -1
>> debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.2
>> debug1: match: Sun_SSH_1.2 pat Sun_SSH_1.2*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-Sun_SSH_1.2
>> debug1: ssh_gssapi_init_ctx(80b9370, zone0, 0, 0, 8047b28)
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-ctr hmac-md5 none
>> debug1: kex: client->server aes128-ctr hmac-md5 none
>> debug1: Peer sent proposed langtags, ctos: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hi-IN,hr-HR,hu-HU,is-IS,it,it-IT,ja-JP,ko,ko-KR,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,ta-IN,te-IN,th-TH,tr-TR,zh,zh-CN,zh-HK,zh-TW,ar,ca,cs,da,el,et,fi,he,hu,ja,lt,lv,nl,no,no-NO,no-NY,pt,sr-SP,sr-YU,th,tr,i-default
>> debug1: Peer sent proposed langtags, stoc: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hi-IN,hr-HR,hu-HU,is-IS,it,it-IT,ja-JP,ko,ko-KR,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,ta-IN,te-IN,th-TH,tr-TR,zh,zh-CN,zh-HK,zh-TW,ar,ca,cs,da,el,et,fi,he,hu,ja,lt,lv,nl,no,no-NO,no-NY,pt,sr-SP,sr-YU,th,tr,i-default
>> debug1: We proposed langtags, ctos: i-default
>> debug1: We proposed langtags, stoc: i-default
>> debug1: Negotiated lang: i-default
>> debug1: dh_gen_key: priv key bits set: 135/256
>> debug1: bits set: 511/1024
>> debug1: Calling gss_init_sec_context
>> debug1: ssh_gssapi_init_ctx(80baa80, zone0, 0, 0, 8047b38)
>> debug1: Remote: Negotiated main locale: C
>> debug1: Remote: Negotiated messages locale: C
>> debug1: Received KEXGSS_HOSTKEY
>> Server had a GSS-API error; the connection will close (458752/2):
>> No credentials were supplied, or the credentials were unavailable or inaccessible
>> No such file or directory
>>
>
> The ssh server tried to take the service ticket, that was forwarded
> by the client, to decrypt its contents. However, it was unable to do so
> given that it wasn't able to find the "host" service keys in which the
> service ticket was encrypted. The host service keys are stored, by
> default, in /etc/krb5/krb5.keytab. Please create this file populated
> with the associated "host" keys on the ssh server.

Right you are, thanks!

[snip]

--
Trygve
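
Added example, not part of the original thread or of any project's code: the "(458752/2)" pair in the failing zone0 session is a GSS-API major/minor status, and this sketch decodes the major status with the RFC 2744 bit layout and flags the missing-keytab case diagnosed above. The names decode_major and triage and the hint text are illustrative, and reading the minor status as an errno value is an assumption taken from the "No such file or directory" text in the log.

```python
import errno
import re

# Routine-error names from RFC 2744 (bits 16-23 of the major status).
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
# Calling errors live in bits 24-31, supplementary flags in bits 0-15.
CALLING_ERRORS = {1: "GSS_S_CALL_INACCESSIBLE_READ",
                  2: "GSS_S_CALL_INACCESSIBLE_WRITE",
                  3: "GSS_S_CALL_BAD_STRUCTURE"}
SUPPLEMENTARY = ["GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN",
                 "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN"]
GSS_ERROR_RE = re.compile(r"GSS-API error.*\((\d+)/(\d+)\)")

def decode_major(major):
    """Split a GSS-API major status into its three RFC 2744 fields."""
    return {
        "calling": CALLING_ERRORS.get((major >> 24) & 0xFF),
        "routine": ROUTINE_ERRORS.get((major >> 16) & 0xFF),
        "supplementary": [n for i, n in enumerate(SUPPLEMENTARY) if major & (1 << i)],
    }

def triage(log_text):
    """Return one finding per GSS-API error line found in `ssh -v` output."""
    findings = []
    for m in GSS_ERROR_RE.finditer(log_text):
        major, minor = int(m.group(1)), int(m.group(2))
        status = decode_major(major)
        # Assumption: the minor status is an errno value, as the log text suggests.
        status["minor"] = errno.errorcode.get(minor, str(minor))
        status["hint"] = None
        if status["routine"] == "GSS_S_NO_CRED" and status["minor"] == "ENOENT":
            status["hint"] = "acceptor has no keytab: check /etc/krb5/krb5.keytab on the server"
        findings.append(status)
    return findings

# Error lines copied from the zone0 session quoted in the thread.
SAMPLE = ("debug1: Received KEXGSS_HOSTKEY\n"
          "Server had a GSS-API error; the connection will close (458752/2):\n"
          "No credentials were supplied, or the credentials were unavailable or inaccessible\n")

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```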