-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks to everybody who helped me to solve it. The only thing I didn't
understand at first was to add the host principal's key of the server I wanted
to connect to to /etc/krb5.keytab on that server.
What helped me most was to run the sshd daemon with highest debug (i.e. the
-ddd parameter).
Thank you again.

lukas

On Thu, 31 Jul 2003, Lukas Kubin wrote:

> On Thu, 31 Jul 2003, Vladimir Terziev wrote:
>
> >
> > Your ssh client has not even tried to use kerberos. I have the following
> > questions:
> >
> > 1. Did you make `kinit' before ssh? You have to get a ticket before trying kerberized
> > ssh.
>
> Yes, I did.
>
> > 2. Would you supply the result from "ldd `which ssh`" ?
>
> libresolv.so.2 => /lib/libresolv.so.2 (0x4001b000)
> libkrb4.so.2 => /usr/lib/libkrb4.so.2 (0x4002c000)
> libutil.so.1 => /lib/libutil.so.1 (0x40048000)
> libz.so.1 => /usr/lib/libz.so.1 (0x4004b000)
> libnsl.so.1 => /lib/libnsl.so.1 (0x40058000)
> libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x4006b000)
> libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x4015c000)
> libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x4016e000)
> libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x401cc000)
> libcom_err.so.2 => /lib/libcom_err.so.2 (0x401ec000)
> libc.so.6 => /lib/libc.so.6 (0x401ef000)
> libdes425.so.3 => /usr/lib/libdes425.so.3 (0x402ff000)
> libdl.so.2 => /lib/libdl.so.2 (0x40303000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>
> Thanks.
>
> lukas
>
> >
> > Vlady
> >
> >
> > On Thu, 31 Jul 2003 11:33:42 +0200 (CEST)
> > Lukas Kubin <[EMAIL PROTECTED]> wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On Thu, 31 Jul 2003, Vladimir Terziev wrote:
> > >
> > > >
> > > > Please supply the full debug output from `ssh -v' and I'll try to figure out
> > > > the problem.
> > > >
> > > >
> > > > Vlady
> > >
> > > OK, thank you. The output follows:
> > >
> > > OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-1 Debian_krb5 3.6.1p2-1 Debian_krb5
> > > 3.6.1p2-1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
> > > debug1: Reading configuration data /etc/ssh/ssh_config
> > > debug1: Rhosts Authentication disabled, originating port will not be
> > > trusted.
> > > debug1: Connecting to <deleted> [<deleted>] port 22.
> > > debug1: Connection established.
> > > debug1: identity file /home/lukas/.ssh/identity type -1
> > > debug1: identity file /home/lukas/.ssh/id_rsa type 1
> > > debug1: identity file /home/lukas/.ssh/id_dsa type -1
> > > debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1
> > > Debian_krb5 3.4p1-0woody1
> > > debug1: match: OpenSSH_3.4p1 Debian_krb5 3.4p1-0woody1 pat
> > > OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*
> > > debug1: Enabling compatibility mode for protocol 2.0
> > > debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-1
> > > Debian_krb5 3.6.1p2-1 Debian_krb5 3.6.1p2-1
> > > debug1: Mechanism encoded as toWM5Slw5Ew8Mqkay+al2g==
> > > debug1: Mechanism encoded as A/vxljAEU54gt9a48EiANQ==
> > > debug1: SSH2_MSG_KEXINIT sent
> > > debug1: SSH2_MSG_KEXINIT received
> > > debug1: kex: server->client aes128-cbc hmac-md5 none
> > > debug1: kex: client->server aes128-cbc hmac-md5 none
> > > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> > > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > > debug1: Host '<deleted>' is known and matches the RSA host key.
> > > debug1: Found key in /home/lukas/.ssh/known_hosts:19
> > > debug1: ssh_rsa_verify: signature correct
> > > debug1: SSH2_MSG_NEWKEYS sent
> > > debug1: expecting SSH2_MSG_NEWKEYS
> > > debug1: SSH2_MSG_NEWKEYS received
> > > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > debug1: Next authentication method: external-keyx
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > debug1: Next authentication method: gssapi
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > debug1: Next authentication method: publickey
> > > debug1: Trying private key: /home/lukas/.ssh/identity
> > > debug1: Offering public key: /home/lukas/.ssh/id_rsa
> > > debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x808bb28 hint
> > > 1
> > > debug1: PEM_read_PrivateKey failed
> > > debug1: read PEM private key done: type <unknown>
> > > Enter passphrase for key '/home/lukas/.ssh/id_rsa':
> > > debug1: Trying private key: /home/lukas/.ssh/id_dsa
> > > debug1: Next authentication method: keyboard-interactive
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > debug1: Next authentication method: password
> > > root@<deleted>'s password:
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > Permission denied, please try again.
> > > root@<deleted>'s password:
> > > debug1: Authentications that can continue:
> > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > Permission denied, please try again.
> > > root@<deleted>'s password:
> > > Received disconnect from <deleted>: 2: Too many authentication failures
> > > for root
> > > debug1: Calling cleanup 0x8061400(0x0)
> > >
> > >
> > > >
> > > > On Thu, 31 Jul 2003 09:37:29 +0200 (CEST)
> > > > Lukas Kubin <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > I tried it but it didn't work. I have
> > > > >
> > > > > 1. created .k5login file in the root's home at remote server and put
> > > > > [EMAIL PROTECTED] there
> > > > > 2. used the command "ssh -v [EMAIL PROTECTED]"
> > > > >
> > > > > But the server still wants me to authenticate using public key or password
> > > > > only. This is part of what it returned with the "-v" option:
> > > > >
> > > > > ==========
> > > > > debug1: Authentications that can continue:
> > > > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > > > debug1: Next authentication method: external-keyx
> > > > > debug1: Authentications that can continue:
> > > > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > > > debug1: Next authentication method: gssapi
> > > > > debug1: Authentications that can continue:
> > > > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > > > debug1: Authentications that can continue:
> > > > > external-keyx,gssapi,publickey,password,keyboard-interactive
> > > > > debug1: Next authentication method: publickey
> > > > > ==========
> > > > >
> > > > > Both server and client are Debian Linux with kerberized OpenSSH (from the
> > > > > supplied package).
> > > > > What should I try next to make it work?
> > > > > Thank you.
> > > > >
> > > > > lukas
> > > > >
> > > > > On Wed, 30 Jul 2003, Steve Langasek wrote:
> > > > >
> > > > > > On Wed, Jul 30, 2003 at 04:00:28PM +0200, Lukas Kubin wrote:
> > > > > >
> > > > > > > How can I login through SSH to administer a remote server? I mean, I have
> > > > > > > a principal, say "user" and need to authenticate using kerberized SSH to
> > > > > > > become root on the remote server.
> > > > > > > Thank you.
> > > > > >
> > > > > > If using gssapi or krb5 authentication, you would add that principal to
> > > > > > root's .k5login file; acquire a TGT for that user; and run
> > > > > > 'ssh [EMAIL PROTECTED]' or 'ssh -l root server'. This will grant you
> > > > > > Kerberos-based access to the root account.
> > > > > >
> > > > > > --
> > > > > > Steve Langasek
> > > > > > postmodern programmer
> > > > > >
> > > > >
> > > > > - --
> > > > > Lukas Kubin
> > > > >
> > > > > phone: +420596398285
> > > > > email: [EMAIL PROTECTED]
> > > > >
> > > > > Information centre
> > > > > The School of Business Administration in Karvina
> > > > > Silesian University in Opava
> > > > > Czech Republic
> > > > > http://www.opf.slu.cz
> > > > > -----BEGIN PGP SIGNATURE-----
> > > > > Version: GnuPG v1.2.1 (GNU/Linux)
> > > > > Comment: Made with pgp4pine 1.75-6
> > > > >
> > > > > iD8DBQE/KMc/hukdIiZrwu4RAsoAAJ9c2ECgX0L+gobc+mfESo8Y1K6YjwCgigGu
> > > > > 1zdOgKB73w3pXr5yeLvhkjc=
> > > > > =uLna
> > > > > -----END PGP SIGNATURE-----
> > > > >
> > > > > ________________________________________________
> > > > > Kerberos mailing list [EMAIL PROTECTED]
> > > > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > > >
> > >
> > > - --
> > > Lukas Kubin
> > >
> > > phone: +420596398285
> > > email: [EMAIL PROTECTED]
> > >
> > > Information centre
> > > The School of Business Administration in Karvina
> > > Silesian University in Opava
> > > Czech Republic
> > > http://www.opf.slu.cz
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.1 (GNU/Linux)
> > > Comment: Made with pgp4pine 1.75-6
> > >
> > > iD8DBQE/KOJ7hukdIiZrwu4RAqRtAKCD/Y7mRUxRoA6umGKiA5vRTHEcggCeKYdh
> > > 15vZufrH48MITRw8CDIz8Js=
> > > =AyBM
> > > -----END PGP SIGNATURE-----
> >
>
> --
> Lukas Kubin
>
> phone: +420596398285
> email: [EMAIL PROTECTED]
>
> Information centre
> The School of Business Administration in Karvina
> Silesian University in Opava
> Czech Republic
> http://www.opf.slu.cz
>
> ------------ Output from gpg ------------
> gpg: Signature made Thu Jul 31 13:31:51 2003 CEST using DSA key ID 266BC2EE
> gpg: Good signature from "Lukas Kubin <[EMAIL PROTECTED]>"
> gpg: aka "Lukas Kubin <[EMAIL PROTECTED]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 5E66 C9C5 E804 3D09 8559 9A37 86E9 1D22 266B C2EE
>

- --
Lukas Kubin

phone: +420596398285
email: [EMAIL PROTECTED]

Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Made with pgp4pine 1.75-6

iD8DBQE/KRovhukdIiZrwu4RAsTsAJ98vvuLDRjWhcNyWdV4l+l18LG47ACfQmjO
fMboCOBw+eVgPeJTbqHldrU=
=IqSf
-----END PGP SIGNATURE-----
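
The resolution in the top message (the server's keytab lacked its own host principal key), as an added example that is not part of the original thread: a shell check that a saved `ssh -v` log shows gssapi being tried and skipped, and that `klist -k` output taken on the server lists a `host/<fqdn>` key. The host name, realm and keytab listings are constructed, the ssh lines are abridged from the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. server.example.org, EXAMPLE.ORG and the
# klist listings are constructed; the ssh lines are abridged from the -v output.

# Succeeds when `klist -k` output on stdin lists host/<fqdn>@<any realm>.
keytab_has_host_key() {
    awk -v want="host/$1" '
        { split($2, p, "@"); if (p[1] == want) found = 1 }
        END { exit !found }'
}

# Succeeds when `ssh -v` output on stdin shows a gssapi attempt followed by
# another method, i.e. the server did not complete Kerberos authentication.
# The prefix match also covers later method names such as gssapi-with-mic.
gssapi_fell_through() {
    awk '/Next authentication method: / {
            if (tried && $NF !~ /^gssapi/) fell = 1
            if ($NF ~ /^gssapi/) tried = 1
         }
         END { exit !fell }'
}

# diagnose <server-fqdn> <klist -k text> <ssh -v text>
diagnose() {
    if ! printf '%s\n' "$3" | gssapi_fell_through; then
        echo "no failed gssapi attempt seen: check kinit and client GSSAPI support"
    elif printf '%s\n' "$2" | keytab_has_host_key "$1"; then
        echo "host key present: run sshd -ddd and check root's .k5login"
    else
        echo "missing host/$1 in keytab: add it (kadmin ktadd) on the server"
    fi
}

SSH_LOG='debug1: Next authentication method: external-keyx
debug1: Next authentication method: gssapi
debug1: Authentications that can continue: external-keyx,gssapi,publickey
debug1: Next authentication method: publickey'

KEYTAB_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------
   2 ldap/server.example.org@EXAMPLE.ORG'

KEYTAB_AFTER="$KEYTAB_BEFORE
   3 host/server.example.org@EXAMPLE.ORG"

diagnose server.example.org "$KEYTAB_BEFORE" "$SSH_LOG"
diagnose server.example.org "$KEYTAB_AFTER" "$SSH_LOG"
```

The principal is compared as an exact string, so a keytab holding only a key for the short host name does not pass a check for the fully qualified name.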
