Are the tickets forwardable? kinit -f or klist -f to see flags.

Eric Knauel wrote:
> 
> Hi,
> 
> I'm trying to set up OpenSSH 3.8.1p1 for use with GSS and Kerberos 5
> --- and it works almost fine. There are several FreeBSD 5.2 machines
> here that run a sshd with GSSAPIAuthentication turned on. Together
> with GSSAPIAuthentication and GSSAPIDelegateCredentials turned on in
> ssh_config, I can forward my Kerberos 5 ticket and log on to every
> machine without having to provide a password. All the FreeBSD
> machines use Heimdal Kerberos.
> 
> However, obtaining a ticket on a FreeBSD machine and forwarding it to
> an OS X machine (v10.3.2) with the same ssh/sshd setup fails. The
> sshd on the OS X machine just sits there forever (in select()). On
> the other hand, I can forward the tickets obtained on an OS X machine
> to a FreeBSD machine without problems.
> 
> Here are some debug logs. First, a FreeBSD client (duff) that is
> talking to the OS X machine, which is exactly the case where
> forwarding fails:
> 
> ,----
> | [EMAIL PROTECTED] ~] klist
> | Credentials cache: FILE:/tmp/krb5cc_Kd1UdA
> | Principal: [EMAIL PROTECTED]
> | 
> |   Issued           Expires          Principal
> | Apr 29 15:48:59  Apr 30 16:48:59  krbtgt/[EMAIL PROTECTED]
> | Apr 29 15:48:59  Apr 30 16:48:59  [EMAIL PROTECTED]
> | [EMAIL PROTECTED] ~] ssh -v -F ~/.ssh/config-gss midgard
> | OpenSSH_3.8.1p1, OpenSSL 0.9.7c 30 Sep 2003
> | debug1: Reading configuration data /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/config-gss
> | debug1: Connecting to midgard [134.2.12.82] port 22.
> | debug1: Connection established.
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/identity type -1
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_rsa type -1
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_dsa type 2
> | debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
> | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
> | debug1: Enabling compatibility mode for protocol 2.0
> | debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
> | debug1: SSH2_MSG_KEXINIT sent
> | debug1: SSH2_MSG_KEXINIT received
> | debug1: kex: server->client aes128-cbc hmac-md5 none
> | debug1: kex: client->server aes128-cbc hmac-md5 none
> | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> | debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> | debug1: Host 'midgard' is known and matches the RSA host key.
> | debug1: Found key in /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/known_hosts:191
> | debug1: ssh_rsa_verify: signature correct
> | debug1: SSH2_MSG_NEWKEYS sent
> | debug1: expecting SSH2_MSG_NEWKEYS
> | debug1: SSH2_MSG_NEWKEYS received
> | debug1: SSH2_MSG_SERVICE_REQUEST sent
> | debug1: SSH2_MSG_SERVICE_ACCEPT received
> | debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
> | debug1: Next authentication method: gssapi-with-mic
> | debug1: Delegating credentials
> | [ Ends here, hangs forever ]
> `----
> 
> The OS X machine on the other side says:
> 
> ,----
> | %/usr/openssh/sbin/sshd -d -d
> | debug2: read_server_config: filename /etc/openssh/sshd_config
> | debug1: sshd version OpenSSH_3.8.1p1
> | debug1: read PEM private key done: type RSA
> | debug1: private host key: #0 type 1 RSA
> | debug1: read PEM private key done: type DSA
> | debug1: private host key: #1 type 2 DSA
> | debug1: Bind to port 22 on ::.
> | debug1: Bind to port 22 on 0.0.0.0.
> | Server listening on 0.0.0.0 port 22.
> | debug1: Server will not fork when running in debugging mode.
> | Connection from 134.2.12.76 port 49992
> | debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
> | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
> | debug1: Enabling compatibility mode for protocol 2.0
> | debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
> | debug2: Network child is on pid 15624
> | debug1: permanently_set_uid: 75/75
> | debug1: list_hostkey_types: ssh-rsa,ssh-dss
> | debug1: SSH2_MSG_KEXINIT sent
> | debug1: SSH2_MSG_KEXINIT received
> | debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> | debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
> | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
> | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> | debug2: kex_parse_kexinit: none,zlib
> | debug2: kex_parse_kexinit: none,zlib
> | debug2: kex_parse_kexinit: 
> | debug2: kex_parse_kexinit: 
> | debug2: kex_parse_kexinit: first_kex_follows 0
> | debug2: kex_parse_kexinit: reserved 0
> | debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> | debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
> | debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
> | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> | debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> | debug2: kex_parse_kexinit: none,zlib
> | debug2: kex_parse_kexinit: none,zlib
> | debug2: kex_parse_kexinit: 
> | debug2: kex_parse_kexinit: 
> | debug2: kex_parse_kexinit: first_kex_follows 0
> | debug2: kex_parse_kexinit: reserved 0
> | debug2: mac_init: found hmac-md5
> | debug1: kex: client->server aes128-cbc hmac-md5 none
> | debug2: mac_init: found hmac-md5
> | debug1: kex: server->client aes128-cbc hmac-md5 none
> | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> | debug2: monitor_read: 0 used once, disabling now
> | debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> | debug2: dh_gen_key: priv key bits set: 122/256
> | debug2: bits set: 512/1024
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> | debug2: bits set: 517/1024
> | debug2: monitor_read: 4 used once, disabling now
> | debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> | debug2: kex_derive_keys
> | debug2: set_newkeys: mode 1
> | debug1: SSH2_MSG_NEWKEYS sent
> | debug1: expecting SSH2_MSG_NEWKEYS
> | debug2: set_newkeys: mode 0
> | debug1: SSH2_MSG_NEWKEYS received
> | debug1: KEX done
> | debug1: userauth-request for user knauel service ssh-connection method none
> | debug1: attempt 0 failures 0
> | debug2: monitor_read: 6 used once, disabling now
> | debug2: input_userauth_request: setting up authctxt for knauel
> | debug2: input_userauth_request: try method none
> | debug2: monitor_read: 3 used once, disabling now
> | Failed none for knauel from 134.2.12.76 port 49992 ssh2
> | Failed none for knauel from 134.2.12.76 port 49992 ssh2
> | debug1: userauth-request for user knauel service ssh-connection method gssapi-with-mic
> | debug1: attempt 1 failures 1
> | debug2: input_userauth_request: try method gssapi-with-mic
> | Postponed gssapi-with-mic for knauel from 134.2.12.76 port 49992 ssh2
> | debug1: Got no client credentials
> | [ Ends here, hangs forever ]
> `----
> 
> Here, it's claiming that sshd has received no credentials, which is
> what I don't understand.
> 
> When I ssh from the OS X machine midgard (which uses MIT Kerberos +
> krbafs 1.2) to itself, delegating credentials seems to work fine:
> 
> ,----
> | [...]
> | debug1: userauth-request for user knauel service ssh-connection method none
> | debug1: attempt 0 failures 0
> | debug2: monitor_read: 6 used once, disabling now
> | debug2: input_userauth_request: setting up authctxt for knauel
> | debug2: input_userauth_request: try method none
> | debug2: monitor_read: 3 used once, disabling now
> | Failed none for knauel from 134.2.12.82 port 52578 ssh2
> | Failed none for knauel from 134.2.12.82 port 52578 ssh2
> | debug1: userauth-request for user knauel service ssh-connection method gssapi-with-mic
> | debug1: attempt 1 failures 1
> | debug2: input_userauth_request: try method gssapi-with-mic
> | Postponed gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
> | debug1: Received some client credentials
> | Authorized to knauel, krb5 principal [EMAIL PROTECTED] (krb5_kuserok)
> | Accepted gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
> | debug1: monitor_child_preauth: knauel has been authenticated by privileged process
> | Accepted gssapi-with-mic for knauel from 134.2.12.82 port 52578 ssh2
> | debug2: mac_init: found hmac-md5
> | debug2: mac_init: found hmac-md5
> | debug2: User child is on pid 15835
> | debug1: permanently_set_uid: 5324/3010
> | debug2: set_newkeys: mode 0
> | debug2: set_newkeys: mode 1
> | debug1: Entering interactive session for SSH2.
> | [...]
> `----
> 
> The other end:
> 
> ,----
> | [EMAIL PROTECTED] ~] klist -f
> | Kerberos 5 ticket cache: 'API:Initial default ccache'
> | Default Principal: [EMAIL PROTECTED]
> | Valid Starting     Expires            Service Principal
> | 04/29/04 15:47:46  04/30/04 01:47:46  krbtgt/[EMAIL PROTECTED]
> |         renew until 05/06/04 15:47:46, FPRI
> | 04/29/04 15:47:56  04/30/04 01:47:46  [EMAIL PROTECTED]
> |         renew until 05/06/04 15:47:46, FPRT
> | 04/29/04 15:48:05  04/30/04 01:47:46  host/[EMAIL PROTECTED]
> |         renew until 05/06/04 15:47:46, FPRT
> | 
> | [EMAIL PROTECTED] ~] ssh -v midgard
> | OpenSSH_3.8.1p1, OpenSSL 0.9.7b 10 Apr 2003
> | debug1: Reading configuration data /etc/openssh/ssh_config
> | debug1: Connecting to midgard [134.2.12.82] port 22.
> | debug1: Connection established.
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/identity type 0
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_rsa type -1
> | debug1: identity file /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/id_dsa type 2
> | debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
> | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
> | debug1: Enabling compatibility mode for protocol 2.0
> | debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
> | debug1: SSH2_MSG_KEXINIT sent
> | debug1: SSH2_MSG_KEXINIT received
> | debug1: kex: server->client aes128-cbc hmac-md5 none
> | debug1: kex: client->server aes128-cbc hmac-md5 none
> | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> | debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> | debug1: Host 'midgard' is known and matches the RSA host key.
> | debug1: Found key in /afs/informatik.uni-tuebingen.de/home/knauel/.ssh/known_hosts:191
> | debug1: ssh_rsa_verify: signature correct
> | debug1: SSH2_MSG_NEWKEYS sent
> | debug1: expecting SSH2_MSG_NEWKEYS
> | debug1: SSH2_MSG_NEWKEYS received
> | debug1: SSH2_MSG_SERVICE_REQUEST sent
> | debug1: SSH2_MSG_SERVICE_ACCEPT received
> | debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
> | debug1: Next authentication method: gssapi-with-mic
> | debug1: Delegating credentials
> | debug1: Delegating credentials
> | debug1: Authentication succeeded (gssapi-with-mic).
> | debug1: channel 0: new [client-session]
> | debug1: Entering interactive session.
> `----
> 
> Any ideas why this is not working?
> 
> -Eric
> -- 
> "Excuse me --- Di Du Du Duuuuh Di Dii --- Huh Weeeheeee" (Albert King)
> 
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
-- 

Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
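The check Douglas points at is the only one that matters for GSSAPIDelegateCredentials: sshd can only receive delegated credentials if the client's TGT carries the forwardable flag. In the thread, the OS X (MIT) `klist -f` output shows that flag as the `F` in `FPRI`, while the FreeBSD (Heimdal) `klist` output was run without a flag option and shows no flags at all, so it does not answer the question either way. The script below is an added example, not code from this thread or from MIT/Heimdal Kerberos; it parses both layouts seen above, reports the TGT's flags, and distinguishes "not forwardable" from "flags not shown". The cache dumps embedded in it are constructed; the flag letters follow the MIT `klist` legend; Heimdal's own flag column (its `klist -f`) is not handled and is an assumption left to the reader.

```python
"""Decide from a klist dump whether GSSAPI credential delegation can work.
Added example for this thread; sample dumps are constructed."""
import re
from typing import Dict, List, Optional

# MIT 'klist -f' flag letters. Heimdal's plain 'klist' prints no flag column,
# which is why the Heimdal-style dump below yields "unknown", not False.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated",
    "R": "renewable", "I": "initial", "i": "invalid",
    "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# A ticket line is "<start> <expires> <service principal>"; a timestamp is
# either MIT "04/29/04 15:47:46" or Heimdal "Apr 29 15:48:59".
_STAMP = r"(?:\d\S* \S+|[A-Z][a-z]{2} +\d+ \S+)"
TICKET_RE = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)\s*$")
# Indented continuation carrying the flag letters, e.g.
# "\trenew until 05/06/04 15:47:46, FPRI" or "\tFlags: FPRIA" (newer MIT).
FLAGS_RE = re.compile(r"(?:,\s*|^\s*)(?:Flags:\s*)?([A-Za-z]+)\s*$")

SAMPLE_MIT = (  # constructed, in the layout of the OS X 'klist -f' above
    "Kerberos 5 ticket cache: 'API:Initial default ccache'\n"
    "Default Principal: user@EXAMPLE.ORG\n"
    "\n"
    "Valid Starting     Expires            Service Principal\n"
    "04/29/04 15:47:46  04/30/04 01:47:46  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG\n"
    "\trenew until 05/06/04 15:47:46, FPRI\n"
    "04/29/04 15:48:05  04/30/04 01:47:46  host/midgard.example.org@EXAMPLE.ORG\n"
    "\trenew until 05/06/04 15:47:46, FPRT\n"
)
SAMPLE_MIT_NOT_FWD = SAMPLE_MIT.replace(", FPRI", ", PRI")  # constructed: no F
SAMPLE_HEIMDAL = (  # constructed, in the layout of the FreeBSD 'klist' above
    "Credentials cache: FILE:/tmp/krb5cc_XXXXXX\n"
    "Principal: user@EXAMPLE.ORG\n"
    "\n"
    "  Issued           Expires          Principal\n"
    "Apr 29 15:48:59  Apr 30 16:48:59  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG\n"
)


def parse_klist(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per ticket; 'flags' is None when the dump shows none."""
    entries: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            entries.append({"start": m.group(1), "expires": m.group(2),
                            "principal": m.group(3), "flags": None})
        elif entries and line[:1].isspace():
            # Only an indented line after a ticket can carry that ticket's flags.
            fm = FLAGS_RE.search(line)
            if fm:
                entries[-1]["flags"] = fm.group(1)
    return entries


def explain_flags(flags: str) -> List[str]:
    """Expand MIT flag letters into names, e.g. 'FPRI' -> forwardable, ..."""
    return [FLAG_NAMES.get(c, f"unknown({c})") for c in flags]


def tgt_forwardable(text: str) -> Optional[bool]:
    """True/False for the TGT's F flag; None if there is no TGT or the dump
    carries no flag column (re-run klist with -f)."""
    for entry in parse_klist(text):
        principal = entry["principal"] or ""
        if principal.startswith("krbtgt/"):
            flags = entry["flags"]
            return None if flags is None else "F" in flags
    return None


def delegation_report(text: str) -> str:
    """One-line verdict on whether GSSAPIDelegateCredentials can succeed."""
    verdict = tgt_forwardable(text)
    if verdict is None:
        return "unknown: no TGT or no flag column; run klist -f"
    if verdict:
        return "ok: TGT is forwardable, delegation can proceed"
    return "fail: TGT lacks the F flag; re-obtain it with kinit -f"


if __name__ == "__main__":
    for name, dump in (("mit", SAMPLE_MIT), ("mit-not-fwd", SAMPLE_MIT_NOT_FWD),
                       ("heimdal", SAMPLE_HEIMDAL)):
        print(f"{name:12s} {delegation_report(dump)}")
```

Run against a live cache with `klist -f | python3 check_tgt.py`-style piping after replacing the constructed samples with `sys.stdin.read()`; the three-way result (ok / fail / unknown) is deliberate, because a dump without a flag column, like the Heimdal one in the thread, proves nothing about forwardability.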
