[Bug 675448] Re: ssh does not authenticate against kerberos

2011-04-28 Thread Thomas Schweikle
There was a fix for some other ssh related bug, but this fix seems to
have fixed this bug too.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/675448

Title:
  ssh does not authenticate against kerberos

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 675448] Re: ssh does not authenticate against kerberos

2011-01-25 Thread Launchpad Bug Tracker
[Expired for openssh (Ubuntu) because there has been no activity for 60
days.]

** Changed in: openssh (Ubuntu)
   Status: Incomplete => Expired



[Bug 675448] Re: ssh does not authenticate against kerberos

2010-11-26 Thread Thomas Schweikle
After fixing gss_init_sec_context by installing the latest available
gss-libraries, the problem is mostly gone.

The remaining problem:

ssh -l tu auth - password asked
ssh -l tu auth.local - no password asked

is quite annoying. Digging further down into it.



[Bug 675448] Re: ssh does not authenticate against kerberos

2010-11-26 Thread Thomas Schweikle
The remaining problem is with ssh: the client does not, regardless of
setting GSSAPITrustDNS to yes or no, correctly canonicalize the
given hostname.



[Bug 675448] Re: ssh does not authenticate against kerberos

2010-11-26 Thread Thomas Schweikle
Conclusion:

the handbook shall state:

1. make sure your DNS configuration is correct. It is enough to test on *all* clients:
  - host fqdn
  - host shortname (without domain)
  - host ipaddr
  should give you the same address and name!

2. make sure your localhost is correct
  - host localhost
  - host 127.0.0.1
  should give you the same address and name!

3. make sure you entered the fqdn when creating credentials.

4. make sure you entered the fqdn when exporting keys.

5. while it is recommended to create one key table per service, not all
services are configurable where they look for this key table. Some
assume /etc/krb5.keytab blindly. You'll have to export keys into this
one file for these.

6. make sure all parts of kerberos are up to date.


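The DNS checks from step 1 of the conclusion above, which also catch the short-name canonicalization problem reported earlier in the thread, as an added example that is not part of the original messages. The function names, the RESOLVER hook and the sample_hosts table are assumptions made for this sketch; the sample data is constructed from the addresses quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the bug thread. RESOLVER is a hypothetical hook: any
# command that prints "address canonical-name [aliases]" like `getent hosts`.
: "${RESOLVER:=getent hosts}"

addr()  { $RESOLVER "$1" | awk 'NR==1 { print $1 }'; }            # first address
canon() { $RESOLVER "$1" | awk 'NR==1 { print tolower($2) }'; }   # canonical name

# check_host FQDN: the FQDN, the short name and the address must all resolve
# to the same address and the same canonical name (step 1 of the checklist).
check_host() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    short=${fqdn%%.*}
    ip=$(addr "$fqdn")
    [ -n "$ip" ] || { echo "FAIL $fqdn: no address"; return 1; }
    rc=0
    for q in "$fqdn" "$short" "$ip"; do
        a=$(addr "$q"); n=$(canon "$q")
        if [ "$a" != "$ip" ] || [ "$n" != "$fqdn" ]; then
            echo "FAIL $q -> ${a:-?} ${n:-?} (expected $ip $fqdn)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK $fqdn $ip"
    return "$rc"
}

# Constructed sample data in `getent hosts` format, for an offline run with
# RESOLVER=sample_hosts: auth.local is consistent, kvm-test.local lacks its
# short name, so a Kerberos client given "kvm-test" cannot canonicalize it.
sample_hosts() {
    awk -v q="$1" '{ for (i = 1; i <= NF; i++) if ($i == q) { print; exit } }' <<'EOF'
192.168.1.25 auth.local auth
192.168.1.24 kvm-test.local
EOF
}

# Check every host named on the command line against the real resolver.
for h in "$@"; do check_host "$h" || true; done
```

Run it on every client with the FQDN of each Kerberized server as arguments; a FAIL line for the short name or the address points at the kind of mismatch that makes the client request a ticket for the wrong host principal.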

[Bug 675448] Re: ssh does not authenticate against kerberos

2010-11-26 Thread Thomas Schweikle
7. This goes out to the maintainer of the package: make the
configuration as minimal as possible. No stuff not necessary (except
comments). No useless entries. This is especially true for
/etc/krb5.conf! It isn't helpful at all having a bloated configuration
if you're looking for something like kerberos getting it to work.

Some useful configuration could be:

- snipp -
[libdefaults]
default_realm = LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
LOCAL = {
kdc = auth.local
admin_server = auth.local
}

[domain_realm]
.local = LOCAL
local = LOCAL

[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
default = FILE:/var/log/kerberos/krb5lib.log
- snapp -

The domain could be derived from the computers domain while installing.
The realm could be the uppercase of this domain.

The original file is, in my humble opinion, worth installing into
/usr/share/doc/krb5-config (or the like).



[Bug 675448] Re: ssh does not authenticate against kerberos

2010-11-25 Thread Thomas Schweikle
The error seems to be related to gss_init_sec_context. All hosts that
do not authenticate successfully against krb5 break after Calling
gss_init_sec_context, while Delegating credentials. At this moment
the connection is closed.

This affects all tools using GSSAPI. I do not think this is a bug with
priority low. It is something that has to be fixed --- it renders
Ubuntu unusable in enterprise environments!

** Attachment added: Working host.
   
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/675448/+attachment/1745368/+files/auth.log



[Bug 675448] Re: ssh does not authenticate against kerberos

2010-11-25 Thread Thomas Schweikle

** Attachment added: Not working host.
   
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/675448/+attachment/1745370/+files/bacula.log



[Bug 675448] Re: ssh does not authenticate against kerberos

2010-11-17 Thread Thomas Schweikle
First of all, because it makes me angry: WHERE IS A WAY IN LAUNCHPAD TO
ACCESS BUGS REPORTED BY ME WITHOUT KNOWING THE BUG
ID??? Seems missing, was there. I'd really like to
have it back! Launchpad is nonsense if I can't access bug reports
without knowledge of the URL.

OK. Maybe someone notices it this way!


I've changed setup slightly to make it more convenient with DNS:

192.168.1.24 kvm-test
192.168.1.25 auth
192.168.1.26 UB0001

all names are resolved:
! UB0001:~% host kvm-test
! kvm-test.local has address 192.168.1.24
! UB0001:~% host ub0001
! ub0001.local has address 192.168.1.26
! UB0001:~% host auth
! auth.local has address 192.168.1.25

Principals are created:
! host/ub0001.lo...@xompu.de
! host/auth.lo...@xompu.de
! host/kvm-test.lo...@xompu.de

Keytab is updated. I've used
! ank -randkey host/kvm-test
! ktadd -k /tmp/krb5.keytab -norandkey host/kvm-test

The generated file /tmp/krb5.keytab was copied to the machine in question.
All fine so far. Logging in to kvm-test succeeds with the krb5-password:
! Linux kvm-test 2.6.35-22-server #35-Ubuntu SMP
! Sat Oct 16 22:02:33 UTC 2010 x86_64 GNU/Linux Ubuntu 10.10
!
! Welcome to the Ubuntu Server!
! * Documentation:  http://www.ubuntu.com/server/doc
! Last login: Wed Nov 17 12:38:53 2010 from ub0001.local
! t...@kvm-test:~$ klist
! Ticket cache: FILE:/tmp/krb5cc_2023_AM9554
! Default principal: t...@local
!
! Valid starting     Expires            Service principal
! 11/17/10 12:46:29  11/17/10 22:46:29  krbtgt/lo...@local
!   renew until 11/18/10 12:46:19

Now since I've got a ticket I might login to auth or ub0001 without
authenticating again:
! t...@kvm-test:~$ ssh ub0001
! t...@ub0001's password: 

No? Didn't I receive a tgt from the krb5-server?
! t...@kvm-test:~$ klist
! Ticket cache: FILE:/tmp/krb5cc_2023_AM9554
! Default principal: t...@local
!
! Valid starting     Expires            Service principal
! 11/17/10 12:46:29  11/17/10 22:46:29  krbtgt/lo...@local
!   renew until 11/18/10 12:46:19

I did. Not working? OK. Trying rsh.
! UB0001:~% rsh -x kvm-test
! UB0001:~% 

Fails without notice. Looks like something is really going wrong. Trying the
auth-server all alone:
! UB0001:~% ssh auth
! t...@auth's password: 
! Linux auth 2.6.32-25-server #45-Ubuntu SMP
!  Sat Oct 16 20:06:58 UTC 2010 x86_64 GNU/Linux Ubuntu 10.04.1 LTS
!
! Welcome to the Ubuntu Server!
! * Documentation:  http://www.ubuntu.com/server/doc
!
! Last login: Wed Nov 17 12:41:30 2010 from ub0001.xompu.de
! t...@auth:~$ klist
! Ticket cache: FILE:/tmp/krb5cc_1000_mB3672
! Default principal: t...@local
!
! Valid starting     Expires            Service principal
! 11/17/10 12:56:52  11/17/10 22:56:52  krbtgt/lo...@local
!   renew until 11/18/10 12:56:52

Looks OK. Now from self to self:
! t...@auth:~$ ssh auth
! t...@auth's password: 

The same for rsh, telnet, ... all want, if not failing silently, the
password for the user.



[Bug 675448] Re: ssh does not authenticate against kerberos

2010-11-16 Thread Mathias Gug
According to the log file:

keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied

Is there a principal created for 192.168.1.111?

I don't think that using IP addresses is the best option for kerberos.

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Low

** Changed in: openssh (Ubuntu)
   Status: New => Incomplete
