[Freeipa-users] trouble with trusts and gssapi
I am trying to ssh from Windows to the IPA server using GSS-API. I've tried PuTTY, which provides very little debug output. I then downloaded SecureCRT, which provides more output. On the server side, I just see postponed gss-with-mic and then a failure message. I'm attaching the output from SecureCRT. Any help would be greatly appreciated.

Thanks,
Brian

Attached SecureCRT trace:

[LOCAL] : SSH2Core version 7.0.0.480
[LOCAL] : Connecting to ipa1.ipa.test:22 ...
SecureCRT - Version 7.0.3 (x64 build 480)
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_5.3'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP : Remote correctly handles z...@openssh.com
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : h...@ipa1.ipa.test
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : h...@ipa1.ipa.test
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none,z...@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,z...@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV : KEXDH_REPLY
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS
[LOCAL] : RECV: Remote Hostkey: 24:d9:bd:d0:4b:86:73:04:d5:b0:06:66:b4:08:7d:e1
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password]
[LOCAL] : GSS SPN : h...@ipa1.ipa.test
[LOCAL] : [SSPI/1.2.840.113554.1.2.2] : This mechanism might work.
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
[LOCAL] : [SSPI/1.2.840.113554.1.2.2] : Using this mechanism.
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : SENT : USERAUTH_GSSAPI_TOKEN [3154 bytes]
[LOCAL] : GSS : The delegation request succeeded.
[LOCAL] : SENT : SSH_MSG_USERAUTH_GSSAPI_MIC
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password]
[LOCAL] : SEND:
Re: [Freeipa-users] trouble with trusts and gssapi
More info - attached /var/log/secure and sshd_config. Password authentication works; just GSSAPI fails. In the SecureCRT trace provided, I have disabled password auth as an option.

Attached sshd_config:

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIStrictAcceptorCheck no
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of PermitRootLogin without-password.
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#UseDNS no

#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

Attached /var/log/secure excerpt:

Feb 18 16:02:49 ipa1 sshd[20787]: debug3: Wrote 48 bytes for a total of 117405
Feb 18 16:02:54 ipa1 sshd[20432]: debug3: fd 5 is not O_NONBLOCK
Feb 18 16:02:54 ipa1 sshd[20432]: debug1: Forked child 21047.
Feb 18 16:02:54 ipa1 sshd[20432]: debug3: send_rexec_state: entering fd = 8 config len 608
Feb 18 16:02:54 ipa1 sshd[20432]: debug3: ssh_msg_send: type 0
Feb 18 16:02:54 ipa1 sshd[20432]: debug3: send_rexec_state: done
Feb 18 16:02:54 ipa1 sshd[21047]: debug3: oom_adjust_restore
Feb 18 16:02:54 ipa1 sshd[21047]: Set /proc/self/oom_score_adj to 0
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: inetd sockets after dupping: 3, 3
Feb 18 16:02:54 ipa1 sshd[21047]: Connection from 10.3.77.43 port 63036
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: Client protocol version 2.0; client software version SecureCRT_7.0.3 (x64 build 480) SecureCRT
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: no match: SecureCRT_7.0.3 (x64 build 480) SecureCRT
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: Enabling compatibility mode for protocol 2.0
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Feb 18 16:02:54 ipa1 sshd[21047]: debug2: fd 3 setting O_NONBLOCK
Feb 18 16:02:54 ipa1 sshd[21047]: debug2: Network child is on pid 21048
Feb 18 16:02:54 ipa1 sshd[21047]: debug3: preauth child monitor started
Feb 18 16:02:54 ipa1 sshd[21047]: debug3: mm_request_receive entering
Feb 18 16:02:54 ipa1 sshd[21048]: debug3:
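One way to read a pasted sshd_config like the one above the way sshd itself does (comments ignored, first value of a keyword wins, Match blocks conditional) and report which GSSAPI-related settings are explicit versus defaulted. This is an added example, not code from the thread or from FreeIPA or OpenSSH; SAMPLE_CONFIG is a constructed excerpt of the posted file and DEFAULTS are the values documented in sshd_config(5).

```python
"""Effective GSSAPI-related settings from a pasted sshd_config (added example).

sshd_config(5) rules applied: '#' starts a comment, keywords are case-insensitive,
the FIRST uncommented value of a keyword wins, and directives after a 'Match'
line are conditional (skipped here). Defaults are those documented in sshd_config(5).
"""
import re

# Documented defaults for the keywords that matter for gssapi-with-mic.
DEFAULTS = {
    "gssapiauthentication": "no",
    "gssapicleanupcredentials": "yes",
    "gssapistrictacceptorcheck": "yes",
    "kerberosauthentication": "no",
    "passwordauthentication": "yes",
    "usepam": "no",
}

# Constructed excerpt of the sshd_config posted in the thread.
SAMPLE_CONFIG = """\
PasswordAuthentication yes
KerberosAuthentication yes
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck no
UsePAM yes
"""

def parse_sshd_config(text):
    """Return {keyword: first value} for global directives (Match blocks skipped)."""
    first = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key val' or 'Key=val'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after a Match line is conditional
        first.setdefault(key, value)  # first obtained value wins
    return first

def effective_settings(text):
    """Map each GSSAPI-relevant keyword to (value, 'config' or 'default')."""
    found = parse_sshd_config(text)
    return {k: (found[k], "config") if k in found else (v, "default")
            for k, v in DEFAULTS.items()}
```

Running effective_settings over the full posted file shows GSSAPIStrictAcceptorCheck falling back to its default because both of its lines are commented out.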