[Freeipa-users] trouble with trusts and gssapi

2013-02-18 Thread Brian Cook
I am trying to ssh from Windows to the IPA server using GSS-API. I've tried 
PuTTY, which provides very little debug output. I then downloaded SecureCRT, which 
provides more output.

On the server side, I just see postponed gss-with-mic and then a failure 
message. I'm attaching the output from SecureCRT. Any help would be greatly 
appreciated.

Thanks,
Brian

[LOCAL] : SSH2Core version 7.0.0.480
[LOCAL] : Connecting to ipa1.ipa.test:22 ...
SecureCRT - Version 7.0.3 (x64 build 480)
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_5.3'
[LOCAL] : CAP  : Remote can re-key
[LOCAL] : CAP  : Remote sends language in password change requests
[LOCAL] : CAP  : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP  : Remote sends algorithm name in public key packets
[LOCAL] : CAP  : Remote sends algorithm name in signatures
[LOCAL] : CAP  : Remote sends error text in open failure packets
[LOCAL] : CAP  : Remote sends name in service accept packets
[LOCAL] : CAP  : Remote includes port number in x11 open packets
[LOCAL] : CAP  : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP  : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP  : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP  : Remote correctly encodes OID for gssapi
[LOCAL] : CAP  : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP  : Remote can do SFTP version 4
[LOCAL] : CAP  : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP  : Remote correctly handles z...@openssh.com
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : h...@ipa1.ipa.test
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : h...@ipa1.ipa.test
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none,z...@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,z...@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV : KEXDH_REPLY
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS
[LOCAL] : RECV: Remote Hostkey: 24:d9:bd:d0:4b:86:73:04:d5:b0:06:66:b4:08:7d:e1
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password]
[LOCAL] : GSS SPN : h...@ipa1.ipa.test
[LOCAL] : [SSPI/1.2.840.113554.1.2.2] : This mechanism might work.
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
[LOCAL] : [SSPI/1.2.840.113554.1.2.2] : Using this mechanism.
[LOCAL] : GSS  : Requesting full delegation
[LOCAL] : SENT : USERAUTH_GSSAPI_TOKEN [3154 bytes]
[LOCAL] : GSS  : The delegation request succeeded.
[LOCAL] : SENT : SSH_MSG_USERAUTH_GSSAPI_MIC
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password]
[LOCAL] : SEND:

Re: [Freeipa-users] trouble with trusts and gssapi

2013-02-18 Thread Brian Cook
More info: attached /var/log/secure and sshd_config.

Password authentication works; just GSSAPI fails. In the SecureCRT output provided, I 
have disabled password auth as an option.


# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIStrictAcceptorCheck no
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of PermitRootLogin without-password.
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#UseDNS no

#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
Feb 18 16:02:49 ipa1 sshd[20787]: debug3: Wrote 48 bytes for a total of 117405
Feb 18 16:02:54 ipa1 sshd[20432]: debug3: fd 5 is not O_NONBLOCK
Feb 18 16:02:54 ipa1 sshd[20432]: debug1: Forked child 21047.
Feb 18 16:02:54 ipa1 sshd[20432]: debug3: send_rexec_state: entering fd = 8 config len 608
Feb 18 16:02:54 ipa1 sshd[20432]: debug3: ssh_msg_send: type 0
Feb 18 16:02:54 ipa1 sshd[20432]: debug3: send_rexec_state: done
Feb 18 16:02:54 ipa1 sshd[21047]: debug3: oom_adjust_restore
Feb 18 16:02:54 ipa1 sshd[21047]: Set /proc/self/oom_score_adj to 0
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: inetd sockets after dupping: 3, 3
Feb 18 16:02:54 ipa1 sshd[21047]: Connection from 10.3.77.43 port 63036
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: Client protocol version 2.0; client software version SecureCRT_7.0.3 (x64 build 480) SecureCRT
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: no match: SecureCRT_7.0.3 (x64 build 480) SecureCRT
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: Enabling compatibility mode for protocol 2.0
Feb 18 16:02:54 ipa1 sshd[21047]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Feb 18 16:02:54 ipa1 sshd[21047]: debug2: fd 3 setting O_NONBLOCK
Feb 18 16:02:54 ipa1 sshd[21047]: debug2: Network child is on pid 21048
Feb 18 16:02:54 ipa1 sshd[21047]: debug3: preauth child monitor started
Feb 18 16:02:54 ipa1 sshd[21047]: debug3: mm_request_receive entering
Feb 18 16:02:54 ipa1 sshd[21048]: debug3:
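An added example, not code from the thread, OpenSSH, MIT krb5 or FreeIPA, of the check that runs at the point where the client log in the first message stops. In the gssapi-with-mic method of RFC 4462 the client's SSH_MSG_USERAUTH_GSSAPI_MIC is its last message: it is sent only once the GSS security context is complete, so a USERAUTH_FAILURE that follows it, as above, comes from the server either failing to verify that MIC or deciding that the authenticated principal may not log in as the requested user. With MIT Kerberos that second decision is krb5_kuserok(): if the target account has a ~/.k5login, the principal must be listed in it; otherwise the principal must map to the login name through the auth_to_local rules of the default realm in krb5.conf, and the built-in DEFAULT rule maps only single-component principals of the host's own realm, never one from a trusted AD realm. The posted sshd_config leaves KerberosUseKuserok at its default, so sshd's GSSAPI user check goes through that function. The model below re-implements the decision so the effect of .k5login entries and auth_to_local rules on a cross-realm principal can be tried offline; the function names kuserok, aname_to_localname and apply_auth_to_local only echo the krb5 API they model, and the realms IPA.TEST and AD.TEST, the user alice and the rules are constructed for illustration, not taken from the thread.

```python
"""Model of the user-authorization step sshd runs after a completed
gssapi-with-mic exchange.  Added example for this thread, not code from
OpenSSH, MIT krb5 or FreeIPA: it re-implements the decision made by
krb5_kuserok() so the effect of ~/.k5login entries and krb5.conf
auth_to_local rules on a cross-realm (trusted AD) principal can be tried
offline.  Realms IPA.TEST and AD.TEST, user alice and the rules are
constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Krb5Config:
    """The parts of krb5.conf that matter here: the host's default realm and
    the auth_to_local list under that realm in [realms].  MIT applies those
    rules to principals of every realm; with none configured the behaviour
    is the single DEFAULT rule."""
    default_realm: str
    auth_to_local: List[str] = field(default_factory=lambda: ["DEFAULT"])


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'user/instance@REALM' -> (['user', 'instance'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal without realm: {principal!r}")
    return name.split("/"), realm


# RULE:[n:selector](regex)s/pattern/replacement/g ...  (regex and s/// optional)
_RULE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)")
_SUB = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def apply_auth_to_local(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Evaluate one auth_to_local entry; return the local name, or None when
    the rule does not apply.  DEFAULT maps a one-component principal of the
    default realm to its name.  RULE builds the selector string ($0 = realm,
    $1..$n = components, only for principals with exactly n components),
    requires the optional regex to match that whole string (as MIT does),
    then applies each sed-style s/// in turn.  Regexes that themselves
    contain ')' are not handled by this small parser."""
    components, realm = split_principal(principal)
    if rule == "DEFAULT":
        return components[0] if realm == default_realm and len(components) == 1 else None
    m = _RULE.fullmatch(rule)
    if m is None:
        raise ValueError(f"unsupported auth_to_local entry: {rule!r}")
    ncomp, selector, regex, subs = m.groups()
    if int(ncomp) != len(components):
        return None
    selected = selector.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        selected = selected.replace(f"${i}", comp)
    if regex is not None and re.fullmatch(regex, selected) is None:
        return None
    for pattern, repl, g in _SUB.findall(subs):
        selected = re.sub(pattern, repl, selected, count=0 if g else 1)
    return selected


def aname_to_localname(cfg: Krb5Config, principal: str) -> Optional[str]:
    """First rule that yields a name wins, as in krb5_aname_to_localname()."""
    for rule in cfg.auth_to_local:
        lname = apply_auth_to_local(rule, principal, cfg.default_realm)
        if lname is not None:
            return lname
    return None


def kuserok(cfg: Krb5Config, principal: str, login: str,
            k5login: Optional[List[str]] = None) -> bool:
    """krb5_kuserok() decision: with a ~/.k5login present (passed here as its
    lines) only a principal listed there is accepted, whatever the rules say;
    without one, the principal must map to exactly the requested login name."""
    if k5login is not None:
        return principal in k5login
    return aname_to_localname(cfg, principal) == login


if __name__ == "__main__":
    default_only = Krb5Config("IPA.TEST")
    with_ad_rule = Krb5Config("IPA.TEST", [
        r"RULE:[1:$1@$0](^.*@AD\.TEST$)s/@AD\.TEST/@ad.test/",
        "DEFAULT",
    ])
    cases = [  # (authenticated principal, requested login, config, .k5login lines)
        ("alice@IPA.TEST", "alice", default_only, None),
        ("alice@AD.TEST", "alice", default_only, None),
        ("alice@AD.TEST", "alice@ad.test", with_ad_rule, None),
        ("alice@AD.TEST", "alice", default_only, ["alice@AD.TEST"]),
        ("host/ipa1.ipa.test@IPA.TEST", "host", default_only, None),
    ]
    for princ, login, cfg, k5 in cases:
        print(f"{princ:30} as {login:15} .k5login={k5!s:20} -> {kuserok(cfg, princ, login, k5)}")
```

Run stand-alone it prints one decision per case: the cross-realm principal alice@AD.TEST is refused for login alice with only DEFAULT in force, accepted for login alice@ad.test once a RULE rewrites the realm suffix, and accepted for alice when that account's ~/.k5login names the principal. The real krb5_kuserok() parses .k5login lines as principals and, on an IPA client, may also defer to SSSD's mapping; neither is modelled here.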