[Fwd: Re: ssh + kerberosV]
hi
I'm trying to set up Heimdal on openbsd-3.4-stable/i386. I have followed
`info heimdal` and the NetBSD doc
(http://www.netbsd.org/Documentation/network/#kerberos) to configure it;
kinit/klist work and I'm currently testing client auth.
I get a problem with ssh using a Kerberos ticket to log in.
My test is on a single host which has host/myhost.domain and
ssh/myhost.domain in the base and keytab.
thanks
Regards
Julien
-------- Original Message --------
Subject: Re: ssh + kerberosV
Date: Sat, 29 Nov 2003 21:18:36 +0100
From: Matthijs Mohlmann <matthijs@active2.homelinux.org>
To: OpenBSD Misc <misc@openbsd.org>
On Sat, 2003-11-29 at 20:45, Julien TOUCHE wrote:
> Matthijs Mohlmann wrote:
>
> >>debug3: mm_request_receive_expect entering: type 38
> >>debug3: mm_request_receive entering
> >>Postponed gssapi for touche from 192.168.2.5 port 24831 ssh2
> >>debug3: mm_request_send entering: type 39
> >>debug3: monitor_read: checking request 39
> >>debug1: Miscellaneous failure (see text)
> >>Decrypt integrity check failed
> >>
> >>debug1: Got no client credentials
> >
> >
> > Got no client credentials ...
> >
> > Do you have in /etc/ssh/ssh_config:
> > KerberosAuthentication yes
> > KerberosTGTPassing yes
> > GSSAPIAuthentication yes
> > GSSAPIDelegateCredentials yes
> >
> > ssh doesn't forward credentials by default.
> >
> no (they were not listed in default ssh_config so ...)
>
> but this doesn't change much for sshd log.
>
> ssh log contains:
>
> debug1: Authentications that can continue:
> publickey,gssapi,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,gssapi,password,keyboard-interactive
> debug3: preferred gssapi,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi
> debug1: Next authentication method: gssapi
> debug2: we sent a gssapi packet, wait for reply
> debug1: Delegating credentials
> debug1: Authentications that can continue:
> publickey,gssapi,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
>
> and when I check my ticket (same terminal as ssh)
> $ klist -f
> Credentials cache: FILE:/tmp/krb5cc_1000
> Principal: touche@VPN.WWW
>
> Issued Expires Flags Principal
> Nov 29 20:38:10 Nov 30 06:38:10 FI krbtgt/VPN.WWW@VPN.WWW
> Nov 29 20:38:27 Nov 30 06:38:10 host/etenemanki.vpn.www@VPN.WWW
>
> in kdc.log (most probably the kinit and then the ssh?):
>
Your klist looks OK. It's the same here.
I think you have to post on a Heimdal/MIT mailing list.
I'm through my options.
> 2003-11-29T20:37:18 sending 621 bytes to IPv4:192.168.2.5
> 2003-11-29T20:38:10 AS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for
> krbtgt/VPN.WWW@VPN.WWW
> 2003-11-29T20:38:10 Using des3-cbc-sha1/des3-cbc-sha1
> 2003-11-29T20:38:10 Requested flags: forwardable
> 2003-11-29T20:38:10 sending 560 bytes to IPv4:192.168.2.5
> 2003-11-29T20:38:27 TGS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for
> host/etenemanki.vpn.www@VPN.WWW
> 2003-11-29T20:38:27 sending 588 bytes to IPv4:192.168.2.5
> 2003-11-29T20:38:27 TGS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for
> krbtgt/VPN.WWW@VPN.WWW [forwarded, forwardable]
> 2003-11-29T20:38:27 sending 621 bytes to IPv4:192.168.2.5
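As an added example (not code from the thread or from Heimdal/OpenSSH), the script below automates the two checks the reply above turns on: whether an ssh_config fragment actually enables GSSAPIAuthentication and GSSAPIDelegateCredentials (the reply lists the Kerberos* options too, but the GSSAPI pair is what "Delegating credentials" depends on), and whether the `klist -f` listing shows a forwardable TGT (the F flag), since credentials can only be delegated from a forwardable ticket. All input is constructed inline and modelled on the listings in the thread; the realm and host names are placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: offline diagnosis of the two prerequisites for GSSAPI
# credential delegation discussed in the thread. Sample inputs are
# constructed here; nothing is read from the live system.

# Constructed ssh_config fragments: the shipped default (option commented
# out, so missing) and the one the reply suggests.
SSH_CONFIG_DEFAULT='Host *
#   GSSAPIAuthentication no
'
SSH_CONFIG_FIXED='Host *
    KerberosAuthentication yes
    KerberosTGTPassing yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
'

# Constructed `klist -f` listings modelled on the thread (placeholder realm).
# Heimdal columns: Issued (3 fields) Expires (3 fields) [Flags] Principal.
KLIST_FORWARDABLE='Credentials cache: FILE:/tmp/krb5cc_1000
Principal: user@EXAMPLE.REALM

  Issued           Expires          Flags  Principal
Nov 29 20:38:10  Nov 30 06:38:10  FI     krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
Nov 29 20:38:27  Nov 30 06:38:10         host/server.example.realm@EXAMPLE.REALM
'
KLIST_NOT_FORWARDABLE='Credentials cache: FILE:/tmp/krb5cc_1000
Principal: user@EXAMPLE.REALM

  Issued           Expires          Flags  Principal
Nov 29 20:38:10  Nov 30 06:38:10  I      krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
'

# ssh_config_has OPTION CONFIG_TEXT
# Prints the value of the first uncommented "Option value" line (lowercased),
# or "missing" when the option is absent or only present in a comment.
ssh_config_has() {
    opt=$1
    cfg=$2
    val=$(printf '%s\n' "$cfg" | awk -v o="$opt" '
        $1 !~ /^#/ && tolower($1) == tolower(o) { print tolower($2); exit }')
    if [ -z "$val" ]; then echo missing; else echo "$val"; fi
}

# gssapi_delegation_ready CONFIG_TEXT
# Exit 0 when both GSSAPI options are "yes", 1 otherwise.
gssapi_delegation_ready() {
    [ "$(ssh_config_has GSSAPIAuthentication "$1")" = yes ] &&
    [ "$(ssh_config_has GSSAPIDelegateCredentials "$1")" = yes ]
}

# tgt_flags KLIST_TEXT
# Prints the Flags column of the krbtgt/ line; empty when no flags are set
# (the line then has one field fewer).
tgt_flags() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// {
            if (NF >= 8) print $7; else print ""
            exit
        }'
}

# tgt_forwardable KLIST_TEXT
# Exit 0 when the TGT carries the F (forwardable) flag.
tgt_forwardable() {
    case "$(tgt_flags "$1")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# diagnose CONFIG_TEXT KLIST_TEXT
# Prints the first prerequisite that fails, or "ok".
diagnose() {
    if ! gssapi_delegation_ready "$1"; then
        echo "ssh_config: enable GSSAPIAuthentication and GSSAPIDelegateCredentials"
    elif ! tgt_forwardable "$2"; then
        echo "ticket: TGT is not forwardable; obtain a forwardable TGT before delegating"
    else
        echo ok
    fi
}

diagnose "$SSH_CONFIG_DEFAULT" "$KLIST_FORWARDABLE"
diagnose "$SSH_CONFIG_FIXED" "$KLIST_NOT_FORWARDABLE"
diagnose "$SSH_CONFIG_FIXED" "$KLIST_FORWARDABLE"
```

On a real host the same functions can be fed `cat /etc/ssh/ssh_config` and `klist -f` output instead of the constructed strings; the point of keeping the client-side checks separate from the server log is that "Got no client credentials" on sshd can be caused by either side, and the client half is the cheaper one to rule out first.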