Jason.C.Burns at wellsfargo.com
2005-Nov-03 23:59 UTC
Question about GSSAPI with OpenSSH 4.2p1
Hey all, perhaps someone might be able to shed a little light on this problem. Nothing I find in books and groups seems to address the problem. I'm trying to set up a series of connections with ssh that authenticate through GSSAPI. However, it seems that the credentials are not getting passed.

From the client..

debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive

So we can see that the client is configured to send the tickets across...

From the Server...

debug1: userauth-request for user <user>/<domain> service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Postponed gssapi-with-mic for <user>/<domain> from xxxx port x ssh2
debug1: Got no client credentials
Failed gssapi-with-mic for <user>/<domain> from xxxxx port x ssh2
debug1: userauth-request for user <user>/<domain> service ssh-connection method keyboard-interactive

What does 'Got no client credentials' mean? The client is sending them, so where do they go?

Checking the ticket cache on the client...

# klist
Credentials cache: FILE:/tmp/krb5cc_xxx
Principal: <user>/<domain>@<realm>

Issued           Expires          Principal
Nov  3 17:36:40  Nov  4 03:36:40  krbtgt/domain at realm
Nov  3 17:37:52  Nov  4 03:36:40  host/<machine>@<realm>

So it's even getting the ticket for the machine it is trying to go to using the tgt from the kinit.

Any ideas? I'm starting to bang my head against the wall here.

Thanks!
Jason
* Jason.C.Burns at wellsfargo.com [2005-11-03 17:59:34 -0600]:
> Hey all, perhaps someone might be able to shed a little light on this
> problem. Nothing I find in books and groups seem to address the
> problem. I'm trying to set up a series of connections with ssh that
> authenticate through GSSAPI. However, it seems that the credentials are
> not getting passed.
[...]
> debug1: Got no client credentials
[...]
> What does 'Got no client credentials' mean? The client is sending them,
> so where do they go?

Are you sure that the client is actually sending them? The credential delegation is buried inside the GSSAPI library; all the OpenSSH code does is set the "delegate" flag when initialising the security context. If the library is unable to honour that flag, for example because the TGT is not forwardable, then no credential will be forwarded.

> Checking the ticket cache on the client...

Good idea, but...

> # klist
> Credentials cache: FILE:/tmp/krb5cc_xxx
> Principal: <user>/<domain>@<realm>
>
> Issued Expires Principal
> Nov 3 17:36:40 Nov 4 03:36:40 krbtgt/domain at realm

You need to inspect the ticket flags as well. "klist -f" usually shows them (at least in the versions of klist I'm familiar with).

> Nov 3 17:37:52 Nov 4 03:36:40 host/<machine>@<realm>
>
> So it's even getting the ticket for the machine it is trying to go to
> using the tgt from the kinit.

That's not a forwarded ticket, however. The forwarded ticket would not be stored in the client-side credentials cache (it isn't valid for the client's IP address, only for the server's). You can find out whether it is being issued by reading the KDC's logs or by examining the packets exchanged between the GSSAPI library (in the ssh client) and the KDC.

> Any ideas? I'm starting to bang my head against the wall here.

I'd guess that you forgot to ask for a forwardable TGT at kinit time.

There are other possibilities (e.g., a bug in your GSSAPI library; you didn't tell us which version you are using) but hopefully they don't apply to your case.
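A check for the forwardable flag the reply above points to, added here as an example and not part of the thread. It assumes the MIT Kerberos "klist -f" layout (an indented "Flags:" line under each ticket) and uses constructed sample output with placeholder principals and hosts:

```shell
#!/bin/sh
# Added example, not from the thread: checks whether the TGT in a Kerberos
# credentials cache carries the Forwardable (F) flag, which GSSAPI credential
# delegation in ssh depends on. Assumes the MIT Kerberos "klist -f" layout,
# where each ticket line is followed by an indented "Flags:" line.

# Two constructed "klist -f" outputs for offline use. In the first the TGT
# was obtained without -f (no F flag); in the second it was obtained with
# "kinit -f" (F present). Principals and hosts are placeholders.
KLIST_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.ORG

Valid starting     Expires            Service principal
11/03/05 17:36:40  11/04/05 03:36:40  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: IA
11/03/05 17:37:52  11/04/05 03:36:40  host/sshd.example.org@EXAMPLE.ORG
        Flags: A'

KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.ORG

Valid starting     Expires            Service principal
11/03/05 17:36:40  11/04/05 03:36:40  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: FIA'

# tgt_flags TEXT: print the flag letters attached to the krbtgt entry in
# klist -f output TEXT, or nothing if no TGT / no Flags line is found.
tgt_flags() {
    printf '%s\n' "$1" | awk '
        /^[^ \t].*krbtgt\//   { want = 1; next }          # the TGT line
        want && /Flags:/      { sub(/.*Flags:[ \t]*/, ""); print; exit }
        want && /^[^ \t]/     { exit }                    # next ticket, no Flags
    '
}

# tgt_is_forwardable TEXT: exit 0 if the TGT has the F (forwardable) flag.
# Lower-case f means "forwarded" and is deliberately not accepted.
tgt_is_forwardable() {
    case "$(tgt_flags "$1")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage against a live cache: tgt_is_forwardable "$(klist -f)" || echo "re-run kinit -f"
```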
An Ethereal trace on the client would show the Kerberos activity to the KDC and to the sshd.

Jason.C.Burns at wellsfargo.com wrote:
> [...]

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444