Matthias Gerstner
2005-Nov-27 16:53 UTC
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Greetings,

I'm working on the infrastructure of a medium size client/server
environment using an Active Directory running on Windows Server 2003 for
central authentication of users on linux clients.
Additionally OpenAFS is running using Kerberos authentication through
Active Directory as well.

Now I want to grant users remote access to their AFS data by logging in
to a central OpenSSH server running on linux.

As authentication at the Active Directory works well when logging in
locally on the linux clients using PAM I wanted to use PAM also for the
SSH access.

Unfortunately I've run into problems trying to get the OpenSSH setup
running. I have tried OpenSSH PAM support and OpenSSH's internal
kerberos support. But both result in errors.

When using PAM authentication (using the same PAM stack we're using for
local authentication on the clients that works with pam_krb5.so) I can
successfully login on the OpenSSH server but don't get the Kerberos5
ticket written to /tmp/krb5cc_[...]. The following error is written to
the logs:

--
-bash: GSSAPI Error: Miscellaneous failure (No Credentials cache found)
--

Also the variable KRB5CCNAME isn't defined. I've investigated this
problem already on the net and tried different setups and approaches but
to no avail. I need the kerberos5 ticket for use of OpenAFS.

When trying internal Kerberos support of OpenSSH I can't login at all
while getting the following error messages in the log:

--
GSSAPI Error: Miscellaneous failure (Credentials cache permission incorrect)
Failed password for <user> from <ip> port <port> ssh2
--

I had a look at the responsible source code in auth-krb5.c. By doing
some debugging there I found out that the following code fragment fails:

auth-krb5.c:137
---
if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
    authctxt->pw->pw_name)) {
        problem = -1;
        goto out;
}
---

When I comment out this if-block then I can login using OpenSSH's
internal kerberos support and even get my kerberos5 ticket and KRB5CCNAME.

I'm not that involved in kerberos on the coding side. What does the
krb5_kuserok method do exactly? Why could it fail? Is it critical to
comment it out?

I'd be happy if somebody had a solution or some advice for me. The best
would be to get PAM authentication to correctly write the kerberos
ticket to file.

Oh, and here is some more data about my OpenSSH server system:

It's running on Gentoo Linux using

- OpenSSH 4.2_p1 with kerberos, ldap and pam support enabled
- mit-krb5-1.4.1-r2 with krb4 support enabled
- pam_krb5-1.0-r1
- pam-0.78-r3

Thanks in advance for your support,

Matthias Gerstner
--
Matthias.Gerstner at nefkom.net
Darren Tucker
2005-Nov-28 06:48 UTC
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
On Sun, Nov 27, 2005 at 05:53:12PM +0100, Matthias Gerstner wrote:
> I'm working on the infrastructure of a medium size client/server
> environment using an Active Directory running on Windows Server 2003 for
> central authentication of users on linux clients.
> Additionally OpenAFS is running using Kerberos authentication through
> Active Directory as well.
>
> Now I want to grant users remote access to their AFS data by logging in
> to a central OpenSSH server running on linux.
>
> As authentication at the Active Directory works well when logging in
> locally on the linux clients using PAM I wanted to use PAM also for the
> SSH access.
>
> Unfortunately I've run into problems trying to get the OpenSSH setup
> running. I have tried OpenSSH PAM support and OpenSSH's internal
> kerberos support. But both result in errors.

One thing worth trying: make sure you're using sshd's PasswordAuthentication
and not ChallengeResponseAuthentication. You can test this with
"ssh -o PreferredAuthentications=password yourserver", and if it works you
can set PasswordAuthentication=yes and ChallengeResponseAuthentication=no in
sshd_config to require it from your clients. For the gory details see
http://bugzilla.mindrot.org/show_bug.cgi?id=688

> When using PAM authentication (using the same PAM stack we're using for
> local authentication on the clients that works with pam_krb5.so) I can
> successfully login on the OpenSSH server but don't get the Kerberos5
> ticket written to /tmp/krb5cc_[...]. The following error is written to
> the logs:
>
> --
> -bash: GSSAPI Error: Miscellaneous failure (No Credentials cache found)

I don't know why bash would care about GSSAPI.

> Also the variable KRB5CCNAME isn't defined. I've investigated this
> problem already on the net and tried different setups and approaches but
> to no avail. I need the kerberos5 ticket for use of OpenAFS.
>
> When trying internal Kerberos support of OpenSSH I can't login at all
> while getting the following error messages in the log:

I can't comment much on the GSSAPI errors, except..

[...]

> When I comment out this [krb5_kuserok] then I can login using OpenSSH's
> internal kerberos support and even get my kerberos5 ticket and KRB5CCNAME.
> I'm not that involved in kerberos on the coding side. What does the
> krb5_kuserok method do exactly? Why could it fail? Is it critical to
> comment it out?

The man page for krb5_kuserok says, in part:

    This function takes a local user name and verifies if principal is
    allowed to log in as that user. First krb5_kuserok checks if there is
    a local account name username. If there isn't, krb5_kuserok returns
    FALSE. Then krb5_kuserok checks if principal is the same as user@realm
    in any of the default realms. If that is the case, krb5_kuserok
    returns TRUE.

> Oh, and here is some more data about my OpenSSH server system:
> It's running on Gentoo Linux using
> - OpenSSH 4.2_p1 with kerberos, ldap and pam support enabled

The main OpenSSH distribution does not have LDAP support. Is this modified?
Have you enabled LDAP support in /etc/nsswitch.conf?

> Thanks in advance for your support,

You're welcome.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Douglas E. Engert
2005-Nov-28 15:22 UTC
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Matthias Gerstner wrote:
> Greetings,
>
> I'm working on the infrastructure of a medium size client/server
> environment using an Active Directory running on Windows Server 2003 for
> central authentication of users on linux clients.
> Additionally OpenAFS is running using Kerberos authentication through
> Active Directory as well.
>

This sounds like our site, AD for the KDCs, and OpenAFS, but we have some
extra pam routines, pam_afs2 and pam_krb5_ccache, for systems where the
vendor's pam_krb5 does not know about AFS.

> Now I want to grant users remote access to their AFS data by logging in
> to a central OpenSSH server running on linux.
>
> As authentication at the Active Directory works well when logging in
> locally on the linux clients using PAM I wanted to use PAM also for the
> SSH access.
>
> Unfortunately I've run into problems trying to get the OpenSSH setup
> running. I have tried OpenSSH PAM support and OpenSSH's internal
> kerberos support. But both result in errors.
>
> When using PAM authentication (using the same PAM stack we're using for
> local authentication on the clients that works with pam_krb5.so) I can
> successfully login on the OpenSSH server but don't get the Kerberos5
> ticket written to /tmp/krb5cc_[...]. The following error is written to
> the logs:
>
> --
> -bash: GSSAPI Error: Miscellaneous failure (No Credentials cache found)
> --
>

Does the host have a host/<fqdn>@<REALM> principal in the krb5.keytab?

> Also the variable KRB5CCNAME isn't defined. I've investigated this
> problem already on the net and tried different setups and approaches but
> to no avail. I need the kerberos5 ticket for use of OpenAFS.
>

Does it write it to some other location?

> When trying internal Kerberos support of OpenSSH I can't login at all
> while getting the following error messages in the log:
>
> --
> GSSAPI Error: Miscellaneous failure (Credentials cache permission incorrect)
> Failed password for <user> from <ip> port <port> ssh2
> --
>
> I had a look at the responsible source code in auth-krb5.c. By doing
> some debugging there I found out that the following code fragment fails:
>
> auth-krb5.c:137
> ---
> if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
>     authctxt->pw->pw_name)) {
>         problem = -1;
>         goto out;
> }
> ---
>
> When I comment out this if-block then I can login using OpenSSH's
> internal kerberos support and even get my kerberos5 ticket and KRB5CCNAME.
>
> I'm not that involved in kerberos on the coding side. What does the
> krb5_kuserok method do exactly? Why could it fail? Is it critical to
> comment it out?

Yes it is critical. It is an authorization check that says this user
principal is allowed to use this local unix account. It looks at the
~/.k5login and the krb5.conf [realm] auth_to_local variables to test the
mapping. By default, if the kerberos principal is user@realm and the local
account is username and user == username and realm == default-realm-of-host,
then krb5_kuserok does not need to check the .k5login. (With AD the realm is
the uppercase of the AD domain name, fully qualified.)

> I'd be happy if somebody had a solution or some advice for me. The best
> would be to get PAM authentication to correctly write the kerberos
> ticket to file.
>
> Oh, and here is some more data about my OpenSSH server system:
>
> It's running on Gentoo Linux using
>
> - OpenSSH 4.2_p1 with kerberos, ldap and pam support enabled
> - mit-krb5-1.4.1-r2 with krb4 support enabled
> - pam_krb5-1.0-r1
> - pam-0.78-r3
>
> Thanks in advance for your support,
>
> Matthias Gerstner
> --
> Matthias.Gerstner at nefkom.net

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
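To make the authorization check Douglas describes concrete, here is an added Python model of the krb5_kuserok() decision; it is not code from OpenSSH or from either Kerberos library, and the local accounts, the realm EXAMPLE.COM and the .k5login contents are constructed sample data. It follows the order of the man page text Darren quoted (local account exists, then user@default-realm, then ~/.k5login) and leaves out the auth_to_local rules.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal split into name and realm (realms are case-sensitive)."""
    name: str
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # Split on the last '@' so instance-style names such as host/fqdn@REALM work.
        name, sep, realm = text.strip().rpartition("@")
        if not sep or not name or not realm:
            raise ValueError(f"not a name@REALM principal: {text!r}")
        return cls(name, realm)


def kuserok(principal: Principal, local_user: str, local_accounts: Set[str],
            default_realms: Set[str], k5login: Optional[str] = None) -> bool:
    """Simplified krb5_kuserok(): may `principal` log in as `local_user`?
    k5login is the text of ~/.k5login or None if absent; auth_to_local is not modelled."""
    # 1. The local account must exist (sshd passes it as authctxt->pw->pw_name).
    if local_user not in local_accounts:
        return False
    # 2. Default mapping: user@<default realm> may log in as local user 'user'.
    if principal.name == local_user and principal.realm in default_realms:
        return True
    # 3. Otherwise an explicit grant is needed: one principal per line in ~/.k5login.
    if k5login is not None:
        for line in k5login.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and Principal.parse(line) == principal:
                return True
    return False


# Constructed sample data: the AD domain example.com gives the realm EXAMPLE.COM.
LOCAL_ACCOUNTS = {"mgerstner", "alice"}
DEFAULT_REALMS = {"EXAMPLE.COM"}
ALICE_K5LOGIN = "# admin may use alice's account\nadmin@EXAMPLE.COM\n"

if __name__ == "__main__":
    cases = [("mgerstner@EXAMPLE.COM", "mgerstner", None),   # default mapping
             ("mgerstner@example.com", "mgerstner", None),   # realm case mismatch
             ("admin@EXAMPLE.COM", "alice", ALICE_K5LOGIN),  # granted by .k5login
             ("bob@EXAMPLE.COM", "nosuchuser", None)]        # no local account
    for princ, user, k5 in cases:
        ok = kuserok(Principal.parse(princ), user, LOCAL_ACCOUNTS, DEFAULT_REALMS, k5)
        print(f"{princ:>24} as {user:<10} -> {'allowed' if ok else 'denied'}")
```

The second case shows why a lower-case realm (the AD DNS name rather than its upper-cased realm) never matches the default mapping and therefore fails unless the principal is listed in ~/.k5login.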
Douglas E. Engert
2005-Dec-01 12:50 UTC
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Darren Tucker wrote:
> On Wed, Nov 30, 2005 at 02:48:43PM -0600, Douglas E. Engert wrote:
>
>> Sort of. Either pam_krb5 (if using "ChallengeResponse yes") or sshd
>> directly with "KerberosAuthentication yes" will use the username and password
>> to get a ticket granting ticket (TGT).
>
> Minor nitpick: PasswordAuthentication also uses PAM in 3.9p1 and up
> (and 3.6.1p2 and below), so for current versions the first part of
> that would more correctly be "UsePAM yes" and either (or both) of
> "ChallengeResponseAuthentication yes" and "PasswordAuthentication yes".
>

It also looks like it depends on if sshd was compiled with --with-kerberos5.
It looks like auth_password() in auth-passwd.c will call auth_krb5_password
before the test for use_pam. auth_krb5_password calls Kerberos directly.
(I am looking at OpenSSH-4.1p1.) So in effect it could try the Kerberos
password twice, once via auth_krb5_password and once via pam_krb5. I think
we have seen this, but never knew why!

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444