[Bug 675448] [NEW] ssh does not authenticate against kerberos

Thomas Schweikle 675448 at bugs.launchpad.net
Mon Nov 15 09:33:23 GMT 2010


Public bug reported:

sshd is set up to authenticate using GSSAPI, but this never succeeds,
falling back to any other configured authentication method. If all are
forbidden, authentication fails without giving a useful reason.

On a local(!) system assume:
user test exists, krb5 is running fine, PAM is set up to use krb5. After logging in:

% ssh -l test 192.168.1.111
$ klist
Ticket cache: FILE:/tmp/krb5cc_2023
Default principal: test at TEST.DE

Valid starting     Expires            Service principal
11/15/10 10:22:38  11/15/10 20:22:38  krbtgt/TEST.DE at TEST.DE
        renew until 11/16/10 10:22:35

Now that I have a ticket, I expected to be automatically authenticated to log on to the very same server using ssh:
$ ssh 192.168.1.111
test at 192.168.1.111's password:

I am asked for the password! Bad. Same with "-v":
$ ssh -v 192.168.1.111
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.111 [192.168.1.111] port 22.
debug1: Connection established.
debug1: identity file /home/test/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/test/.ssh/id_rsa-cert type -1
debug1: identity file /home/test/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/test/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.111' is known and matches the RSA host key.
debug1: Found key in /home/test/.ssh/known_hosts:5
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied


debug1: Next authentication method: publickey
debug1: Offering public key: /home/test/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /home/test/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
test at 192.168.1.111's password: 

Easy to see: GSSAPI is tried, but fails.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: openssh-server 1:5.5p1-4ubuntu4
ProcVersionSignature: Ubuntu 2.6.35-22.35-server 2.6.35.4
Uname: Linux 2.6.35-22-server x86_64
Architecture: amd64
Date: Mon Nov 15 10:13:10 2010
InstallationMedia: Ubuntu-Server 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: openssh

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug maverick

-- 
ssh does not authenticate against kerberos
https://bugs.launchpad.net/bugs/675448
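
An added example, not part of the original report and not OpenSSH code: a small parser for `ssh -v` client output that groups the messages logged under each authentication method and flags the "Cannot determine realm for numeric host address" message when the target was given as an IP literal, as in the log above. The function names and the condensed sample log are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, condensed from the authentication part of the log in the report.
SAMPLE_LOG = """\
debug1: Connecting to 192.168.1.111 [192.168.1.111] port 22.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: Next authentication method: publickey
debug1: Offering public key: /home/test/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
"""

CONNECT = re.compile(r"^debug1: Connecting to (\S+) \[")
NEXT = re.compile(r"^debug1: Next authentication method: (\S+)")


def summarize_auth(log):
    """Return (target, {method: [messages logged while that method was tried]})."""
    target, current, attempts = None, None, {}
    for line in filter(None, (raw.strip() for raw in log.splitlines())):
        if (m := CONNECT.match(line)):
            target = m.group(1)
        elif (m := NEXT.match(line)):
            current = m.group(1)
            attempts.setdefault(current, [])
        elif current is not None and "Authentications that can continue" not in line:
            attempts[current].append(re.sub(r"^debug\d: ", "", line))
    return target, attempts


def is_numeric(host):
    """True when the ssh target was given as an IP literal rather than a name."""
    try:
        return bool(ipaddress.ip_address(host))
    except (ValueError, TypeError):
        return False


def gssapi_findings(log):
    """(method, message, numeric_target) for each message logged under a GSSAPI method."""
    target, attempts = summarize_auth(log)
    return [(method, msg, "numeric host address" in msg and is_numeric(target))
            for method in ("gssapi-keyex", "gssapi-with-mic")
            for msg in attempts.get(method, [])]
```

Calling `gssapi_findings()` on saved `ssh -v` output returns one tuple per message; the third element is `True` only for the realm error raised against a numeric target.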