Problem with Tiger Kerberos Client and Linux Kerberos Server

Hi

I have spent much of the day trying to get ssh on my Tiger machine authenticating with a Linux server using Kerberos. Our Linux client machines work fine. I have tested two Macs with different Mac OS X revisions and get the same problem. Kerberos fails and I get asked for a password.

debug2: key: /Users/gluck/.ssh/identity (0x0)
debug2: key: /Users/gluck/.ssh/id_rsa (0x0)
debug2: key: /Users/gluck/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/gluck/.ssh/identity
debug3: no such identity: /Users/gluck/.ssh/identity
debug1: Trying private key: /Users/gluck/.ssh/id_rsa
debug3: no such identity: /Users/gluck/.ssh/id_rsa
debug1: Trying private key: /Users/gluck/.ssh/id_dsa
debug3: no such identity: /Users/gluck/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
gluck@vmware.wotif.com's password:


The client config is in /Library/Preferences/edu.mit.Kerberos as follows:

[domain_realm]
. = WOTIF.COM
.local = WOTIF.COM
.wotif.com = WOTIF.COM
wotif.com = WOTIF.COM

[libdefaults]
default_realm = WOTIF.COM
dns_fallback = no

[realms]
WOTIF.COM = {
admin_server = vmware.wotif.com:749
kdc = vmware.wotif.com:88
}

[v4 domain_realm]
. = WOTIF.COM
.local = WOTIF.COM
.wotif.com = WOTIF.COM
wotif.com = WOTIF.COM

On the Kerberos server we get the following:

debug1: userauth-request for user gluck service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 1
Postponed gssapi-with-mic for gluck from 192.168.0.101 port 52505 ssh2
debug1: Unspecified GSS failure. Minor code may provide more information
Wrong principal in request

debug1: Got no client credentials

One thing I am suspicious of: my Mac lists its hostname as ending in .local, but when I type domainname it comes back blank. I wonder if this is screwing with Kerberos. I have added .local to the domain_realm.

I tried setting the hostname using the sudo hostname command. It sets but still does not work.

Does anyone have any ideas?

PowerMac G5, Mac OS X (10.4.8)

Posted on Feb 15, 2007 10:08 PM

7 replies
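
An added example (not part of the original post): a small parser that pulls the GSS-API failure reason out of sshd debug output like the server log quoted in the question, pairing it with the user and source address from the preceding "Postponed" line. The function name and record fields are illustrative; the sample lines are the ones posted above.

```python
import re

# Server-side sshd debug lines as quoted in the question.
SSHD_LOG = """\
debug1: userauth-request for user gluck service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 1
Postponed gssapi-with-mic for gluck from 192.168.0.101 port 52505 ssh2
debug1: Unspecified GSS failure. Minor code may provide more information
Wrong principal in request

debug1: Got no client credentials
"""

POSTPONED = re.compile(
    r"^Postponed (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")
MAJOR = re.compile(
    r"^debug1: (?P<major>.+?)\.\s+Minor code may provide more information")


def gss_failures(log_text):
    """Return one record per GSS-API failure, tied to the pending auth attempt."""
    records, attempt, pending = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POSTPONED.match(line)
        if m:
            # Remember who is mid-way through a multi-step auth method.
            attempt, pending = m.groupdict(), None
            continue
        m = MAJOR.match(line)
        if m:
            # Major status line; the minor status text follows on its own line.
            pending = dict(attempt or {}, major=m.group("major"), minor=None)
            records.append(pending)
            continue
        if pending is not None and not line.startswith("debug"):
            # Unprefixed line right after the major status: the minor status.
            pending["minor"] = line
        pending = None
    return records


if __name__ == "__main__":
    for rec in gss_failures(SSHD_LOG):
        print(rec)
```

The minor status line ("Wrong principal in request" here) is the part worth alerting or grouping on, since the major status is the same generic message for most Kerberos-level failures.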

Feb 20, 2007 8:28 PM in response to slowfranklin

-bash2.05b gluck@gluck ~ % ssh -vvv gluck@vmware
OpenSSH_4.2p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to vmware [192.168.0.136] port 22.
debug1: Connection established.
debug1: identity file /Users/gluck/.ssh/identity type 0
debug1: identity file /Users/gluck/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /Users/gluck/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/gluck/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkayal2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkayal2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkayal2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkayal2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 125/256
debug2: bits set: 516/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /Users/gluck/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 26
debug3: check_host_in_hostfile: filename /Users/gluck/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 26
debug1: Host 'vmware' is known and matches the RSA host key.
debug1: Found key in /Users/gluck/.ssh/known_hosts:26
debug2: bits set: 527/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/gluck/.ssh/id_rsa (0x0)
debug2: key: /Users/gluck/.ssh/id_dsa (0x307530)
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/gluck/.ssh/id_rsa
debug3: no such identity: /Users/gluck/.ssh/id_rsa
debug1: Offering public key: /Users/gluck/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

Feb 20, 2007 8:48 PM in response to Gregory Luck

I managed to get a machine at work going. It was on a network where host and domain name were being set by DHCP.

In my home environment that is not the case. Both are blank. My DHCP server does not set them.

Unfortunately setting a hostname and domainname on Mac is not simple.

I found out how to set the hostname in /etc/hostconfig using HOSTNAME=
Tried that and it did not work.

On the work network I also tried my machine. It did not work. I tested my account name using the other guy's Mac, which did work. Incidentally, I provided the /Library/Preferences/edu.mit.Kerberos config.

So:
- the config is ok
- the Kerberos config is ok

At home there is something dodgy going on. We got Apache working from Firefox on Linux. We managed to get it working on Mac up to the same point where it fails in ssh.

This is all looking a bit too hard.

Feb 20, 2007 8:55 PM in response to Gregory Luck

Hi Gregory

To set the hostname & domain name from the terminal use:

sudo scutil --set HostName your_hostname.your_domainname.your_tld

I have also found it useful to set your IP hostname/domain name in /etc/hosts as well

Richard




Mac Pro Mac OS X (10.4.8)
