Kerberos SSH Login













I'm trying to set up a

  • ssh server

  • ssh client

  • kerberos server

Now, on both the SSH server and client I can poll a ticket by calling kinit -p root/admin.

In SSH/SSHD config I set

  • GSSAPIAuthentication yes

  • GSSAPICleanupCredentials yes

  • GSSAPIDelegateCredentials yes

Now when I try to ssh from the client to the ssh-server I'm still prompted for a password, why is that?



$ ssh -vv sshserver
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256
SHA256:71jU1n0c5M2uGF1RA37xc5ktz7CVmq2lqztrM+0ApX8
debug1: Host 'sshserver.kea.dk' is known and matches the ECDSA host key.
debug1: Found key in /home/ghost/.ssh/known_hosts:1
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /home/ghost/.ssh/id_rsa (0x564e5774b270)
debug2: key: /home/ghost/.ssh/id_dsa ((nil))
debug2: key: /home/ghost/.ssh/id_ecdsa ((nil))
debug2: key: /home/ghost/.ssh/id_ed25519 ((nil))
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ghost/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp
SHA256:V731Bh8CcX3x80tGJcwqsSBOo0wZbq2iIFc+ZHnyadg
debug1: Trying private key: /home/ghost/.ssh/id_dsa
debug1: Trying private key: /home/ghost/.ssh/id_ecdsa
debug1: Trying private key: /home/ghost/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password






  • Did you add a service principal for sshd to your kerberos database?
    – Sebastian Stark
    May 22 at 7:29











  • I think I did when I made the key for the ssh server? When doing listprincs it shows ssh/mykerberos.kea.dk@MYKERBEROS.KEA.DK
    – MrSykkox
    May 22 at 9:01











  • Are you using the exact same hostname for the ssh command line like shown in listprincs? That would have to be "ssh mykerberos.kea.dk"
    – Sebastian Stark
    May 27 at 12:35
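
An added example, not part of the original question or comments: it tallies each authentication method in the `ssh -vv` output above (requests sent versus "can continue" replies, which the client prints when the server refuses an attempt) and compares the principal quoted from listprincs with the `host/<hostname>` service name that OpenSSH's GSSAPI code requests. The function names are made up for this illustration, and the hostname is assumed to be the one in the `Host '...' is known` log line.

```python
import re

# Abridged from the ssh -vv output in the question above.
SSH_DEBUG = """\
debug1: Host 'sshserver.kea.dk' is known and matches the ECDSA host key.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug2: we sent a publickey packet, wait for reply
debug1: Next authentication method: password
"""
# Principal quoted in the comments as listprincs output.
PRINCIPALS = ["ssh/mykerberos.kea.dk@MYKERBEROS.KEA.DK"]


def auth_attempts(log):
    """Map each method to [requests sent, 'can continue' replies], in log order."""
    stats, current = {}, None
    for line in log.splitlines():
        m = re.search(r"Next authentication method: (\S+)", line)
        if m:
            current = m.group(1)
            stats[current] = [0, 0]
        elif current and re.search(r"we sent a \S+ packet", line):
            stats[current][0] += 1
        elif current and "Authentications that can continue" in line:
            stats[current][1] += 1
    return stats


def principal_problems(log, principals):
    """List mismatches against host/<name>, the service name ssh requests via GSSAPI."""
    host = re.search(r"Host '([^']+)' is known", log).group(1)
    if f"host/{host}" in (p.split("@")[0] for p in principals):
        return []  # a principal for the expected service and hostname exists
    problems = []
    for p in principals:
        service, _, instance = p.split("@")[0].partition("/")
        if service != "host":
            problems.append(f"{p}: service '{service}', expected 'host'")
        if instance != host:
            problems.append(f"{p}: hostname '{instance}', expected '{host}'")
    return problems
```

A method showing zero requests sent was dropped by the client before anything went on the wire; one showing as many "can continue" replies as requests was attempted and refused by the server each time.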














asked May 20 at 20:56 by MrSykkox
edited May 21 at 0:53 by ubashu










