Je rencontre le problème suivant: j'essaie de me connecter à partir d'un client VM à un serveur VM à l'aide de SSH avec l'authentification Kerberos, mais SSH me demande toujours un mot de passe. Bien évidemment, j'ai modifié le fichier /etc/ssh/sshd_config
, côté serveur, pour permettre: GSSAPIAuthentication yes
et GSSAPICleanupCredentials yes
. Sur la machine client, j'ai fait la même chose dans le fichier /etc/ssh/ssh_config
. À propos de Kerberos: j'ai ajouté un principal utilisant kadmin.local, appelé Host/[email protected]
où "serveur" est le nom d'hôte de la machine serveur et SERVER.COM, le nom du domaine. Une fois ce principe créé pour le service SSH, j’ai utilisé le ktadd -k command
pour ajouter le fichier de clés (pour que tout soit clair, le serveur SSH et le serveur Kerberos se trouvent sur le même ordinateur) situé à /etc/krb5.keytab
. La sortie de Sudo klist -ke /etc/krb5.keytab
est
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 Host/[email protected] (aes256-cts-hmac-sha1-96)
1 Host/[email protected] (aes128-cts-hmac-sha1-96)
1 Host/[email protected] (aes256-cts-hmac-sha1-96)
1 Host/[email protected] (aes128-cts-hmac-sha1-96)
1 Host/[email protected] (aes256-cts-hmac-sha1-96)
1 Host/[email protected] (aes128-cts-hmac-sha1-96)
1 [email protected] (aes256-cts-hmac-sha1-96)
1 [email protected] (aes128-cts-hmac-sha1-96)
1 Host/[email protected] (aes256-cts-hmac-sha1-96)
1 Host/[email protected] (aes128-cts-hmac-sha1-96)
Donc, la création de keytab était OK. Eh bien, sur la machine du serveur, j’ai également ajouté un utilisateur nommé michele (même dans la liste ci-dessus et ajouté en tant que principal évidemment) et la même chose a été créée sur la machine cliente. J'ai tapé la commande ssh en mode débogage Sudo /usr/sbin/sshd -p 9001 -D -dd
à la fois sur le client et sur le serveur et j’obtiens ce qui suit:
1) Pour le côté serveur:
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 370
debug2: parse_server_config: config /etc/ssh/sshd_config len 370
debug1: sshd version OpenSSH_7.5, OpenSSL 1.0.2g 1 Mar 2016
debug1: private Host key #0: ssh-rsa SHA256:Uu0sgKAMRqoKGBxZ+pLywmfCH8Fby+3p/rgJ5TSn45w
debug1: private Host key #1: ecdsa-sha2-nistp256 SHA256:ycCOVyRMzFst+8uwleIs1VtvhsoN+3GZE/Tjj7i/MlA
debug1: private Host key #2: ssh-ed25519 SHA256:I1PpnUol1xHFKTiM+yTGN0C3h6PSjgo34VjkFtUH6Uk
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='9001'
debug1: rexec_argv[3]='-D'
debug1: rexec_argv[4]='-dd'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 9001 on 0.0.0.0.
Server listening on 0.0.0.0 port 9001.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 9001 on ::.
Server listening on :: port 9001.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.56.5 port 60904 on 192.168.56.4 port 9001
debug1: Client protocol version 2.0; client software version OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
debug1: match: OpenSSH_7.5p1 Ubuntu-10ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
debug1: Enabling compatibility mode for protocol 2.0
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 4541
debug1: permanently_set_uid: 122/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: Host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,[email protected] [preauth]
debug2: compression stoc: none,[email protected] [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
debug2: Host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,[email protected],zlib [preauth]
debug2: compression stoc: none,[email protected],zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: Host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug2: monitor_read: 6 used once, disabling now
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user michele service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug2: parse_server_config: config reprocess config len 370
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for michele [preauth]
debug1: PAM: initializing for "michele"
debug1: PAM: setting PAM_RHOST to "192.168.56.5"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug2: monitor_read: 4 used once, disabling now
debug2: input_userauth_request: try method none [preauth]
debug1: userauth-request for user michele service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug1: PAM: password authentication accepted for michele
debug1: do_pam_account: called
Accepted password for michele from 192.168.56.5 port 60904 ssh2
debug1: monitor_child_preauth: michele has been authenticated by privileged process
debug1: monitor_read_log: child log fd closed
debug1: temporarily_use_uid: 1004/1004 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: PAM: establishing credentials
User child is on pid 4618
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1004/1004
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: ssh_packet_set_postauth: called
debug1: Entering interactive session for SSH2.
debug2: fd 6 setting O_NONBLOCK
debug2: fd 8 setting O_NONBLOCK
debug1: server_init_dispatch
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype [email protected] want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug2: session_new: allocate (allocated 0 max 10)
debug1: session_new: session 0
debug1: SELinux support disabled
debug1: session_pty_req: session 0 alloc /dev/pts/1
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug2: Setting env 0: LANG=it_IT.UTF-8
debug1: server_input_channel_req: channel 0 request Shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req Shell
Starting session: Shell on pts/1 for michele from 192.168.56.5 port 60904 id 0
debug2: fd 3 setting TCP_NODELAY
debug1: Setting controlling tty using TIOCSCTTY.
debug2: channel 0: rfd 11 isatty
debug2: fd 11 setting O_NONBLOCK
et pour le côté client:
~$ ssh -p 9001 -vv [email protected]
OpenSSH_7.5p1 Ubuntu-10ubuntu0.1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "192.168.56.4" port 9001
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.56.4 [192.168.56.4] port 9001.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/michele/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
debug1: match: OpenSSH_7.5p1 Ubuntu-10ubuntu0.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.56.4:9001 as 'michele'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: Host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: Host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: Host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server Host key: ecdsa-sha2-nistp256 SHA256:ycCOVyRMzFst+8uwleIs1VtvhsoN+3GZE/Tjj7i/MlA
debug1: checking without port identifier
debug1: Host '192.168.56.4' is known and matches the ECDSA Host key.
debug1: Found key in /home/michele/.ssh/known_hosts:1
debug1: found matching key w/out port
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: Permission denied
debug2: key: /home/michele/.ssh/id_rsa ((nil))
debug2: key: /home/michele/.ssh/id_dsa ((nil))
debug2: key: /home/michele/.ssh/id_ecdsa ((nil))
debug2: key: /home/michele/.ssh/id_ed25519 ((nil))
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1002)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1002)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/michele/.ssh/id_rsa
debug1: Trying private key: /home/michele/.ssh/id_dsa
debug1: Trying private key: /home/michele/.ssh/id_ecdsa
debug1: Trying private key: /home/michele/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
[email protected]'s password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 192.168.56.4 ([192.168.56.4]:9001).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = it_IT.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request Shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: Shell request accepted on channel 0
Welcome to Ubuntu 17.10 (GNU/Linux 4.13.0-39-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 pacchetti possono essere aggiornati.
0 sono aggiornamenti di sicurezza.
Failed to connect to http://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings
Last login: Sat May 5 12:45:11 2018 from 192.168.56.5
Environment:
LANG=it_IT.UTF-8
USER=michele
LOGNAME=michele
HOME=/home/michele
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
MAIL=/var/mail/michele
Shell=/bin/bash
SSH_CLIENT=192.168.56.5 60904 9001
SSH_CONNECTION=192.168.56.5 60904 192.168.56.4 9001
SSH_TTY=/dev/pts/1
TERM=xterm-256color
XDG_SESSION_ID=39
XDG_RUNTIME_DIR=/run/user/1004
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1004/bus
Du côté client, il semble qu'il y ait une défaillance de GSSAPI concernant les informations d'identification. Je voudrais ssh sur mon serveur sans taper le mot de passe. Pouvez-vous m'aider s'il vous plaît? Thansk!
Le message d'erreur indique que vous ne disposez pas d'un TGT ("Ticket Granting Ticket") valide pour l'utilisateur avec lequel vous essayez de vous connecter. Vous devez d'abord lancer "kinit". Cela tentera d’obtenir un TGT du serveur Kerberos et de le placer dans le cache du ticket (/tmp/krb5cc_1002
dans votre cas).
Vous ne devriez pas faire cela en utilisant Sudo, car cela créera le cache du ticket avec les mauvaises autorisations. Si vous l'avez fait avec Sudo, vous devez supprimer le cache du ticket avec les mauvaises autorisations (Sudo rm /tmp/krb5cc_1002
) et essayer de réexécuter kinit
en tant qu'utilisateur normal.
Quelque chose qui n’est pas directement lié à ce problème mais qui mérite d’être mentionné: vous n’avez pas besoin d’ajouter des utilisateurs à /etc/krb5.keytab
, comme vous semblez avoir essayé en fonction de votre sortie klist -ke
. Ce fichier est destiné à l'authentification hôte/service uniquement. Les utilisateurs doivent uniquement être ajoutés au serveur Kerberos (KDC).