OpenSSH, Kerberos and RedHat

From: Richard Jones (freebsd_at_jonze.com)
Date: 06/30/05

    Date: Thu, 30 Jun 2005 12:03:56 +0100
    To: freebsd-questions@freebsd.org


    Hi,

    I'm trying to get OpenSSH with Kerberos5/GSSAPI authentication up and
    running in a heterogeneous environment, but having problems.

    I'm running a vanilla FreeBSD-5.4p1 box as the KDC. I have another
    FreeBSD-5.4 box, and a RedHat ES3 box running as a test client/server.

    kinit works fine on both boxes. PuTTY patched with Kerberos support
    works fine as a client to both boxes (and obviously has no problems with
    the KDC). Each box can negotiate a login to itself. However, neither can
    talk to the other.

    I first recompiled the stock RedHat OpenSSH with the "gss" tag change to
    allow it to compile against GSSAPI. However this did not work, I
    believe, as this was an older package patched to provide gssapi, and not
    the newer gssapi-with-mic.

    This did not work.

    So I tried a more recent RPM: openssh-3.9p1-8.0.2.src.rpm compiled with
    the tag change to use gssapi-with-mic.

    Server:
    Connection from 10.1.0.112 port 54409
    debug1: Client protocol version 2.0; client software version OpenSSH
    57:41 redhat sshd[844]: debug1: match: OpenSSH_3.8.1p1 FreeBSD-20040419 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-1.99-OpenSSH_3.9p1
    debug1: Received some client credentials
    debug1: temporarily_use_uid: 504/504 (e=0/0)
    debug1: trying public key file /home/richard/.ssh/authorized_keys
    debug1: restore_uid: 0/0
    debug1: temporarily_use_uid: 504/504 (e=0/0)
    debug1: trying public key file /home/richard/.ssh/authorized_keys2
    debug1: restore_uid: 0/0
    debug1: do_cleanup

    Client:
    OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to redhat.digitalrum.net [10.1.0.83] port 23.
    debug1: Connection established.
    debug1: identity file /usr/local/home/richard/.ssh/id_rsa type 1
    debug1: identity file /usr/local/home/richard/.ssh/id_dsa type -1
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
    debug1: match: OpenSSH_3.9p1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'redhat.digitalrum.net' is known and matches the DSA host key.
    debug1: Found key in /usr/local/home/richard/.ssh/known_hosts:79
    debug1: ssh_dss_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
    debug1: Next authentication method: gssapi-with-mic
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
    debug1: No more authentication methods to try.
    Permission denied (publickey,gssapi-with-mic,keyboard-interactive).

    Can anyone help? I thought it may be a Kerberos flavour mismatch; RedHat
    is compiled against MIT, and FreeBSD against Heimdal. I tried
    recompiling FreeBSD's openssh-portable against MIT Kerberos, but it
    failed to build with a slew of GSSAPI errors.

    Regards,

    Richard

    -- 
    Richard Jones
    MSN: msn.co.uk@jonze.com
    Y!M: rwkjones
    http://www.jonze.com
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
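Added example (not part of Richard's post and not OpenSSH's own code): a small
POSIX sh triage helper for the `ssh -v` and `sshd -d` transcripts quoted above.
It classifies how far the gssapi-with-mic method got on each side, so a reader
can separate "method never offered" from "context never established" from
"context established but the server still refused". The two log samples are
constructed by trimming the output quoted in the post; the pattern names
(`rejected`, `established-with-delegation`, and so on) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# Classify the GSSAPI authentication step from ssh/sshd debug output.

# Constructed sample: trimmed from the client output quoted in the post.
SAMPLE_CLIENT_LOG='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).'

# Constructed sample: trimmed from the server output quoted in the post.
SAMPLE_SERVER_LOG='debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.9p1
debug1: Received some client credentials
debug1: temporarily_use_uid: 504/504 (e=0/0)
debug1: trying public key file /home/richard/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: do_cleanup'

# client_gssapi_status LOG -> prints one of:
#   not-offered  server never advertised gssapi-with-mic
#   not-tried    advertised, but the client never selected it (client config, no ticket)
#   rejected     client ran the method, server still asks for more methods afterwards
#   accepted     "Authentication succeeded (gssapi-with-mic)" present
client_gssapi_status() {
    log=$1
    if ! printf '%s\n' "$log" | grep -q 'Authentications that can continue:.*gssapi-with-mic'; then
        echo not-offered; return 0
    fi
    if printf '%s\n' "$log" | grep -q 'Authentication succeeded (gssapi-with-mic)'; then
        echo accepted; return 0
    fi
    if ! printf '%s\n' "$log" | grep -q 'Next authentication method: gssapi-with-mic'; then
        echo not-tried; return 0
    fi
    echo rejected
}

# server_gssapi_context LOG -> prints whether sshd finished the GSS security context.
# sshd's ssh_gssapi_accept_ctx() logs "Received some client credentials" or
# "Got no client credentials" only once accept_sec_context returned GSS_S_COMPLETE.
# The error match is a heuristic on the text GSSAPI status strings usually carry.
server_gssapi_context() {
    log=$1
    if printf '%s\n' "$log" | grep -q 'Received some client credentials'; then
        echo established-with-delegation; return 0
    fi
    if printf '%s\n' "$log" | grep -q 'Got no client credentials'; then
        echo established-no-delegation; return 0
    fi
    if printf '%s\n' "$log" | grep -qiE 'gssapi.*error|unspecified gss failure'; then
        echo context-error; return 0
    fi
    echo no-gssapi-activity
}

# client_gssapi_attempts LOG -> number of times the client selected the GSSAPI method.
client_gssapi_attempts() {
    printf '%s\n' "$1" | grep -c 'Next authentication method: gssapi-with-mic'
}

# Stand-alone run: summarise the two constructed samples.
if [ "$(client_gssapi_status "$SAMPLE_CLIENT_LOG")" = rejected ] \
   && [ "$(server_gssapi_context "$SAMPLE_SERVER_LOG")" = established-with-delegation ]; then
    echo "GSSAPI context established and credentials delegated, but the server refused the login:"
    echo "  next things to check are the MIC exchange and the principal-to-user mapping"
    echo "  (krb5_kuserok: principal must match the local user in the default realm, or be listed in ~/.k5login)"
fi
```

Read on the post's own transcripts, the helper reports `rejected` for the client
and `established-with-delegation` for the server: the server side got through
context establishment (that "Received some client credentials" line is printed
by sshd's GSSAPI accept path only after the context completes), so the remaining
candidates are the MIC verification and the Kerberos principal-to-local-user
check that OpenSSH delegates to the Kerberos library's `krb5_kuserok`. A
`no-gssapi-activity` result on the server, by contrast, would point at sshd being
built without GSSAPI or `GSSAPIAuthentication` being off in `sshd_config`.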
    