ssh with Kerberos: Permission denied (publickey,gssapi-keyex,gssapi-with-mic)



I configured Kerberos 5. I also configured ssh2. Then I tried to authenticate with a Kerberos user on the remote host. When the user runs the following command to connect to the remote host:

ssh -v username@hostname
  1. The user receives a ticket from the KDC.
  2. The user also receives a second ticket from the TGS (KDC).

But ssh2 rejects the ticket presented by the user. This is the error message:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

But when I run klist I can see the ticket. These are my configuration files:

I tried all the solutions I found on the Internet in various forums, but the error persists. The solution seems simple, but I don't know what it is.

Server-side configuration:

/etc/ssh/sshd_config

# Kerberos options
KerberosAuthentication yes

# GSSAPI options
GSSAPIAuthentication yes

Client-side configuration:

/etc/ssh/ssh_config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Output of ssh -v

OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to service.domain1.com [192.168.100.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 1b:02:94:ac:a8:a1:ef:75:1e:8a:de:92:fa:68:f6:12
debug1: Host 'service.domain1.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

and I also get the ticket (klist):

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cino@DOMAIN1.COM

Valid starting       Expires              Service principal
06/16/2017 18:10:12  06/17/2017 04:10:12  krbtgt/DOMAIN1.COM@DOMAIN1.COM
        renew until 06/17/2017 18:10:10

06/16/2017 18:13:53  06/17/2017 04:10:12  host/service.domain1.com@DOMAIN1.COM
        renew until 06/17/2017 18:10:10

Output of KRB5_TRACE=/dev/stderr ssh cino@service.domain1.com

[3245] 1497647877.815: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.1505: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.3495: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.4603: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.6417: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.7386: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.8081: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.9362: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 453361358, subkey aes256-cts/0C76, session key aes256-cts/12F8
[3245] 1497647877.12213: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.13206: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.13734: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.14470: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.15943: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.17024: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.18005: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.18894: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 939649315, subkey aes256-cts/856B, session key aes256-cts/12F8
[3245] 1497647877.21531: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.22356: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.22837: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.23554: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.24732: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.25873: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.26716: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.27580: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 659542849, subkey aes256-cts/B1BE, session key aes256-cts/12F8
[3245] 1497647877.30655: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.31257: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.32269: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.33059: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.34998: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.36096: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.37374: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.38330: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.39290: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.40250: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 153099589, subkey aes256-cts/0A6F, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
root@serveur:~# KRB5_TRACE=/dev/stderr ssh cino@service.domain1.com
[3246] 1497648013.175041: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.176195: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.177479: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.178534: Got service principal host/service.domain1.com@DOMAIN1.COM
[3246] 1497648013.180581: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3246] 1497648013.181450: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.182644: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.183646: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 129967800, subkey aes256-cts/9DD3, session key aes256-cts/12F8
[3246] 1497648013.186798: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.187755: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.188688: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.189538: Got service principal host/service.domain1.com@DOMAIN1.COM
[3246] 1497648013.191398: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3246] 1497648013.192413: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.193213: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.193902: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 677410347, subkey aes256-cts/68E8, session key aes256-cts/12F8
[3246] 1497648013.205078: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.205925: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.206798: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.207563: Got service principal host/service.domain1.com@DOMAIN1.COM
[3246] 1497648013.209470: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3246] 1497648013.210417: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.211581: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.212439: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 861925756, subkey aes256-cts/98D2, session key aes256-cts/12F8
[3246] 1497648013.215834: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.216843: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.217668: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.218556: Got service principal host/service.domain1.com@DOMAIN1.COM
[3246] 1497648013.220170: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3246] 1497648013.221222: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.223726: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.225599: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.226620: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.227622: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 863206980, subkey aes256-cts/C999, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
root@serveur:~#
root@serveur:~# KRB5_TRACE=/dev/stderr ssh cino@service.domain1.com
[3247] 1497648035.21901: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.23067: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.23959: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.24877: Got service principal host/service.domain1.com@DOMAIN1.COM
[3247] 1497648035.26508: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3247] 1497648035.27221: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.27912: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.29305: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 606448502, subkey aes256-cts/6E0C, session key aes256-cts/12F8
[3247] 1497648035.31816: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.32380: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.33263: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.34218: Got service principal host/service.domain1.com@DOMAIN1.COM
[3247] 1497648035.35855: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3247] 1497648035.36965: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.37922: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.38553: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 516620040, subkey aes256-cts/E0E2, session key aes256-cts/12F8
[3247] 1497648035.41143: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.41700: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.42167: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.42924: Got service principal host/service.domain1.com@DOMAIN1.COM
[3247] 1497648035.44068: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3247] 1497648035.45042: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.45684: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.46516: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 486648660, subkey aes256-cts/8D69, session key aes256-cts/12F8
[3247] 1497648035.49000: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.49568: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.50283: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.51067: Got service principal host/service.domain1.com@DOMAIN1.COM
[3247] 1497648035.53637: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3247] 1497648035.54829: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.55927: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.57525: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.58632: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.59519: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 844101250, subkey aes256-cts/A673, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
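In every KRB5_TRACE run above the client side of the GSSAPI exchange completes without a Kerberos error: it finds the host/service.domain1.com@DOMAIN1.COM ticket in its cache and builds an authenticator, and the rejection comes back from sshd. sshd can only accept that ticket if its keytab (normally /etc/krb5.keytab) holds a key for exactly that principal at the same key version number (kvno) the KDC used to issue the ticket; a missing principal or a stale kvno after the host key was re-exported are the usual reasons for a silent "Permission denied" with a perfectly valid-looking klist. The script below, added here as an example and not part of the original question or its comments, performs that comparison offline on constructed samples: the klist text is modeled on the output in the question, while the keytab listing (kvno 2), the `kvno` output (kvno 3) and the diagnose function are assumptions for illustration. On a real pair of machines you would feed it the actual output of `klist` and `kvno host/service.domain1.com` from the client and `klist -k -e /etc/krb5.keytab` from the server.

```shell
#!/bin/sh
# Added example: compare the service principal / kvno in the client's ticket
# with what the server's keytab holds. All inputs below are constructed samples.

# Constructed: `klist` on the client, modeled on the output in the question.
CLIENT_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cino@DOMAIN1.COM

Valid starting       Expires              Service principal
06/16/2017 18:10:12  06/17/2017 04:10:12  krbtgt/DOMAIN1.COM@DOMAIN1.COM
        renew until 06/17/2017 18:10:10
06/16/2017 18:13:53  06/17/2017 04:10:12  host/service.domain1.com@DOMAIN1.COM
        renew until 06/17/2017 18:10:10'

# Constructed: `klist -k -e /etc/krb5.keytab` on the server (assumed kvno 2).
SERVER_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/service.domain1.com@DOMAIN1.COM (aes256-cts-hmac-sha1-96)
   2 host/service.domain1.com@DOMAIN1.COM (aes128-cts-hmac-sha1-96)'

# Constructed: `kvno host/service.domain1.com` on the client (assumed kvno 3,
# i.e. the KDC has a newer key than the keytab, a classic cause of rejection).
CLIENT_KVNO='host/service.domain1.com@DOMAIN1.COM: kvno = 3'

# Print the host/ service principals the client holds tickets for ($1 = klist text).
client_service_principals() {
  printf '%s\n' "$1" | awk '$NF ~ /^host\// { print $NF }'
}

# Print "kvno principal" pairs from a klist -k listing ($1 = keytab text).
keytab_entries() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1, $2 }'
}

# Exit 0 if principal $2 has at least one key in keytab listing $1.
keytab_has_principal() {
  keytab_entries "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# Print the kvno reported by `kvno` output ($1).
ticket_kvno() {
  printf '%s\n' "$1" | awk '{ print $NF }'
}

# Print the distinct kvno(s) the keytab ($1) holds for principal $2, space separated.
keytab_kvnos() {
  keytab_entries "$1" | awk -v p="$2" \
    '$2 == p && !seen[$1]++ { out = out (out ? " " : "") $1 } END { print out }'
}

# Exit 0 if keytab $1 has a key for principal $2 at the kvno in `kvno` output $3.
kvno_matches() {
  want=$(ticket_kvno "$3")
  keytab_entries "$1" | awk -v p="$2" -v k="$want" \
    '$2 == p && $1 == k { ok = 1 } END { exit !ok }'
}

# Check every host/ ticket the client holds against the server keytab.
# Returns 0 only when each principal is present with a matching kvno.
# (CLIENT_KVNO covers the single principal in the sample; run `kvno` once per
# principal when there are several.)
diagnose() {
  rc=0
  for p in $(client_service_principals "$CLIENT_KLIST"); do
    if ! keytab_has_principal "$SERVER_KEYTAB" "$p"; then
      echo "MISSING: $p has no key in the server keytab (re-export the host keytab on the KDC)"
      rc=1
      continue
    fi
    if kvno_matches "$SERVER_KEYTAB" "$p" "$CLIENT_KVNO"; then
      echo "OK: $p present in keytab with matching kvno"
    else
      echo "KVNO MISMATCH for $p: ticket kvno $(ticket_kvno "$CLIENT_KVNO"), keytab kvno(s) $(keytab_kvnos "$SERVER_KEYTAB" "$p")"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run against the constructed samples (reports KVNO MISMATCH, status 1).
diagnose || echo "diagnose exit status: $?"
</test>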

Silakan kirim output dari KRB5_TRACE=/dev/stderr ssh ....dari klien dan klist -kdi server.
grawity

maaf tapi saya tidak mengerti pertanyaan Anda..bisakah Anda menjelaskannya lebih lanjut?
user739435

Saya punya jawaban untuk pertanyaan Anda
user739435

Bagaimana Anda mengatasinya?
Balaji Boggaram Ramanarayan
Dengan menggunakan situs kami, Anda mengakui telah membaca dan memahami Kebijakan Cookie dan Kebijakan Privasi kami.
Licensed under cc by-sa 3.0 with attribution required.