I set up Kerberos 5. I also set up ssh2. Then I tried to authenticate with a Kerberos user on a remote machine. When the user ran the following command to connect to the remote host:
ssh -v username@hostname
- The user obtained a ticket from the KDC.
- The user also obtained a second ticket from the TGS (KDC).
But ssh2 rejected the ticket presented by the user. This is the error message:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
But when I run klist
I do get the ticket.
These are my configuration files:
I have tried every solution I found on the Internet on various forums, but the error is still there. The solution seems simple, but I cannot find it.
Server-side configuration:
/etc/ssh/sshd_config
# Kerberos options
KerberosAuthentication yes
# GSSAPI options
GSSAPIAuthentication yes
Client-side configuration:
/etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Output of ssh -v
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to service.domain1.com [192.168.100.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 1b:02:94:ac:a8:a1:ef:75:1e:8a:de:92:fa:68:f6:12
debug1: Host 'service.domain1.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
and I also get the ticket:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cino@DOMAIN1.COM
Valid starting Expires Service principal
06/16/2017 18:10:12 06/17/2017 04:10:12 krbtgt/DOMAIN1.COM@DOMAIN1.COM
renew until 06/17/2017 18:10:10
06/16/2017 18:13:53 06/17/2017 04:10:12 host/service.domain1.com@DOMAIN1.COM
renew until 06/17/2017 18:10:10
Output of KRB5_TRACE=/dev/stderr ssh cino@service.domain1.com
[3245] 1497647877.815: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.1505: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.3495: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.4603: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.6417: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.7386: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.8081: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.9362: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 453361358, subkey aes256-cts/0C76, session key aes256-cts/12F8
[3245] 1497647877.12213: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.13206: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.13734: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.14470: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.15943: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.17024: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.18005: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.18894: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 939649315, subkey aes256-cts/856B, session key aes256-cts/12F8
[3245] 1497647877.21531: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.22356: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.22837: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.23554: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.24732: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.25873: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.26716: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.27580: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 659542849, subkey aes256-cts/B1BE, session key aes256-cts/12F8
[3245] 1497647877.30655: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.31257: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.32269: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.33059: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.34998: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal cino@DOMAIN1.COM for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.36096: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.37374: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.38330: Getting credentials cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.39290: Retrieving cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.40250: Creating authenticator for cino@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 153099589, subkey aes256-cts/0A6F, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
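As an added example (not code from the original question), a small POSIX shell diagnostic for the situation above: the client side clearly obtains the service ticket, so the remaining things to verify are that the server keytab holds a key for that exact principal (host/<fqdn>@REALM) and that sshd_config really enables GSSAPIAuthentication. The hostname and realm are the question's; the klist, keytab and sshd_config text is constructed, and the sample keytab deliberately lacks the principal so the failing check is visible.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the original question. gssapi-with-mic
# succeeds only when the client's service ticket, the server's keytab and sshd's
# configuration agree; these checks take command output as text so they also run
# on copied logs. Sample inputs are constructed from the question's names.

# expected_principal FQDN REALM -> host/FQDN@REALM, as requested in KRB5_TRACE
expected_principal() {
    printf 'host/%s@%s' "$1" "$2"
}

# keytab_has_principal PRINCIPAL "<klist -k output from the server>": 0 if the
# keytab holds a key for it; without one sshd cannot decrypt the client's AP-REQ
keytab_has_principal() {
    printf '%s\n' "$2" |
        awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { f = 1 } END { exit f ? 0 : 1 }'
}

# ccache_has_service PRINCIPAL "<klist output from the client>": 0 if the client
# already holds a service ticket for it (the client side is then fine)
ccache_has_service() {
    printf '%s\n' "$2" | grep -q -F -- "$1"
}

# sshd_allows_gssapi "<sshd_config text>": 0 if the first uncommented
# GSSAPIAuthentication is "yes"; sshd keeps the first match, later ones are ignored
sshd_allows_gssapi() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "gssapiauthentication" { seen = 1; ok = (tolower($2) == "yes"); exit }
        END { exit (seen && ok) ? 0 : 1 }'
}

# diagnose FQDN REALM "<klist -k>" "<klist>" "<sshd_config>": one line per check,
# returns the number of failed checks
diagnose() {
    p=$(expected_principal "$1" "$2"); fails=0
    ccache_has_service "$p" "$4" && echo "ok: client holds a ticket for $p" ||
        { echo "FAIL: no service ticket for $p in the client cache"; fails=$((fails + 1)); }
    keytab_has_principal "$p" "$3" && echo "ok: server keytab has $p" ||
        { echo "FAIL: $p missing from the server keytab (klist -k; check realm, hostname, kvno)"; fails=$((fails + 1)); }
    sshd_allows_gssapi "$5" && echo "ok: sshd_config enables GSSAPIAuthentication" ||
        { echo "FAIL: GSSAPIAuthentication is not yes in sshd_config"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed samples: the client cache and sshd_config from the question, plus a
# server keytab that only holds a key for another host (one plausible cause).
SAMPLE_CCACHE='Default principal: cino@DOMAIN1.COM
06/16/2017 18:13:53  06/17/2017 04:10:12  host/service.domain1.com@DOMAIN1.COM'
SAMPLE_KEYTAB='KVNO Principal
   2 host/other.domain1.com@DOMAIN1.COM'
SAMPLE_SSHD='KerberosAuthentication yes
GSSAPIAuthentication yes'
diagnose service.domain1.com DOMAIN1.COM "$SAMPLE_KEYTAB" "$SAMPLE_CCACHE" "$SAMPLE_SSHD"
```

To run it against a live host, feed it `klist -k` from the server, `klist` from the client and the contents of /etc/ssh/sshd_config instead of the samples.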