OpenSSH + Kerberos SSO: No key table entry found for host/localhost.localdomain

SSO is not working with OpenSSH – I have not been able to get GSSAPI authentication to work with Kerberos. Every time I try to log in, I am still asked for the password.

While troubleshooting, I started with a debug run here:

    [foster@kvm0007 ~]$ kinit
    Password for foster@MONZELL.COM:
    [foster@kvm0007 ~]$ ssh -p222 -K foster@kerberos.monzell.com -vvv
    OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    debug1: Reading configuration data /home/users/foster/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to kerberos.monzell.com [192.168.15.100] port 222.
    debug1: Connection established.
    debug1: identity file /home/users/foster/.ssh/identity type -1
    debug1: identity file /home/users/foster/.ssh/id_rsa type -1
    debug3: Not a RSA1 key file /home/users/foster/.ssh/id_dsa.
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug3: key_read: missing keytype
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug2: key_type_from_name: unknown key type '-----END'
    debug3: key_read: missing keytype
    debug1: identity file /home/users/foster/.ssh/id_dsa type 2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug3: Wrote 792 bytes for a total of 813
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug3: Wrote 24 bytes for a total of 837
    debug2: dh_gen_key: priv key bits set: 132/256
    debug2: bits set: 499/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: Wrote 144 bytes for a total of 981
    debug3: put_host_port: [192.168.15.100]:222
    debug3: put_host_port: [kerberos.monzell.com]:222
    debug3: check_host_in_hostfile: filename /home/users/foster/.ssh/known_hosts
    debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
    debug3: check_host_in_hostfile: filename /home/users/foster/.ssh/known_hosts
    debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
    debug1: checking without port identifier
    debug3: check_host_in_hostfile: filename /home/users/foster/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug3: check_host_in_hostfile: filename /home/users/foster/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug1: Host 'kerberos.monzell.com' is known and matches the RSA host key.
    debug1: Found key in /home/users/foster/.ssh/known_hosts:1
    debug1: found matching key w/out port
    debug2: bits set: 505/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: Wrote 16 bytes for a total of 997
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug3: Wrote 48 bytes for a total of 1045
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/users/foster/.ssh/identity ((nil))
    debug2: key: /home/users/foster/.ssh/id_rsa ((nil))
    debug2: key: /home/users/foster/.ssh/id_dsa (0x7fed559e5d30)
    debug3: Wrote 64 bytes for a total of 1109
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
    debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup gssapi-with-mic
    debug3: remaining preferred: publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-with-mic
    debug1: Next authentication method: gssapi-with-mic
    debug3: Trying to reverse map address 192.168.15.100.
    debug2: we sent a gssapi-with-mic packet, wait for reply
    debug3: Wrote 96 bytes for a total of 1205
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug2: we sent a gssapi-with-mic packet, wait for reply
    debug3: Wrote 96 bytes for a total of 1301
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug2: we sent a gssapi-with-mic packet, wait for reply
    debug3: Wrote 96 bytes for a total of 1397
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug2: we sent a gssapi-with-mic packet, wait for reply
    debug3: Wrote 96 bytes for a total of 1493
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/users/foster/.ssh/identity
    debug3: no such identity: /home/users/foster/.ssh/identity
    debug1: Trying private key: /home/users/foster/.ssh/id_rsa
    debug3: no such identity: /home/users/foster/.ssh/id_rsa
    debug1: Offering public key: /home/users/foster/.ssh/id_dsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug3: Wrote 528 bytes for a total of 2021
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    foster@kerberos.monzell.com's password:

As you can see, gssapi-with-mic is sent, but no reply ever comes back.

It turns out that this was what was being sent to the KDC:

    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
    debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
    debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: KEX done
    debug1: userauth-request for user foster service ssh-connection method none
    debug1: attempt 0 failures 0
    debug1: PAM: initializing for "foster"
    debug1: PAM: setting PAM_RHOST to "192.168.15.37"
    debug1: PAM: setting PAM_TTY to "ssh"
    debug1: userauth-request for user foster service ssh-connection method gssapi-with-mic
    debug1: attempt 1 failures 0
    debug1: Unspecified GSS failure.  Minor code may provide more information
    **No key table entry found for host/localhost.localdomain@MONZELL.COM**
    debug1: userauth-request for user foster service ssh-connection method gssapi-with-mic
    debug1: attempt 2 failures 0
    debug1: userauth-request for user foster service ssh-connection method gssapi-with-mic
    debug1: attempt 3 failures 0
    debug1: userauth-request for user foster service ssh-connection method gssapi-with-mic
    debug1: attempt 4 failures 0
    debug1: userauth-request for user foster service ssh-connection method publickey
    debug1: attempt 5 failures 0
    debug1: test whether pkalg/pkblob are acceptable
    debug1: temporarily_use_uid: 502/502 (e=0/0)
    debug1: trying public key file /home/users/foster/.ssh/authorized_keys
    debug1: restore_uid: 0/0
    debug1: temporarily_use_uid: 502/502 (e=0/0)
    debug1: trying public key file /home/users/foster/.ssh/authorized_keys2
    debug1: restore_uid: 0/0

Some research suggested there might be a problem with the hosts file, which I have as follows:

    [foster@sl6 ~]$ cat /etc/hosts
    127.0.0.1       localhost.localdomain localhost
    ::1             sl6 localhost6.localdomain6 localhost6
    192.168.15.100  kerberos.monzell.com kerberos
    192.168.15.100  monzell.com
    192.168.15.31   kvm0001.monzell.com kvm0001

I tried setting the hostname manually on the host, with no effect.

Here is the list of principals on the KDC:

    [root@sl6 ~]# kadmin.local
    Authenticating as principal rilindo/admin@MONZELL.COM with password.
    kadmin.local:  listprincs
    K/M@MONZELL.COM
    foster@MONZELL.COM
    host/kerberos.monzell.com@MONZELL.COM
    host/kvm0007.monzell.com@MONZELL.COM
    joe@MONZELL.COM
    kadmin/admin@MONZELL.COM
    kadmin/changepw@MONZELL.COM
    kadmin/sl6@MONZELL.COM
    krbtgt/MONZELL.COM@MONZELL.COM
    monzell@MONZELL.COM
    rilindo/admin@MONZELL.COM
    rilindo@MONZELL.COM

Kerberos does most of the authentication. The user directory lives in OpenLDAP. Both the client and the server run Scientific Linux 6.1; the client runs as a virtual machine on top of the server.

I can confirm that Kerberos works outside of OpenSSH, as shown here:

    [foster@kvm0007 ~]$ /usr/kerberos/bin/krsh -x -PN kerberos.monzell.com
    This rlogin session is encrypting all data transmissions.
    Last login: Sun Sep 25 21:18:20 from 192.168.15.37

The user(s) in question have the following ssh config file:

    [foster@sl6 ~]$ cat .ssh/config
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes

Which direction should I go from here?

EDIT: I knew I had forgotten to add something to this post. Here is the krb5.conf on the server:

    [root@sl6 ~]# cat /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = MONZELL.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     MONZELL.COM = {
      kdc = kerberos.monzell.com
      admin_server = kerberos.monzell.com
     }

    [domain_realm]
     .monzell.com = MONZELL.COM
     monzell.com = MONZELL.COM

And on the client:

    [rilindo@kvm0007 ~]$ cat /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = MONZELL.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     EXAMPLE.COM = {
      kdc = kerberos.example.com
      admin_server = kerberos.example.com
     }
     MONZELL.COM = {
      kdc = kerberos.monzell.com
      admin_server = kerberos.monzell.com
     }

    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
     monzell.com = MONZELL.COM
     .monzell.com = MONZELL.COM

One solution collected from the web for “OpenSSH + Kerberos SSO: No key table entry found for host/localhost.localdomain”

Could be a simple hostname problem or a domain mapping problem.
(It's probably the former, but for completeness, here are both.)

Hostname problem
hostname -f on kerberos.monzell.com
Should return: kerberos.monzell.com
Should not return: localhost.localdomain

Domain mapping problem
dig -t txt _kerberos.kerberos.monzell.com
dig -t txt _kerberos.monzell.com

If you don't want to use /etc/krb5.conf, these should return
<record> <ttl num> IN TXT "MONZELL.COM".

However, given the hosts file, that's probably not the case.
/etc/krb5.conf should contain either:

    [domain_realm]
     .monzell.com = MONZELL.COM

or

    [domain_realm]
     kerberos.monzell.com = MONZELL.COM
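The answer's first check, reproduced offline as an added shell example (not part of the original answer): it derives the service principal sshd's GSSAPI library will look up from the server's canonical host name and checks it against a keytab listing. The realm MONZELL.COM, the constructed `klist -kt` sample and the `expected_principal`/`keytab_has_principal`/`diagnose` helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original answer. sshd asks GSSAPI for the
# credential host@<canonical host name>, i.e. the keytab entry
# host/<fqdn>@REALM. A box that resolves itself as localhost.localdomain
# asks for a principal that was never created, so the GSSAPI method fails
# quietly and the client falls through to password authentication.

REALM="MONZELL.COM"   # realm from the question (assumed here)

# Constructed sample in the format of `klist -kt /etc/krb5.keytab`: only the
# host principal that exists on the KDC in the question.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------
   2 09/25/11 21:00:00 host/kerberos.monzell.com@MONZELL.COM'

# Principal sshd will look for, given the canonical host name in $1.
expected_principal() {
    printf 'host/%s@%s' "$1" "$REALM"
}

# Exit 0 if principal $2 is the last field of some line in listing $1.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Compare what sshd will look for ($1 = host name) against a keytab listing
# ($2); exit 0 on a match, 1 with a hint otherwise.
diagnose() {
    princ=$(expected_principal "$1")
    if keytab_has_principal "$2" "$princ"; then
        echo "OK: $princ is present in the keytab"
        return 0
    fi
    echo "MISMATCH: sshd will look for $princ, which is not in the keytab;"
    echo "          make 'hostname -f' return the FQDN (see /etc/hosts) or add that principal"
    return 1
}

# Offline demo: the second call reproduces the error from the question.
diagnose kerberos.monzell.com "$SAMPLE_KEYTAB_LISTING"
if ! diagnose localhost.localdomain "$SAMPLE_KEYTAB_LISTING"; then
    echo "(this is the failure seen in the sshd debug output above)"
fi

# Live check on a real server (assumes hostname(1) and MIT klist(1)):
#   diagnose "$(hostname -f)" "$(klist -kt /etc/krb5.keytab)"
```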
