Archive: March 2005 ml@sikurezza.org
Subject: [ml] ssh+kerberos
From: xpicio
Date: Tue, 15 Mar 2005 16:49:56 +0100 (CET)
I installed Kerberos on a PC [superman] (it works: it authenticates my
users, and mod_auth_kerb with Apache works too) and I have some trouble
with the ssh server's authentication. This PC's distro is a RH 9, but the
ssh server (3.6.1p2) I took from an FC1 and recompiled with the gssapi
extension. On superman I configured the principal for the ssh service
"host/superman.xbedroom.org@xxxxxxxxxxxx" and put the keys in the
/etc/krb5.keytab file, again on superman.

The problem is the following: if I start an ssh session from a client
host [spidey] it asks me for the password and does not authenticate me
automatically. Whereas if I start an ssh session from superman to itself,
it lets me in without a password.

Analysing the ssh logs I noticed a small difference between the two
attempts:

log spidey->superman
[root@superman root]# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_3.6.1p2
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 192.168.1.1.
Server listening on 192.168.1.1 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.1.3 port 32911
debug1: Client protocol version 2.0; client software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: GSSAPI mechanism Kerberos (gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==) supported
debug1: GSSAPI mechanism Kerberos (gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==) supported
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user xpicio service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "xpicio"
debug1: PAM setting rhost to "spidey.xbedroom.org"
Failed none for xpicio from 192.168.1.3 port 32911 ssh2

here it asks me for the password

log superman->superman
[root@superman root]# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_3.6.1p2
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 192.168.1.1.
Server listening on 192.168.1.1 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.1.1 port 1047
debug1: Client protocol version 2.0; client software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: GSSAPI mechanism Kerberos (gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==) supported
debug1: GSSAPI mechanism Kerberos (gss-group1-sha1-Se3H81ismmOC3OE+FwYCiQ==) supported
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: using GSSAPI mechanism Kerberos (gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==)
debug1: Wait SSH2_MSG_GSSAPI_INIT
debug1: Got no client credentials
debug1: gss_complete
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user xpicio service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "xpicio"
debug1: PAM setting rhost to "superman.xbedroom.org"
Failed none for xpicio from 192.168.1.1 port 1047 ssh2
debug1: userauth-request for user xpicio service ssh-connection method external-keyx
debug1: attempt 1 failures 1
Authorized to xpicio, krb5 principal xpicio@xxxxxxxxxxxx (krb5_kuserok)
Accepted gssapi for xpicio from 192.168.1.1 port 1047 ssh2
debug1: monitor_child_preauth: xpicio has been authenticated by privileged process
Accepted external-keyx for xpicio from 192.168.1.1 port 1047 ssh2

The substantial difference is that in the superman->superman session
"debug1: using GSSAPI mechanism Kerberos (gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==)"
appears, which does not appear in the other session.

As for the parameters in sshd_config, I used:
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

GssapiAuthentication yes
GssapiKeyExchange yes

Suggestions?

Bye Bye

PS: as base documentation I used "single sign on con kerberos e ldap" and a
couple of articles in Linux&C and Red Hat Magazine.

Attachment: signature.asc
Description: This part of the message is signed
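As an added illustration (not part of the original post), a Python script that reduces the two sshd -d transcripts above to the facts that decide whether the Kerberos ticket was used: which GSSAPI key-exchange mechanism (if any) was negotiated, which userauth methods were tried, and which were accepted. The embedded log excerpts are the post's own lines, trimmed; the function names summarize and explain are this example's own.

```python
import re

# Trimmed excerpts of the two "sshd -d" transcripts quoted in the post
# (wrapped lines rejoined); the full logs are in the message above.
SPIDEY_TO_SUPERMAN = """\
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: KEX done
debug1: userauth-request for user xpicio service ssh-connection method none
Failed none for xpicio from 192.168.1.3 port 32911 ssh2
"""
SUPERMAN_TO_SUPERMAN = """\
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: using GSSAPI mechanism Kerberos (gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==)
debug1: Wait SSH2_MSG_GSSAPI_INIT
debug1: KEX done
debug1: userauth-request for user xpicio service ssh-connection method none
Failed none for xpicio from 192.168.1.1 port 1047 ssh2
debug1: userauth-request for user xpicio service ssh-connection method external-keyx
Accepted gssapi for xpicio from 192.168.1.1 port 1047 ssh2
Accepted external-keyx for xpicio from 192.168.1.1 port 1047 ssh2
"""

KEX_RE = re.compile(r"using GSSAPI mechanism \S+ \((gss-[\w+/=-]+)\)")
REQ_RE = re.compile(r"userauth-request for user \S+ service \S+ method (\S+)")
AUTH_RE = re.compile(r"^(Accepted|Failed) (\S+) for (\S+) from (\S+) port (\d+)")

def summarize(log_text):
    """Reduce an sshd -d transcript to: the GSSAPI kex mechanism negotiated
    (None if the client never offered a ticket), the userauth methods the
    client tried, and the methods sshd accepted or failed."""
    s = {"gssapi_kex": None, "tried": [], "accepted": [], "failed": []}
    for line in log_text.splitlines():
        if m := KEX_RE.search(line):
            s["gssapi_kex"] = m.group(1)
        elif m := REQ_RE.search(line):
            s["tried"].append(m.group(1))
        elif m := AUTH_RE.match(line):
            s[m.group(1).lower()].append(m.group(2))
    return s

def explain(summary):
    """One-line verdict on the difference the poster is chasing."""
    if summary["gssapi_kex"] is None:
        return "no GSSAPI key exchange negotiated: the client offered no ticket"
    if "external-keyx" in summary["accepted"]:
        return "logged in through GSSAPI key exchange (external-keyx)"
    return "GSSAPI key exchange negotiated but no GSSAPI login accepted"
```

Run it over the two transcripts and only the superman->superman session reports a negotiated mechanism, which points the investigation at the client side (spidey) rather than at the sshd_config on superman.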
www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005