Subject: ssh(d) with kerberos on NetBSD 2.0?
To: None <tech-security@NetBSD.org>
From: Hubert Feyrer <hubert@feyrer.de>
List: tech-security
Date: 09/19/2005 23:20:35

Kerberos newbie stuff ahead...

Following [1], I've set up Kerberos on NetBSD 2.0, and I can su(1) to my
test-account and use "telnet localhost" and get logged in without
password. Now I'd like to do the same with ssh. I have set
"KerberosAuthentication yes" and just for kicks "AFSTokenPassing yes" and
"KerberosTgtPassing yes" in /etc/ssh/sshd_config. Now I'm getting:

ktest@noon: {43} ssh localhost
Connection closed by ::1
ktest@noon: {44}

Not very exhaustive, running "ssh -v" gives:

...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive,kerberos-2@ssh.com
debug1: Next authentication method: kerberos-2@ssh.com
debug1: Authentications that can continue:
publickey,password,keyboard-interactive,kerberos-2@ssh.com
Connection closed by ::1
debug1: Calling cleanup 0x805cb1c(0x0)

Doesn't ring a bell for me either, so running "sshd -d -d -d" gives:

debug1: userauth-request for user ktest service ssh-connection method kerberos-2@ssh.com
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method kerberos-2@ssh.com
debug3: mm_auth_krb5 entering
debug3: mm_request_send entering: type 39
debug3: monitor_read: checking request 39
===> debug1: Kerberos v5 authentication failed: Decrypt integrity check failed
debug3: mm_request_send entering: type 40
debug2: monitor_read: 39 used once, disabling now
Failed kerberos for ktest from ::1 port 51303 ssh2
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 40
debug3: mm_request_receive entering
Failed kerberos-2@ssh.com for ktest from ::1 port 51303 ssh2
debug1: userauth-request for user ktest service ssh-connection method kerberos-2@ssh.com
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method kerberos-2@ssh.com
debug3: mm_auth_krb5 entering
debug3: mm_request_send entering: type 39
debug3: monitor_read: checking request 39
monitor_read: unpermitted request 39
debug1: Calling cleanup 0x80612f0(0x8090540)
debug1: krb5_cleanup_proc called
noon# debug3: mm_request_receive_expect entering: type 40
debug3: mm_request_receive entering
debug1: Calling cleanup 0x8066d40(0x0)

The only vaguely useful thing I see in there is "Kerberos v5
authentication failed: Decrypt integrity check failed", not that I have an
idea what that's supposed to be.

Do I have to add a separate principal for the ssh service in addition to
host/localhost and host/noon (the machine's name)?

Any clues?

 - Hubert

[1] http://www.netbsd.org/Documentation/network/#kerberos