我有一台 Ubuntu 服务器作为域控制器 ( domain.local) 和一台 Ubuntu VM ( ubu1) 作为工作站。我想ubu1使用 keytab 文件通过 Kerberose ssh 进入 VM。
为此,我在ubu1虚拟机中设置了 OpenSSH。我在 中启用了以下选项/etc/ssh/sshd_config。
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
我的 PAM 配置如下所示 - /etc/pam.d/common-session(我将sssd其用作客户端软件)
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_mkhomedir.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
我还向域中添加了一个名为 的用户[email protected]。
samba-tool user add user Password123!
我确保可以ubu1使用此用户和密码对虚拟机进行身份验证。我可以通过以下命令执行此操作。
ssh DOMAIN\\[email protected]
然后我使用以下命令为用户创建了一个 keytab 文件。
sudo samba-tool user setexpiry user --noexpiry
sudo samba-tool domain exportkeytab [email protected]
然后我将 keytab 文件传输到我的笔记本电脑并将其导出为票证。
kinit -kt user.keytab '[email protected]'
但是当我尝试使用带有选项的 ssh 登录时-K,它仍然要求我输入密码。
这是输出klist -kte user.keytab
Keytab name: FILE:user.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 16/01/24 16:56:08 [email protected] (aes256-cts-hmac-sha1-96)
2 16/01/24 16:56:08 [email protected] (aes128-cts-hmac-sha1-96)
2 16/01/24 16:56:08 [email protected] (DEPRECATED:arcfour-hmac)
-K这是我尝试使用选项进行 ssh 时的输出
ssh -K UNINTENDED\\[email protected] -vv
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected]=<0>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /home/kavi/.ssh/id_rsa RSA SHA256:OZgEf/sHKxJPl3YiHxT97//bPr6B7cWu2GXyDC/IySI
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /home/kavi/.ssh/id_ecdsa
debug1: Trying private key: /home/kavi/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/kavi/.ssh/id_ed25519
debug1: Trying private key: /home/kavi/.ssh/id_ed25519_sk
debug1: Trying private key: /home/kavi/.ssh/id_xmss
debug1: Trying private key: /home/kavi/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
当我打开调试模式运行 SSH 服务器时,我得到这样的输出:
sudo /usr/sbin/sshd -d -e -p 22 -o LogLevel=DEBUG3
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_8.9, OpenSSL 3.0.2 15 Mar 2022
debug1: private host key #0: ssh-rsa SHA256:FSr38+G3yHidz7/+nvBXpSZE5haof21lk9bAOjlHoQA
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:VbS3sSjzQtMx3fnFBv+wI189MJRz/aCXlnrFf+TjBec
debug1: private host key #2: ssh-ed25519 SHA256:++SuiiJ+ZwG7d5q6fb9KqhQRx1gGhVOfGR24bbTuipg
debug1: inetd sockets after dupping: 3, 3
Connection from 10.10.10.12 port 52520 on 10.10.10.12 port 22 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.3
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.3 pat OpenSSH* compat 0x04000000
debug1: permanently_set_uid: 106/65534 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ssh-ed25519 [preauth]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user DOMAIN//user service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
Invalid user DOMAIN from 10.10.10.12 port 52520
debug1: PAM: initializing for "DOMAIN"
debug1: PAM: setting PAM_RHOST to "10.10.10.12"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user DOMAIN//user service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth-request for user DOMAIN//user service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: userauth-request for user DOMAIN//user service ssh-connection method publickey [preauth]
debug1: attempt 3 failures 1 [preauth]
debug1: userauth_pubkey: publickey test pkalg rsa-sha2-512 pkblob RSA SHA256:yQXcilI+8loowqgULAvqBtQyd34WMy2kk1Y1vIW59cg [preauth]
不知道为什么会发生这种情况。我已经阅读了一些基于相同场景的其他问题,如下所示。
不幸的是,没有什么能解决我的情况。仅供参考,我对 AD 还不太熟悉,对工作原理了解不多。所以如果我提到或做错了什么,我真的很想知道。如果我的方法不是通常/标准的方法,我希望有一个逐步的设置过程
答案1
该问题与 SSH 或 Kerberos 无关,我只需要向.k5login尝试登录的用户的主目录添加一个文件,并添加应该能够登录的用户的 SPN。
echo '[email protected]' > /home/[email protected]/.k5login
之后,我必须确保已将正确的 SPN 添加到数据库,在本例中为host/ubu1.domain.local。
samba-tool spn add host/ubu1.domain.local UBU1$
UBU1$ubu1在这种情况下,是计算机加入域时默认创建的计算机帐户。
之后,我就能使用票证正常登录了
ssh DOMAIN\\[email protected]