Unable to connect to my server with SSH Kerberos auth on OSX 10.7

I just upgraded my Mac OS to 10.7 Lion. It worked fine before. But now only kinit works properly; I cannot ssh to my server.

After reinstalling "Mac OS X Kerberos Extras", things did not get any better.

My command:

ssh [email protected] -v

......

debug1: Authentications that can continue: gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1:  Miscellaneous failure (see text)
UNKNOWN_SERVER while looking up 'host/[email protected]' (cached result, timeout in 1200 sec)

debug1:  An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14

debug1: Authentications that can continue: gssapi-with-mic,password
debug1:  An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5

debug1: Next authentication method: password
[email protected]'s password:

Answer 1

Do you have the following two lines in your ~/.ssh/config file or in /etc/ssh_config?

GSSAPIAuthentication yes
GSSAPITrustDNS yes

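The first is required to enable GSSAPI (Kerberos) authentication. The second is required to make ssh canonicalize the host name through DNS and use the canonical name to obtain the host service ticket. Without the second, ssh uses the exact host name or IP address typed on the command line when it tries to obtain the host service ticket, which fails in this case: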

UNKNOWN_SERVER while looking up 'host/[email protected]'

The actual name of the principal is usually "host/hostname.domain@REALM", not an IP address. Of course, you need reverse DNS set up correctly for this to work.

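It seems that OS X is unable to detect the correct realm name to use and tries to use the IP address instead (the '@3.18.211' part). Do you have the correct DNS TXT and SRV records set up for the realm and the KDC? If not, you need to enter the default realm and the KDC address manually in /etc/krb5.conf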
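The principal selection described in this answer, modeled as an added example that is not part of the original answer and not OpenSSH code. The DNS tables, the realm mapping and the names svn.example.com, 192.0.2.10 and EXAMPLE.COM are constructed, and the lookup logic is a simplified assumption of what ssh and the Kerberos library do.

```python
import ipaddress

# Constructed stand-ins for DNS and krb5.conf data (assumptions, not from the post).
FORWARD = {"svn": "svn.example.com", "svn.example.com": "svn.example.com"}
REVERSE = {"192.0.2.10": "svn.example.com"}      # PTR records
DOMAIN_REALM = {".example.com": "EXAMPLE.COM"}   # like [domain_realm] in krb5.conf


def is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def canonicalize(target):
    """PTR lookup for an IP address, canonical name for a host name; None if absent."""
    if is_ip(target):
        return REVERSE.get(target)
    return FORWARD.get(target.lower())


def realm_for(name, default_realm=None):
    """Longest matching domain suffix wins, otherwise the default realm."""
    for suffix in sorted(DOMAIN_REALM, key=len, reverse=True):
        if name.lower().endswith(suffix):
            return DOMAIN_REALM[suffix]
    return default_realm


def host_principal(target, trust_dns, default_realm=None):
    """Return (principal, problems) for the host service ticket ssh would request."""
    problems = []
    name = target
    if trust_dns:  # models GSSAPITrustDNS yes
        canon = canonicalize(target)
        if canon is None:
            problems.append("no canonical DNS name for %s" % target)
        else:
            name = canon
    if is_ip(name):
        problems.append("principal is built from an IP address, not a host name")
    realm = realm_for(name, default_realm)
    if realm is None:
        problems.append("no realm found; set a default realm in /etc/krb5.conf")
    return "host/%s@%s" % (name, realm or "?"), problems
```

Calling `host_principal("192.0.2.10", trust_dns=False)` returns `host/192.0.2.10@?` with two problems, while `trust_dns=True` returns `host/svn.example.com@EXAMPLE.COM` with none.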

Answer 2

I got these errors when connecting to CentOS, but not when connecting to Fedora. Solved by changing my user to the full userPrincipalName instead of the short name on OS X.

~/.ssh/config:

Host svn saturnus.lan
User [email protected]

SSH unknown mech-code errors:

debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1:  An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1:  An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5

debug2: we did not send a packet, disable method
