ssh with Kerberos: Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

I have configured Kerberos 5. I have also configured ssh2. Then I tried to authenticate with a Kerberos user on the remote host. When the user tries to connect to the remote host with the following command:

ssh -v username@hostname

  1. The user receives a ticket from the KDC.
  2. The user also receives a second ticket from the TGS (KDC).

But ssh2 rejects the ticket presented by the user. Here is the error message:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

But when I run klist I do get a ticket. Here are my configuration files:

I have tried every solution I found on various forums on the Internet, but the error persists. The solution looks simple, but I cannot find it.

Server-side configuration:

/etc/ssh/sshd_config

# Kerberos options
KerberosAuthentication yes

# GSSAPI options
GSSAPIAuthentication yes

Client-side configuration:

/etc/ssh/ssh_config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Output of ssh:

OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to service.domain1.com [192.168.100.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 1b:02:94:ac:a8:a1:ef:75:1e:8a:de:92:fa:68:f6:12
debug1: Host 'service.domain1.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

I also got the ticket:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
06/16/2017 18:10:12  06/17/2017 04:10:12  krbtgt/[email protected]
        renew until 06/17/2017 18:10:10

06/16/2017 18:13:53  06/17/2017 04:10:12  host/[email protected]
        renew until 06/17/2017 18:10:10

Output of KRB5_TRACE=/dev/stderr ssh [email protected]:

[3245] 1497647877.815: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.1505: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.3495: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.4603: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.6417: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.7386: Getting credentials [email protected] -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.8081: Retrieving [email protected] -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.9362: Creating authenticator for [email protected] -> host/service.domain1.com@DOMAIN1.COM, seqnum 453361358, subkey aes256-cts/0C76, session key aes256-cts/12F8
[3245] 1497647877.12213: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.13206: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.13734: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.14470: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.15943: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.17024: Getting credentials [email protected] -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.18005: Retrieving [email protected] -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.18894: Creating authenticator for [email protected] -> host/service.domain1.com@DOMAIN1.COM, seqnum 939649315, subkey aes256-cts/856B, session key aes256-cts/12F8
[3245] 1497647877.21531: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.22356: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.22837: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.23554: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.24732: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.25873: Getting credentials [email protected] -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.26716: Retrieving [email protected] -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.27580: Creating authenticator for [email protected] -> host/service.domain1.com@DOMAIN1.COM, seqnum 659542849, subkey aes256-cts/B1BE, session key aes256-cts/12F8
[3245] 1497647877.30655: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.31257: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.32269: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.33059: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.34998: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.36096: Getting credentials [email protected] -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.37374: Retrieving [email protected] -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.38330: Getting credentials [email protected] -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.39290: Retrieving [email protected] -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.40250: Creating authenticator for [email protected] -> host/service.domain1.com@DOMAIN1.COM, seqnum 153099589, subkey aes256-cts/0A6F, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
root@serveur:~# KRB5_TRACE=/dev/stderr ssh [email protected]
[3246] 1497648013.175041: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.176195: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.177479: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.178534: Got service principal host/[email protected]
[3246] 1497648013.180581: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3246] 1497648013.181450: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.182644: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.183646: Creating authenticator for [email protected] -> host/[email protected], seqnum 129967800, subkey aes256-cts/9DD3, session key aes256-cts/12F8
[3246] 1497648013.186798: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.187755: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.188688: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.189538: Got service principal host/[email protected]
[3246] 1497648013.191398: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3246] 1497648013.192413: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.193213: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.193902: Creating authenticator for [email protected] -> host/[email protected], seqnum 677410347, subkey aes256-cts/68E8, session key aes256-cts/12F8
[3246] 1497648013.205078: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.205925: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.206798: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.207563: Got service principal host/[email protected]
[3246] 1497648013.209470: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3246] 1497648013.210417: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.211581: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.212439: Creating authenticator for [email protected] -> host/[email protected], seqnum 861925756, subkey aes256-cts/98D2, session key aes256-cts/12F8
[3246] 1497648013.215834: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.216843: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.217668: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.218556: Got service principal host/[email protected]
[3246] 1497648013.220170: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3246] 1497648013.221222: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.223726: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.225599: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.226620: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.227622: Creating authenticator for [email protected] -> host/[email protected], seqnum 863206980, subkey aes256-cts/C999, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
root@serveur:~#
root@serveur:~# KRB5_TRACE=/dev/stderr ssh [email protected]
[3247] 1497648035.21901: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.23067: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.23959: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.24877: Got service principal host/[email protected]
[3247] 1497648035.26508: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3247] 1497648035.27221: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.27912: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.29305: Creating authenticator for [email protected] -> host/[email protected], seqnum 606448502, subkey aes256-cts/6E0C, session key aes256-cts/12F8
[3247] 1497648035.31816: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.32380: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.33263: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.34218: Got service principal host/[email protected]
[3247] 1497648035.35855: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3247] 1497648035.36965: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.37922: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.38553: Creating authenticator for [email protected] -> host/[email protected], seqnum 516620040, subkey aes256-cts/E0E2, session key aes256-cts/12F8
[3247] 1497648035.41143: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.41700: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.42167: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.42924: Got service principal host/[email protected]
[3247] 1497648035.44068: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3247] 1497648035.45042: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.45684: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.46516: Creating authenticator for [email protected] -> host/[email protected], seqnum 486648660, subkey aes256-cts/8D69, session key aes256-cts/12F8
[3247] 1497648035.49000: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.49568: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.50283: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.51067: Got service principal host/[email protected]
[3247] 1497648035.53637: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3247] 1497648035.54829: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.55927: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.57525: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.58632: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.59519: Creating authenticator for [email protected] -> host/[email protected], seqnum 844101250, subkey aes256-cts/A673, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
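An added example, not code from the question or from OpenSSH or MIT Kerberos: it parses KRB5_TRACE output of the shape pasted above and reports what the client side proves, namely that every ticket lookup succeeded and each authenticator was built from the same service ticket (same session key), so the denial is decided by sshd, whose own debug output (sshd -d) and host keytab are the next things to inspect. The sample lines are constructed here with a made-up client principal and PID.

```python
import re

# Constructed sample, modelled on the KRB5_TRACE lines in the question.
# Client principal "user@DOMAIN1.COM" and PID are made up for this example.
SAMPLE_TRACE = """\
[3246] 1497648013.178534: Got service principal host/service.domain1.com@DOMAIN1.COM
[3246] 1497648013.181450: Getting credentials user@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.182644: Retrieving user@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.183646: Creating authenticator for user@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 129967800, subkey aes256-cts/9DD3, session key aes256-cts/12F8
[3246] 1497648013.189538: Got service principal host/service.domain1.com@DOMAIN1.COM
[3246] 1497648013.192413: Getting credentials user@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.193213: Retrieving user@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.193902: Creating authenticator for user@DOMAIN1.COM -> host/service.domain1.com@DOMAIN1.COM, seqnum 677410347, subkey aes256-cts/68E8, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
"""

# "[pid] seconds.micros: message" is the KRB5_TRACE line layout.
TRACE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (?P<msg>.*)$")
RETRIEVE_RE = re.compile(r"Retrieving (\S+) -> (\S+) from (\S+) with result: (-?\d+)/(.*)$")
AUTH_RE = re.compile(r"Creating authenticator for (\S+) -> (\S+), seqnum (\d+), subkey (\S+), session key (\S+)")


def parse_trace(text):
    """Collect the credential lookups and authenticators the client produced."""
    summary = {"retrievals": [], "authenticators": [], "denied": False}
    for line in text.splitlines():
        if line.startswith("Permission denied"):
            summary["denied"] = True   # ssh's final verdict, printed by the client
            continue
        m = TRACE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        r = RETRIEVE_RE.search(msg)
        if r:   # ccache lookup for the host/ service ticket
            summary["retrievals"].append(
                {"client": r.group(1), "server": r.group(2), "ccache": r.group(3),
                 "code": int(r.group(4)), "status": r.group(5)})
            continue
        a = AUTH_RE.search(msg)
        if a:   # AP-REQ authenticator built from that ticket
            summary["authenticators"].append(
                {"client": a.group(1), "server": a.group(2), "seqnum": int(a.group(3)),
                 "subkey": a.group(4), "session_key": a.group(5)})
    return summary


def diagnose(summary):
    """Name the side to look at next, using only what the client trace shows."""
    failed = [r for r in summary["retrievals"] if r["code"] != 0]
    if failed:
        return "client: %s" % failed[0]["status"]
    if not summary["authenticators"]:
        return "client: no authenticator built"
    if summary["denied"]:
        keys = {a["session_key"] for a in summary["authenticators"]}
        return "server: %d authenticator(s) sent with session key %s; check sshd -d and the host keytab" % (
            len(summary["authenticators"]), ",".join(sorted(keys)))
    return "ok"
```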
