I have configured Kerberos 5. I have also configured ssh2. Then I tried to authenticate remotely as a Kerberos user. When the user tries to connect to the remote host with the following command:
ssh -v username@hostname
- The user receives a ticket from the KDC.
- The user also receives a second ticket from the TGS (KDC).
But ssh2 rejects the ticket the user presents. This is the error message:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
But when I run klist
I do get a ticket. Here are my configuration files:
I have tried every solution I found on various forums on the internet, but the error persists. The solution looks simple, but I cannot find it.
Server-side configuration:
/etc/ssh/sshd_config
# Kerberos options
KerberosAuthentication yes
# GSSAPI options
GSSAPIAuthentication yes
Client-side configuration:
/etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Output of ssh:
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to service.domain1.com [192.168.100.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 1b:02:94:ac:a8:a1:ef:75:1e:8a:de:92:fa:68:f6:12
debug1: Host 'service.domain1.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
I also got the ticket:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
06/16/2017 18:10:12 06/17/2017 04:10:12 krbtgt/[email protected]
renew until 06/17/2017 18:10:10
06/16/2017 18:13:53 06/17/2017 04:10:12 host/[email protected]
renew until 06/17/2017 18:10:10
Output of KRB5_TRACE=/dev/stderr ssh [email protected]
[3245] 1497647877.815: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.1505: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.3495: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.4603: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.6417: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.7386: Getting credentials [email protected] -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.8081: Retrieving [email protected] -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.9362: Creating authenticator for [email protected] -> host/service.domain1.com@DOMAIN1.COM, seqnum 453361358, subkey aes256-cts/0C76, session key aes256-cts/12F8
[3245] 1497647877.12213: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.13206: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.13734: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.14470: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.15943: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.17024: Getting credentials [email protected] -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.18005: Retrieving [email protected] -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.18894: Creating authenticator for [email protected] -> host/service.domain1.com@DOMAIN1.COM, seqnum 939649315, subkey aes256-cts/856B, session key aes256-cts/12F8
[3245] 1497647877.21531: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.22356: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.22837: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.23554: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.24732: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.25873: Getting credentials [email protected] -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.26716: Retrieving [email protected] -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.27580: Creating authenticator for [email protected] -> host/service.domain1.com@DOMAIN1.COM, seqnum 659542849, subkey aes256-cts/B1BE, session key aes256-cts/12F8
[3245] 1497647877.30655: Convert service host (service with host as instance) on host service.domain1.com to principal
[3245] 1497647877.31257: Remote host after forward canonicalization: service.domain1.com
[3245] 1497647877.32269: Remote host after reverse DNS processing: service.domain1.com
[3245] 1497647877.33059: Got service principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.34998: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/service.domain1.com@DOMAIN1.COM
[3245] 1497647877.36096: Getting credentials [email protected] -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.37374: Retrieving [email protected] -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.38330: Getting credentials [email protected] -> host/service.domain1.com@DOMAIN1.COM using ccache FILE:/tmp/krb5cc_0
[3245] 1497647877.39290: Retrieving [email protected] -> host/service.domain1.com@DOMAIN1.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[3245] 1497647877.40250: Creating authenticator for [email protected] -> host/service.domain1.com@DOMAIN1.COM, seqnum 153099589, subkey aes256-cts/0A6F, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
root@serveur:~# KRB5_TRACE=/dev/stderr ssh [email protected]
[3246] 1497648013.175041: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.176195: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.177479: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.178534: Got service principal host/[email protected]
[3246] 1497648013.180581: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3246] 1497648013.181450: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.182644: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.183646: Creating authenticator for [email protected] -> host/[email protected], seqnum 129967800, subkey aes256-cts/9DD3, session key aes256-cts/12F8
[3246] 1497648013.186798: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.187755: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.188688: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.189538: Got service principal host/[email protected]
[3246] 1497648013.191398: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3246] 1497648013.192413: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.193213: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.193902: Creating authenticator for [email protected] -> host/[email protected], seqnum 677410347, subkey aes256-cts/68E8, session key aes256-cts/12F8
[3246] 1497648013.205078: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.205925: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.206798: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.207563: Got service principal host/[email protected]
[3246] 1497648013.209470: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3246] 1497648013.210417: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.211581: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.212439: Creating authenticator for [email protected] -> host/[email protected], seqnum 861925756, subkey aes256-cts/98D2, session key aes256-cts/12F8
[3246] 1497648013.215834: Convert service host (service with host as instance) on host service.domain1.com to principal
[3246] 1497648013.216843: Remote host after forward canonicalization: service.domain1.com
[3246] 1497648013.217668: Remote host after reverse DNS processing: service.domain1.com
[3246] 1497648013.218556: Got service principal host/[email protected]
[3246] 1497648013.220170: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3246] 1497648013.221222: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.223726: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.225599: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3246] 1497648013.226620: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3246] 1497648013.227622: Creating authenticator for [email protected] -> host/[email protected], seqnum 863206980, subkey aes256-cts/C999, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
root@serveur:~#
root@serveur:~# KRB5_TRACE=/dev/stderr ssh [email protected]
[3247] 1497648035.21901: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.23067: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.23959: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.24877: Got service principal host/[email protected]
[3247] 1497648035.26508: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3247] 1497648035.27221: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.27912: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.29305: Creating authenticator for [email protected] -> host/[email protected], seqnum 606448502, subkey aes256-cts/6E0C, session key aes256-cts/12F8
[3247] 1497648035.31816: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.32380: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.33263: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.34218: Got service principal host/[email protected]
[3247] 1497648035.35855: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3247] 1497648035.36965: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.37922: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.38553: Creating authenticator for [email protected] -> host/[email protected], seqnum 516620040, subkey aes256-cts/E0E2, session key aes256-cts/12F8
[3247] 1497648035.41143: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.41700: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.42167: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.42924: Got service principal host/[email protected]
[3247] 1497648035.44068: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3247] 1497648035.45042: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.45684: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.46516: Creating authenticator for [email protected] -> host/[email protected], seqnum 486648660, subkey aes256-cts/8D69, session key aes256-cts/12F8
[3247] 1497648035.49000: Convert service host (service with host as instance) on host service.domain1.com to principal
[3247] 1497648035.49568: Remote host after forward canonicalization: service.domain1.com
[3247] 1497648035.50283: Remote host after reverse DNS processing: service.domain1.com
[3247] 1497648035.51067: Got service principal host/[email protected]
[3247] 1497648035.53637: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal host/[email protected]
[3247] 1497648035.54829: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.55927: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.57525: Getting credentials [email protected] -> host/[email protected] using ccache FILE:/tmp/krb5cc_0
[3247] 1497648035.58632: Retrieving [email protected] -> host/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[3247] 1497648035.59519: Creating authenticator for [email protected] -> host/[email protected], seqnum 844101250, subkey aes256-cts/A673, session key aes256-cts/12F8
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
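The client trace above ends every run the same way: the client resolves the server to host/service.domain1.com@DOMAIN1.COM, retrieves a ticket for it from the cache and builds an authenticator, and only then is the login refused. sshd can verify that authenticator only if its keytab holds a key for exactly that principal (same hostname after canonicalization, same realm, same kvno as the ticket). The script below is an added example, not part of the question; it checks a `klist -ke` listing of the server keytab for that principal and reports which of the three failure shapes applies. The listing is constructed to mimic `klist -ke /etc/krb5.keytab` output on the server and is an assumption.

```shell
#!/bin/sh
# Added example, not from the question. Checks a `klist -ke` listing (the server's
# keytab contents) for the service principal the client trace resolved, and for an
# enctype family in it. The listing is CONSTRUCTED to mimic `klist -ke
# /etc/krb5.keytab` output; on a real server substitute "$(klist -ke /etc/krb5.keytab)".
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/service.domain1.com@DOMAIN1.COM (aes256-cts-hmac-sha1-96)
   3 host/service.domain1.com@DOMAIN1.COM (aes128-cts-hmac-sha1-96)
   2 host/service.domain1.com@DOMAIN1.COM (arcfour-hmac)'

# keytab_entries LISTING PRINCIPAL: print the keytab lines for one exact principal
keytab_entries() {
    printf '%s\n' "$1" | grep -F " $2 ("
}

# keytab_kvnos LISTING PRINCIPAL: distinct kvnos held for PRINCIPAL, space-separated
keytab_kvnos() {
    keytab_entries "$1" "$2" | awk '{print $1}' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# keytab_check LISTING PRINCIPAL ENCTYPE_PREFIX
#   returns 0: a key for PRINCIPAL whose enctype starts with ENCTYPE_PREFIX exists
#   returns 2: PRINCIPAL is in the keytab, but with no such enctype
#   returns 3: PRINCIPAL is absent (wrong hostname, wrong realm, or entry never added)
keytab_check() {
    entries=$(keytab_entries "$1" "$2") || { echo "missing: $2 is not in the keytab"; return 3; }
    if printf '%s\n' "$entries" | grep -F "($3" >/dev/null; then
        echo "ok: $2 has $3 key(s), kvno $(keytab_kvnos "$1" "$2")"
        return 0
    fi
    echo "enctype mismatch: $2 is present but has no $3 key"
    return 2
}

# Check the principal the client trace resolved, for the enctype family the trace
# shows the session negotiated (aes256-cts). Compare the kvno with `kvno` on the client.
keytab_check "$SAMPLE_KEYTAB_LISTING" 'host/service.domain1.com@DOMAIN1.COM' aes256-cts
```

A principal that is absent from the listing while the client trace names it is the case to look at first: the name sshd expects is the one after reverse DNS processing in the trace, and it must match the keytab entry character for character, realm included.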