Wrong principal in request (SSH/GSSAPI/Kerberos/Debian)


I have set up two virtual machines on an "internal" (in the VirtualBox sense) network: one is a DNS server (dns1.example.com) and the other is the KDC and Kerberos admin server (kdc.example.com). The default and only realm is EXAMPLE.COM. Both machines run freshly installed Debian Squeeze.

Problem: I can ssh into kdc.example.com from kdc.example.com, but not from dns1.example.com.

On kdc.example.com, sshd in debug mode shows:

debug1: Unspecified GSS failure.  Minor code may provide more information
Wrong principal in request

debug1: Got no client credentials
debug3: mm_request_send entering: type 41
debug3: mm_request_receive entering
debug1: userauth-request for user tom service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug1: userauth-request for user tom service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method gssapi-with-mic

At this point the client is prompted for a password. A tcpdump capture viewed in Wireshark shows that some encrypted packets were exchanged, but I can't infer more than that, since they are, well, encrypted :). After 2 days of googling I'm stuck and would greatly appreciate any help.

I would also welcome any advice/links/hints on a sensible general strategy for debugging configuration when Kerberos and friends are involved. For example, I don't know where to look for the "wrong principal" problem, nor which principal the server receives instead of the correct one. Something tells me the real adventure is yet to come :).

Below are the configs and diagnostic output. I hope I haven't forgotten anything.

kdc:~# cat /etc/krb5kdc/kdc.conf 
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

kdc:~# kadmin.local -q 'listprincs'
Authenticating as principal root/[email protected] with password.
K/[email protected]
host/[email protected]
host/[email protected]
host/[email protected]
host/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
root/[email protected]
[email protected]

kdc:~# cat /etc/ssh/sshd_config |grep '^[^#]'
Port 22
ListenAddress 172.16.3.3
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

/etc/krb5.conf is identical on kdc and dns1.

dns1:~$ cat /etc/krb5.conf 
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true 
    forwardable = true
[realms]
    EXAMPLE.COM={
        admin_server = kdc.example.com
    }
[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

The TGT is forwardable. On the ssh client:

dns1:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
01/03/12 20:00:03  01/04/12 06:00:03  krbtgt/[email protected]
    renew until 01/04/12 20:00:00, Flags: FRIA
01/03/12 20:00:21  01/04/12 06:00:03  host/[email protected]
    renew until 01/04/12 20:00:00, Flags: FRAT

The keytab also looks fine:

dns1:~# klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/[email protected]
   5 host/[email protected]
   5 host/[email protected]
   5 host/[email protected]

DNS (including PTR, TXT and SRV records) works correctly.

dns1:~# cat /var/cache/bind/db.example.com 
$ORIGIN example.com.
$TTL    86400
@   IN  SOA dns1.example.com. root.example.com. (
            2012010301  ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
              86400 )   ; Negative Cache TTL
;
@   IN  NS  dns1.example.com.
dns1    IN  A   172.16.3.2
www IN  A   172.16.3.8
mail    IN  A   172.16.3.9
fed IN  A   172.16.3.100

kdc IN  A   172.16.3.3
;kds    IN  A   172.16.3.4

_kerberos   TXT "EXAMPLE.COM"

krb IN  CNAME   kdc

_kerberos._udp      SRV 0 0 88  kdc
_kerberos-master._udp   SRV 0 0 88  kdc
_kerberos-adm._tcp  SRV 0 0 749 kdc
_kpasswd._udp       SRV 0 0 464 kdc

dns1:~# cat /var/cache/bind/db.3.16.172.in-addr.arpa 
$ORIGIN 3.16.172.in-addr.arpa.
$TTL    86400
@   IN  SOA dns1.example.com. root.example.com. (
            2012010102  ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
              86400 )   ; Negative Cache TTL
;
@   IN  NS  dns1.example.com.
2   IN  PTR dns1.example.com.
3   IN  PTR kdc.example.com.

8   IN  PTR example.com.
9   IN  PTR mail.example.com.

Answer 1

Found this while googling the exact same error on a new server build - it pointed me in the right direction :)

In my case, my reverse DNS was wrong - once I updated it and flushed the cache of my caching nameserver, it worked.

Answer 2

I should have paid closer attention. There was another line in /etc/hosts resolving 127.0.0.1 to the FQDN (now commented out):

kdc:~$ cat /etc/hosts
127.0.0.1   localhost
#127.0.0.1  kdc.example.com kdc
172.16.3.3  kdc.example.com kdc

After purging the relevant principals from the DB and keytab and restarting both VMs, everything works as expected. Oops...
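Both answers above come down to name canonicalization: with the MIT Kerberos default rdns = true, the host/ service principal is derived by resolving the host name forward and then reverse-resolving the first address returned, so a stray /etc/hosts line or a wrong PTR record silently changes which principal the keytab must contain. The following check, added here and not part of the original question or answers, simulates that derivation over the /etc/hosts contents from answer 2 and compares the result against a keytab; the keytab principal and the hosts-file text are constructed to match what the page shows, and the rdns switch mirrors the [libdefaults] rdns option.

```python
"""Added example (not from the original post): simulate how MIT krb5 derives
the host/ service principal for sshd (forward lookup of the host name, then,
with rdns enabled, a reverse lookup of the first address) over an /etc/hosts
style table, and check the result against the keytab."""

REALM = "EXAMPLE.COM"

# /etc/hosts as it was before the fix (constructed from answer 2, line uncommented)
HOSTS_BROKEN = """\
127.0.0.1   localhost
127.0.0.1   kdc.example.com kdc
172.16.3.3  kdc.example.com kdc
"""
# /etc/hosts after the offending line was commented out (as shown in answer 2)
HOSTS_FIXED = """\
127.0.0.1   localhost
#127.0.0.1  kdc.example.com kdc
172.16.3.3  kdc.example.com kdc
"""
# Principals in the server keytab (constructed to match `klist -k` on the page)
KEYTAB = {"host/kdc.example.com@EXAMPLE.COM"}


def parse_hosts(text):
    """Build forward (name -> [addrs]) and reverse (addr -> canonical name) maps.
    As with the glibc 'files' backend, the first matching line wins on reverse."""
    forward, reverse = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            forward.setdefault(name.lower(), []).append(addr)
        reverse.setdefault(addr, names[0].lower())  # first name is canonical
    return forward, reverse


def service_principal(hostname, forward, reverse, rdns=True):
    """Return the host/ principal krb5 would look for in the keytab."""
    name = hostname.lower().rstrip(".")
    addrs = forward.get(name)
    if not addrs:
        raise LookupError(f"no address for {name}")
    canon = reverse.get(addrs[0], name) if rdns else name
    return f"host/{canon}@{REALM}"


def keytab_has_principal(hostname, hosts_text, rdns=True):
    """True when the derived principal exists in KEYTAB, i.e. GSSAPI can accept."""
    forward, reverse = parse_hosts(hosts_text)
    return service_principal(hostname, forward, reverse, rdns) in KEYTAB
```

With the broken table the derived principal is host/localhost@EXAMPLE.COM, which is exactly the "wrong principal" the server cannot find in its keytab; either fixing the name data (answers 1 and 2) or setting rdns = false makes the derivation land on host/kdc.example.com again.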

Answer 3

Try the following.

Edit /etc/ssh/sshd_config

Find PermitRootLogin no

Change PermitRootLogin => yes

Command> /etc/init.d/sshd restart
