How to replace NIS authentication with Kerberos: client not found in Kerberos database


I followed the Oracle tutorial for configuring NIS with Kerberos as the authentication mechanism. I believe I have the realm and KDC correctly configured and running on the server that runs NIS, so ypserv and ypbind are running. On the Kerberos client I successfully ran the following command (note that authconfig is deprecated in favour of authselect, but it still works):

authconfig --enablenis --enablekrb5 --krb5realm=SUBDOMAIN.OURDOMAIN.EDU --krb5adminserver=sub.sub.ourdomain.edu --krb5kdc=sub.sub.ourdomain.edu --update

This works when going from the Kerberos client to the same KDC and admin server. Here is an excerpt from /var/log/krb5kdc.log after kinit [email protected]:

aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) x.x.x.x: ISSUE: authtime 1603133224, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]

klist
Ticket cache: KEYRING:persistent:6105:6105
Default principal: [email protected]

Valid starting     Expires            Service principal
10/19/20 14:57:43  10/20/20 14:57:39  krbtgt/[email protected]
        renew until 10/19/20 14:57:43

But ssh -K -vv returns "Unspecified GSS failure", though at least I got logged in.

ssh -K -vv [email protected]
OpenSSH_8.3p1, OpenSSL 1.1.1g FIPS  21 Apr 2020
debug1: Reading configuration data /path/to/.ssh/config
debug1: /path/to/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/path/to/.ssh/sockets/[email protected]" does not exist
debug2: resolving "sub.sub.ourdomain.edu" port 22
debug2: ssh_connect_direct
debug1: Connecting to sub.sub.ourdomain.edu [x.x.x.x] port 22.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_8.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.3
debug1: match: OpenSSH_8.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to sub.sub.ourdomain.edu:22 as 'myuser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XUXhRKNYwxAGhwVIMa3fuo8uNMay6q4/qVeSWlQAOpM
debug1: Host 'sub.sub.ourdomain.edu' is known and matches the ECDSA host key.
debug1: Found key in /path/to/.ssh/known_hosts:33
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:6105)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /path/to/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /path/to/.ssh/id_dsa
debug1: Trying private key: /path/to/.ssh/id_ecdsa
debug1: Trying private key: /path/to/.ssh/id_ecdsa_sk
debug1: Trying private key: /path/to/.ssh/id_ed25519
debug1: Trying private key: /path/to/.ssh/id_ed25519_sk
debug1: Trying private key: /path/to/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
[email protected]'s password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to sub.sub.ourdomain.edu ([150.108.64.156]:22).
debug1: setting up multiplex master socket
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [/path/to/.ssh/sockets/[email protected]]
debug2: fd 3 setting TCP_NODELAY
debug1: control_persist_detach: backgrounding master process
debug2: control_persist_detach: background process is 126689
debug2: fd 4 setting O_NONBLOCK
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: id
debug2: set_control_persist_exit_time: schedule exit in 600 seconds
debug1: multiplexing control connection
debug2: fd 5 setting O_NONBLOCK
debug1: channel 1: new [mux-control]
debug2: set_control_persist_exit_time: cancel scheduled exit
debug2: mux_master_process_hello: channel 1 slave version 4
debug2: mux_client_hello_exchange: master version 4
debug2: mux_master_process_alive_check: channel 1: alive check
debug2: mux_master_process_new_session: channel 1: request tty 1, X 1, agent 0, subsys 0, term "xterm", cmd "", env 2
debug1: channel 2: new [client-session]
debug2: mux_master_process_new_session: channel_new: 2 linked to control channel 1
debug2: channel 2: send open
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug2: channel_input_open_confirmation: channel 2: callback start
debug2: client_session2_setup: id 2
debug2: channel 2: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 2: request env confirm 0
debug1: Sending env LC_ALL = C
debug2: channel 2: request env confirm 0
debug2: channel 2: request shell confirm 1
debug2: channel_input_open_confirmation: channel 2: callback done
debug2: channel 2: open confirm rwindow 0 rmax 32768
debug1: mux_client_request_session: master session id: 2
debug2: channel_input_status_confirm: type 99 id 2
debug2: PTY allocation request accepted on channel 2
debug2: channel 2: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 2
debug2: shell request accepted on channel 2

Running kinit results in:

kinit: Client '[email protected]' not found in Kerberos database while getting initial credentials

and /var/log/krb5kdc.log has:

CLIENT_NOT_FOUND: [email protected] for krbtgt/[email protected], Client not found in Kerberos database

I also looked at this toolbox tutorial, but I found nothing there that helped.

Also, how do users without a Kerberos client (e.g. on their personal laptops) log in with Kerberos authentication? Is ssh -K enough? Does the realm admin have to log in first before all NIS users can obtain tickets?

Edit: @user1686 asked for debugging output

Here is the debug output for "bob" (who is a Kerberos principal but not a NIS user), before entering the password:

Resolving unique ccache of type KEYRING
Getting initial credentials for [email protected]
Sending unauthenticated request
Sending request (202 bytes) to sub.ourdomain.edu
Resolving hostname olddsm.sub.ourdomain.edu
Sending initial UDP request to dgram 150.108.64.156:88
Received answer (459 bytes) from dgram 150.108.64.156:88
Sending DNS URI query for _kerberos.sub.ourdomain.edu.
No URI records found
Sending DNS SRV query for _kerberos-master._udp.sub.ourdomain.edu.
Sending DNS SRV query for _kerberos-master._tcp.sub.ourdomain.edu.
No SRV records found
Response was not from master KDC
Received error from KDC: -1765328359/Additional pre-authentication required
Preauthenticating using KDC method data
Processing preauth types: PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
Selected etype info: etype aes256-cts, salt "sub.ourdomain.edubob", params ""
Received cookie: MIT1\x00\x00\x00\x01\xa6o@\xe7\x18($\xb3\xa0\+G\x8c{h\xce\x7f\xb1\x8e\x1bi\x9c\xdd_\xf3\x0b\xef\xabpBe\xf0\xabP\x18\x0epD\x96\xe0{\xa6\x86\xdd\xbaW\xa8\x1b\x888F\x88NA\xb96F#+\xae0?cLXy\x06\x03\x036\x80e\xb6x\xf0\xaa\xba\x8c\xd5!v\xd62\xe8\x11\xbb\xfa~Q\x0f\xa6\xf1\\x95\x1b(_\x1dW\x0a\x18K\xd8\xc8\xd5\xeb\x0d\x92\xaa\x9bHA\x1a:\x10\xa7\xed\x9b\xde1>\xf6\x01\xbf\xf3Dk\x10\x9e\xda
SPAKE challenge received with group 1, pubkey E68F19E1E54CFB8167A58BA27281988C6D41E781616151E9E77E8BF2C9943384

Here is the debug output after Bob's password:

SPAKE key generated with pubkey AFB1CF7A0590A8EB85009C098983F40ADE287C14812D7559AED3AD3906799A0A
SPAKE algorithm result: 06204D53974A5ED18239F0DC4894DE4218EB576231190E2BF4DFF29CA4A3F5E1
SPAKE final transcript hash: 17E210EF8E0DBA330E67D30E255C6D13F3FCFD8D6D05F6FFCB55F1FDD9397320
Sending SPAKE response
Preauth module spake (151) (real) returned: 0/Success
Produced preauth for next request: PA-FX-COOKIE (133), PA-SPAKE (151)
Sending request (461 bytes) to SUB.OURDOMAIN.EDU
Resolving hostname olddsm.SUB.OURDOMAIN.EDU
Sending initial UDP request to dgram x.x.x.x:88
Received answer (725 bytes) from dgram x.x.x.x:88
Sending DNS URI query for _kerberos.SUB.OURDOMAIN.EDU.
No URI records found
Sending DNS SRV query for _kerberos-master._udp.SUB.OURDOMAIN.EDU.
Sending DNS SRV query for _kerberos-master._tcp.SUB.OURDOMAIN.EDU.
No SRV records found
Response was not from master KDC
AS key determined by preauth: aes256-cts/E5DE
Decrypted AS reply; session key is: aes256-cts/2E1C
FAST negotiation: available
Initializing KEYRING:persistent:6105:krb_ccache_6defZ3A with default princ [email protected]
Storing [email protected] -> krbtgt/[email protected] in KEYRING:persistent:6105:krb_ccache_6defZ3A
Storing config in KEYRING:persistent:6105:krb_ccache_6defZ3A for krbtgt/[email protected]: fast_avail: yes
Storing [email protected] -> krb5_ccache_conf_data/fast_avail/krbtgt\/SUB.OURDOMAIN.EDU\@SUB.OURDOMAIN.EDU@X-CACHECONF: in KEYRING:persistent:6105:krb_ccache_6defZ3A
Storing config in KEYRING:persistent:6105:krb_ccache_6defZ3A for krbtgt/[email protected]: pa_type: 151
Storing [email protected] -> krb5_ccache_conf_data/pa_type/krbtgt\/SUB.OURDOMAIN.EDU\@SUB.OURDOMAIN.EDU@X-CACHECONF: in KEYRING:persistent:6105:krb_ccache_6defZ3A

kinit

klist
Ticket cache: KEYRING:persistent:6105:krb_ccache_6defZ3A
Default principal: [email protected]

Valid starting     Expires            Service principal
10/22/20 12:18:40  10/23/20 12:18:34  krbtgt/[email protected]
        renew until 10/22/20 12:18:40

From krb5kdc.log:

olddsm.SUB-OURDOMAIN.EDU krb5kdc[2160](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 150.108.68.128: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required

krb5kdc[2160](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 150.108.68.128: ISSUE: authtime 1603383520, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]

I did not see this mentioned in the tutorials I cited, but do the NIS users need to be migrated into the Kerberos realm, as mentioned here for pam_krb5.so? Also, I do not see it in any PAM file, for example in /etc/pam.d/ or /etc/authselect/. I did use the deprecated authconfig option; there were no errors, only a warning that it has been replaced by authselect.

The ssh log for a NIS-only user shows that only the NIS password works:

attempt 0 failures 0 [preauth]
PAM: initializing for "xx"
PAM: setting PAM_RHOST to "x.x.x.x"
PAM: setting PAM_TTY to "ssh"
userauth-request for user ts service ssh-connection method gssapi-with-mic [preauth]
attempt 1 failures 0 [preauth]
Postponed gssapi-with-mic for ts from x.x.x.x port 58692 ssh2 [preauth]
Unspecified GSS failure.  Minor code may provide more information\nRequest ticket server host/[email protected] kvno 6 not found in keytab; keytab is likely out of date
Got no client credentials
userauth-request for user ts service ssh-connection method gssapi-with-mic [preauth]
attempt 2 failures 1 [preauth]
userauth-request for user ts service ssh-connection method publickey [preauth]
attempt 3 failures 1 [preauth]
userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk [preauth]
temporarily_use_uid: 1202/150 (e=0/0)
trying public key file /home/users/ts/.ssh/authorized_keys
Could not open authorized keys '/home/users/xx/.ssh/authorized_keys': No such file or directory
restore_uid: 0/0
Failed publickey for ts from x.x.x.x port 58692 ssh2: RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
userauth-request for user xx service ssh-connection method password [preauth]
attempt 4 failures 2 [preauth]
PAM: password authentication accepted for ts
do_pam_account: called
Accepted password for ts from x.x.x.x port 58692 ssh2
