I am trying to perform an SSH login using Kerberos authentication. At login I am prompted for a password instead of being authenticated with Kerberos.
There are three machines: the client, kdcserver, and service (the SSHD server). The client is trying to log in to service using Kerberos.
Attached are the configuration files and debug logs from the client and service machines (Linux).
Client:
/etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
klist (tickets)
Default principal: [email protected]
Valid starting Expires Service principal
02/12/2021 12:06:02 02/13/2021 12:05:45 host/[email protected]
02/12/2021 12:05:45 02/13/2021 12:05:45 krbtgt/[email protected]
SSH client debug log
ssh -vvv service.example.com
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "service.example.com" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to service.example.com [172.30.88.107] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: key_load_public: No such file or directory
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to service.example.com:22 as 'root'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from service.example.com
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss,null
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug2: ciphers ctos: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1,[email protected],[email protected],[email protected]
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1,[email protected],[email protected],[email protected]
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug3: send packet: type 30
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:+1UAVGrMBTByh3IJ4Ux4mECS8UB2sqSVtmvVduHKw9g
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from service.example.com
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 172.30.88.107
debug1: Host 'service.example.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug2: key: /root/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Service (SSHD)
sshd_config
[root@service ~]# cat /etc/ssh/sshd_config
#Version 2
Port 22
Protocol 2
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_rsa_key
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG3
LoginGraceTime 60
PermitRootLogin yes
StrictModes yes
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
UsePAM yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#GSSAPIKeyExchange no
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
Banner /etc/issue.net
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
HostKey /etc/ssh/ssh_host_ecdsa_256_key
HostKey /etc/ssh/ssh_host_ecdsa_384_key
HostKey /etc/ssh/ssh_host_ecdsa_521_key
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,[email protected],[email protected],[email protected]
When the client tries to log in to service, sshd logs the following:
Feb 12 12:06:01 NE107 crond[15161]: (root) CMD (test -x /usr/st/bin/recreate-missing-dirs && /usr/st/bin/recreate-missing-dirs)
Feb 12 12:06:11 NE107 sshd[15182]: connect from 10.7.90.199 (10.7.90.199)
Feb 12 12:06:11 NE107 sshd[15182]: debug1: inetd sockets after dupping: 3, 4
Feb 12 12:06:11 NE107 sshd[15182]: Connection from 10.7.90.199 port 59876 on 172.30.88.107 port 22
Feb 12 12:06:11 NE107 sshd[15182]: debug1: Local version string SSH-2.0-OpenSSH_8.0
Feb 12 12:06:11 NE107 sshd[15182]: debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
Feb 12 12:06:11 NE107 sshd[15182]: debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
Feb 12 12:06:11 NE107 sshd[15182]: debug2: fd 3 setting O_NONBLOCK
Feb 12 12:06:11 NE107 sshd[15182]: debug3: fd 4 is O_NONBLOCK
Feb 12 12:06:11 NE107 sshd[15182]: debug3: ssh_sandbox_init: preparing rlimit sandbox
Feb 12 12:06:11 NE107 sshd[15182]: debug2: Network child is on pid 15183
Feb 12 12:06:11 NE107 sshd[15182]: debug3: preauth child monitor started
Feb 12 12:06:11 NE107 sshd[15182]: debug3: privsep user:group 74:74 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: permanently_set_uid: 74/74 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 20 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 20 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: local server KEXINIT proposal [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: ciphers ctos: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: ciphers stoc: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1,[email protected],[email protected],[email protected] [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1,[email protected],[email protected],[email protected] [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: compression ctos: none,[email protected] [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: compression stoc: none,[email protected] [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: languages ctos: [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: languages stoc: [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: first_kex_follows 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: reserved 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: peer client KEXINIT proposal [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha
Feb 12 12:06:11 NE107 sshd[15182]: debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss,null [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: compression ctos: none,[email protected],zlib [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: compression stoc: none,[email protected],zlib [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: languages ctos: [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: languages stoc: [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: first_kex_follows 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: reserved 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: kex: algorithm: ecdh-sha2-nistp256 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 30 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshkey_sign entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 6 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 6
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_sign
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_sign: hostkey proof signature 0x20702500(100)
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 7
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 6 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive_expect entering: type 7 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 31 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 21 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: set_newkeys: mode 1 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: rekey out after 4294967296 blocks [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 7 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 21 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: set_newkeys: mode 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: rekey in after 4294967296 blocks [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: KEX done [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 5 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 6 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 50 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: userauth-request for user root service ssh-connection method none [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: attempt 0 failures 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_getpwnamallow entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 8 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive_expect entering: type 9 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 8
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_pwnamallow
Feb 12 12:06:11 NE107 sshd[15182]: debug2: parse_server_config: config reprocess config len 1061
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 9
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 8 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug2: input_userauth_request: setting up authctxt for root [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_start_pam entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 100 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_inform_authserv entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 4 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_auth2_read_banner entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 10 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive_expect entering: type 11 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 100
Feb 12 12:06:11 NE107 sshd[15182]: debug1: PAM: initializing for "root"
Feb 12 12:06:11 NE107 sshd[15182]: debug1: PAM: setting PAM_RHOST to "10.7.90.199"
Feb 12 12:06:11 NE107 sshd[15182]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 100 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 4
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_authserv: service=ssh-connection, style=
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 4 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 10
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 11
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 10 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 53 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: userauth_send_banner: sent [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: input_userauth_request: try method none [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: ensure_minimum_time_since: elapsed 19.097ms, delaying 7.623ms (requested 6.680ms) [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: eci_userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 51 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 50 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: attempt 1 failures 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: input_userauth_request: try method keyboard-interactive [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: keyboard-interactive devs [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: auth2_challenge: user=root devs= [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: auth2_challenge_start: devices pam [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: kbdint_next_device: devices <empty> [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshpam_init_ctx [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 104 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive_expect entering: type 105 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 104
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_pam_init_ctx
Feb 12 12:06:11 NE107 sshd[15182]: debug3: PAM: sshpam_init_ctx entering
Feb 12 12:06:11 NE107 sshd[15182]: debug2: sshpam_init_ctx: auth information in SSH_AUTH_INFO_0
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 105
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 104 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshpam_query [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 106 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive_expect entering: type 107 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 106
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_pam_query
Feb 12 12:06:11 NE107 sshd[15182]: debug3: PAM: sshpam_query entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: ssh_msg_recv entering
Feb 12 12:06:11 NE107 sshd[15184]: debug3: PAM: sshpam_thread_conv entering, 1 messages
Feb 12 12:06:11 NE107 sshd[15184]: debug3: ssh_msg_send: type 1
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 107
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshpam_query: pam_query returned 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15184]: debug3: ssh_msg_recv entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 60 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: ensure_minimum_time_since: elapsed 13.171ms, delaying 0.189ms (requested 6.680ms) [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: Postponed keyboard-interactive for root from 10.7.90.199 port 59876 ssh2 [preauth]
Feb 12 12:06:18 NE107 sshd[15182]: Connection closed by authenticating user root 10.7.90.199 port 59876 [preauth]
Feb 12 12:06:18 NE107 sshd[15182]: debug1: do_cleanup [preauth]
Feb 12 12:06:18 NE107 sshd[15182]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
Feb 12 12:06:18 NE107 sshd[15182]: debug1: monitor_read_log: child log fd closed
Feb 12 12:06:18 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:18 NE107 sshd[15182]: debug1: do_cleanup
Feb 12 12:06:18 NE107 sshd[15182]: debug1: PAM: cleanup
Feb 12 12:06:18 NE107 sshd[15182]: debug3: PAM: sshpam_thread_cleanup entering
Feb 12 12:06:18 NE107 sshd[15182]: debug1: Killing privsep child 15183
krb5 configuration file
cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
clockskew = 600
default_realm = EXAMPLE.COM
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
kdc = kdcserver.example.com
admin_server = kdcserver.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
GSSAPIAuthentication is set to yes in both the client (SSH) and the service (SSHD) configuration.
Looking at the SSH client debug log, I noticed that the authentication methods used are only publickey and keyboard-interactive, not gssapi-with-mic (which I believe is the one used for Kerberos; please correct me if I am wrong).
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
Could someone help analyse the logs and point out why the Kerberos login is not working?
Thanks!
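Added example, not part of the question: a small Python checker that reads the relevant lines of an `ssh -vvv` transcript and the matching sshd DEBUG3 log and reports which GSSAPI methods the client wanted but the server never advertised, whether a gss-* key exchange was even offered, and which method the login fell back to. The sample log lines are constructed after the ones in the question; the function names and the wording of the findings are this example's own, not OpenSSH's.

```python
"""Explain a GSSAPI (Kerberos) fallback from OpenSSH client and server debug logs.

Hypothetical helper written for this page; it is not OpenSSH code.
The sample lines below are constructed to match the logs in the question."""
import re
from typing import Dict, List

CLIENT_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256,ecdh-sha2-nistp256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Next authentication method: keyboard-interactive
"""

SERVER_LOG = """\
Feb 12 12:06:11 NE107 sshd[15182]: debug1: userauth-request for user root service ssh-connection method none [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: eci_userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth]
"""


def csv(s: str) -> List[str]:
    return [x for x in s.strip().split(",") if x]


def parse_client(log: str) -> Dict[str, List[str]]:
    """Extract the server's KEX offer, the server's userauth offer, the client's
    preference order and the methods the client actually tried from `ssh -vvv`."""
    out: Dict[str, List[str]] = {"server_kex": [], "server_auth": [], "client_preferred": [], "tried": []}
    in_peer = False  # the KEX line after "peer server KEXINIT proposal" is the server's
    for line in log.splitlines():
        if "peer server KEXINIT proposal" in line:
            in_peer = True
        elif "local client KEXINIT proposal" in line:
            in_peer = False
        if (m := re.search(r"KEX algorithms: (\S+)", line)) and in_peer:
            out["server_kex"] = csv(m.group(1))
        if m := re.search(r"Authentications that can continue: (\S+)", line):
            out["server_auth"] = csv(m.group(1))
        if m := re.search(r"debug\d: preferred (\S+)", line):
            out["client_preferred"] = csv(m.group(1))
        if m := re.search(r"Next authentication method: (\S+)", line):
            out["tried"].append(m.group(1))
    return out


def parse_server(log: str) -> Dict[str, List[str]]:
    """Cross-check from sshd's side: what it advertised and what the client requested."""
    out: Dict[str, List[str]] = {"advertised": [], "requested": []}
    for line in log.splitlines():
        if m := re.search(r'next methods="([^"]*)"', line):
            out["advertised"] = csv(m.group(1))
        if (m := re.search(r"userauth-request for user \S+ service \S+ method (\S+)", line)) and m.group(1) != "none":
            out["requested"].append(m.group(1))
    return out


def diagnose(client_log: str, server_log: str) -> Dict[str, object]:
    """Return the GSSAPI methods the client wanted but was never offered, the method the
    login fell back to, and a short list of findings about why."""
    c, s = parse_client(client_log), parse_server(server_log)
    wanted = [m for m in c["client_preferred"] if m.startswith("gssapi")]
    missing = [m for m in wanted if m not in c["server_auth"]]
    gss_kex_offered = any(a.startswith("gss-") for a in c["server_kex"])
    findings = []
    if "gssapi-keyex" in wanted and not gss_kex_offered:
        findings.append("gssapi-keyex impossible: server offered no gss-* KEX algorithm "
                        "(GSSAPIKeyExchange not enabled on sshd)")
    if "gssapi-with-mic" in missing:
        findings.append("gssapi-with-mic never advertised by sshd: GSSAPIAuthentication is off in the "
                        "configuration that applies to this connection, or sshd was built without GSSAPI")
    if s["advertised"] and s["advertised"] != c["server_auth"]:
        findings.append("client and server logs disagree on the advertised method list")
    return {"gss_missing": missing, "fell_back_to": s["requested"][:1] or c["tried"][-1:], "findings": findings}


if __name__ == "__main__":
    for key, value in diagnose(CLIENT_LOG, SERVER_LOG).items():
        print(f"{key}: {value}")
```

On an OpenSSH server, `sshd -T -C user=<user>,host=<client-host>,addr=<client-ip>` prints the effective configuration after Match blocks are applied, which is where to confirm whether GSSAPIAuthentication is really in force for the failing connection.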