
Kerberized SSH fails

I want to authenticate ssh logins with Kerberos, but it fails. Below is a snippet of the ssh debug output from the command ssh -vvv localhost.

debug3: Wrote 80 bytes for a total of 1125
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address ::1.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1221
debug1: Delegating credentials
debug3: Wrote 1408 bytes for a total of 2629
debug1: Delegating credentials
debug3: Wrote 64 bytes for a total of 2693
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 2789
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 2885
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 2981
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey

Here is the server's debug output:

debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 4220
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 784 bytes for a total of 805
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug3: mm_request_send entering: type 78
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug3: mm_request_send entering: type 78
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: Wrote 152 bytes for a total of 957
debug2: dh_gen_key: priv key bits set: 121/256
debug2: bits set: 513/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 520/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 5
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 6
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 5
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x7f2b3128ca10(271)
debug3: mm_request_send entering: type 6
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 720 bytes for a total of 1677
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug2: monitor_read: 5 used once, disabling now
debug3: mm_request_receive entering
debug3: Wrote 48 bytes for a total of 1725
debug1: userauth-request for user username service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 7
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 8
debug3: mm_request_receive entering
debug3: monitor_read: checking request 7
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address ::1.
debug2: parse_server_config: config reprocess config len 587
debug3: auth_shadow_acctexpired: today 15818 sp_expire -1 days left -15819
debug3: account expiration disabled
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 8
debug2: input_userauth_request: setting up authctxt for username
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: mm_inform_authrole entering
debug3: mm_request_send entering: type 4
debug2: input_userauth_request: try method none
debug3: Wrote 80 bytes for a total of 1805
debug2: monitor_read: 7 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authrole: role=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user username service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 38
debug3: mm_request_receive_expect entering: type 39
debug3: mm_request_receive entering
debug3: monitor_read: checking request 38
debug3: mm_request_send entering: type 39
Postponed gssapi-with-mic for username from ::1 port 48263 ssh2
debug3: Wrote 48 bytes for a total of 1853
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 40
debug3: mm_request_receive_expect entering: type 41
debug3: mm_request_receive entering
debug3: monitor_read: checking request 40
debug1: Received some client credentials
debug3: mm_request_send entering: type 41
debug3: mm_request_receive entering
debug3: Wrote 192 bytes for a total of 2045
debug3: mm_request_send entering: type 44
debug3: mm_request_receive_expect entering: type 45
debug3: mm_request_receive entering
debug3: monitor_read: checking request 44
debug3: mm_request_send entering: type 45
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 42
debug3: mm_request_receive_expect entering: type 43
debug3: monitor_read: checking request 42
debug3: mm_request_receive entering
debug3: mm_answer_gss_userok: sending result 0
debug3: mm_request_send entering: type 43
Failed gssapi-with-mic for username from ::1 port 48263 ssh2
debug3: mm_ssh_gssapi_userok: user not authenticated
debug3: Wrote 80 bytes for a total of 2125
debug3: mm_request_receive entering
debug1: userauth-request for user username service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug3: Wrote 80 bytes for a total of 2205
debug1: userauth-request for user username service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug3: Wrote 80 bytes for a total of 2285
debug1: userauth-request for user username service ssh-connection method gssapi-with-mic
debug1: attempt 4 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug3: Wrote 80 bytes for a total of 2365
debug1: userauth-request for user username service ssh-connection method publickey
debug1: attempt 5 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 21
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 22
debug3: mm_request_receive entering
debug3: monitor_read: checking request 21
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x7f2b312988d0
debug1: temporarily_use_uid: 500/500 (e=0/0)
debug1: trying public key file /home/username/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 500/500 (e=0/0)
debug1: trying public key file /home/username/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for username from ::1 port 48263 ssh2
debug3: mm_answer_keyallowed: key 0x7f2b312988d0 is not allowed
debug3: mm_request_send entering: type 22
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: Wrote 80 bytes for a total of 2445

Tail of the Kerberos log:

Apr 23 21:35:40 hostname krb5kdc[25099](info): TGS_REQ (1 etypes {18}) 127.0.0.1: ISSUE: authtime 1366693210, etypes {rep=18 tkt=18 ses=18}, username/localhost@LOCALHOST for krbtgt/LOCALHOST@LOCALHOST

From the debug output, the client seems to be failing because messages are only partially written. As for the server-side debug output, I could not get much useful information out of it, limited as I am by my knowledge. What is the cause of this problem?

(I have Kerberos deployed and can obtain the krbtgt ticket correctly. I have also added the credentials for the host/localhost@LOCALHOST principal to /etc/krb5.keytab. The default realm is LOCALHOST. The sshd principal is host/localhost@LOCALHOST and the user principal is username/localhost@LOCALHOST. Is there anything else to check? My platform is CentOS 6.4 x86_64 Final release. Both sshd and the kdc are on the same machine, i.e. localhost, and I am trying to log in from localhost to localhost.)

Thanks and regards!


Update:

The parts of sshd_config related to GSS and Kerberos:

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
#UsePAM yes

This is a fairly old question, but someone might still find it useful.

First, change sshd_config to use the default option UsePAM yes.

Logon on CentOS/RedHat goes through PAM to SSSD, not through Kerberos itself. The same holds for SSH: it consults the PAM configuration first, before Kerberos, and talks to SSSD.
Because of the Kerberos validation domain, I recommend using an external interface rather than loopback. In that case, make sure the IP matches the domain in /etc/hosts and that the hostname is set (hostname localhost.localdomain, set in /etc/sysconfig/network via the HOSTNAME key).
You can configure PAM and SSSD with a command like:

authconfig --update --enablelocauthorize --enablekrb5 --krb5realm LOCALHOST --krb5kdc localhost:88 --krb5adminserver localhost:749

The SSSD configuration should contain:

krb5_realm = LOCALHOST
krb5_server = localhost:88 
auth_provider = krb5 

Kerberos krb5.conf:

[realms]
  LOCALHOST = {
    kdc = localhost:88
    master_kdc = localhost:88
    admin_server = localhost:749
    default_domain = localhost
  }

You can also see what Kerberos is saying while ssh connects. The following works only with MIT Kerberos. To enable DEBUG in Kerberos, use a command line like:

[user@localhost]$ KRB5_TRACE=/dev/stdout ssh -vvv localhost

Enabling debugging in SSHD can also help. You need to shut down the running instance, then run sshd in debug mode with /usr/sbin/sshd -d -d -d, which serves a single connection only. Keep in mind that sshd exits after the client disconnects.

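The two debug transcripts in the question say more than "it fails" once the GSSAPI stages are read in order. The following Python script is an added example, not code from the question, the answer, OpenSSH or MIT Kerberos: it walks abridged excerpts of the client `ssh -vvv` output and the server `sshd -d -d -d` output quoted above and reports how far each authentication method got. The explanations it attaches to the `mm_answer_gss_userok` event describe MIT Kerberos behaviour (the `krb5_kuserok()` check and the `auth_to_local` mapping), which neither the question nor the answer discusses; the status names and the `root_cause` codes are my own.

```python
"""Triage helper for GSSAPI (Kerberos) authentication failures in sshd.

Added example; not code from the question, the answer, OpenSSH or MIT
Kerberos.  It classifies `ssh -vvv` and `sshd -d -d -d` lines by stage so
a keytab / service-principal problem can be told apart from a
principal-to-local-user authorization problem.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (auth method, status, explanation)

# Constructed, abridged excerpts of the two logs quoted in the question.
CLIENT_LOG = """\
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
"""

SERVER_LOG = """\
debug1: userauth-request for user username service ssh-connection method gssapi-with-mic
Postponed gssapi-with-mic for username from ::1 port 48263 ssh2
debug1: Received some client credentials
debug3: mm_answer_gss_userok: sending result 0
Failed gssapi-with-mic for username from ::1 port 48263 ssh2
debug3: mm_ssh_gssapi_userok: user not authenticated
debug1: userauth-request for user username service ssh-connection method publickey
Failed publickey for username from ::1 port 48263 ssh2
"""

# "Failed <method> for <user> from <addr> port <port> ssh2" is sshd's own wording.
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
USEROK_RE = re.compile(r"mm_answer_gss_userok: sending result (?P<result>\d)")

# When one method produced several events, the most specific status wins.
PRIORITY = {"skipped": 1, "context-established": 2, "accept-ok": 3,
            "failed": 4, "authorized": 5, "authorization-failed": 5}


def triage_client(lines: List[str]) -> List[Finding]:
    """Findings from the ssh -vvv output."""
    findings: List[Finding] = []
    for line in lines:
        if "No valid Key exchange context" in line:
            findings.append(("gssapi-keyex", "skipped",
                "the key exchange was not a GSSAPI one (GSSAPIKeyExchange not in "
                "effect on both sides), so gssapi-keyex is unusable; harmless by itself"))
        elif "Delegating credentials" in line:
            findings.append(("gssapi-with-mic", "context-established",
                "the client obtained a service ticket and built a GSSAPI context; "
                "it is forwarding its TGT because credential delegation is enabled"))
    return findings


def triage_server(lines: List[str]) -> List[Finding]:
    """Findings from the sshd -d -d -d output."""
    findings: List[Finding] = []
    for line in lines:
        if "Received some client credentials" in line:
            findings.append(("gssapi-with-mic", "accept-ok",
                "sshd accepted the GSSAPI context (and received delegated credentials) "
                "using its keytab entry, so the host service principal and "
                "/etc/krb5.keytab are usable"))
            continue
        m = USEROK_RE.search(line)
        if m:
            ok = m["result"] == "1"
            findings.append(("gssapi-with-mic",
                "authorized" if ok else "authorization-failed",
                "the principal is allowed to log in as the requested local user" if ok else
                "the authenticated Kerberos principal was not allowed to log in as the "
                "requested local user; with MIT Kerberos this is krb5_kuserok(), which "
                "consults ~/.k5login or, failing that, the principal-to-username "
                "mapping (auth_to_local in krb5.conf)"))
            continue
        m = FAILED_RE.match(line)
        if m:
            findings.append((m["method"], "failed",
                f"sshd rejected {m['method']} for {m['user']} from {m['src']}"))
    return findings


def diagnose(client_log: str, server_log: str) -> Dict[str, str]:
    """Per-method verdict, keeping the most specific status seen for each method."""
    verdict: Dict[str, str] = {}
    for method, status, _ in (triage_client(client_log.splitlines())
                              + triage_server(server_log.splitlines())):
        if PRIORITY[status] >= PRIORITY.get(verdict.get(method, ""), 0):
            verdict[method] = status
    return verdict


def root_cause(verdict: Dict[str, str]) -> Tuple[str, str]:
    """Short code plus a one-line explanation of where to look next."""
    gss = verdict.get("gssapi-with-mic")
    if gss == "authorization-failed":
        return ("PRINCIPAL_NOT_MAPPED_TO_USER",
                "Kerberos worked end to end; fix the principal -> local user mapping "
                "(~/.k5login or auth_to_local), not the keytab or the KDC")
    if gss == "authorized":
        return ("GSSAPI_OK", "gssapi-with-mic succeeded")
    if gss in ("context-established", None):
        return ("CONTEXT_NOT_ACCEPTED",
                "the server never reported accepting the context; check the "
                "host/<fqdn> keytab entry, reverse DNS and clock skew")
    return ("UNKNOWN", f"unclassified state: {gss}")


if __name__ == "__main__":
    v = diagnose(CLIENT_LOG, SERVER_LOG)
    for method, status in v.items():
        print(f"{method:16s} {status}")
    print(*root_cause(v))
```

Run on the question's excerpts, `diagnose` reports gssapi-keyex as skipped, publickey as failed and gssapi-with-mic as authorization-failed, and `root_cause` returns PRINCIPAL_NOT_MAPPED_TO_USER: the KDC issued the ticket, the client built the context and sshd accepted it, and the rejection came only from the `gss_userok` step. With MIT Kerberos the default `auth_to_local` rule maps only single-component principals in the default realm to a local user name, so a two-component principal such as username/localhost@LOCALHOST would have to be listed in that account's ~/.k5login (or covered by an explicit `auth_to_local` rule) before sshd treats it as the local user username. That is a diagnostic reading of the logs, not a replacement for the PAM/SSSD setup in the answer above.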