I followed the Oracle tutorial for configuring NIS and using Kerberos as the authentication mechanism. I believe I got the Realm and KDC configured and running correctly on a server that is running NIS, so `ypserv` and `ypbind` are running. On a Kerberos client I ran the following command successfully (note `authconfig` is deprecated in favor of `authselect` but still works):
```
authconfig --enablenis --enablekrb5 --krb5realm=SUBDOMAIN.OURDOMAIN.EDU --krb5adminserver=sub.sub.ourdomain.edu --krb5kdc=sub.sub.ourdomain.edu --update
```
So `kinit admin@SUBDOMAIN.OURDOMAIN.EDU` works when going from a Kerberos client to the KDC and Admin server, which are the same host. Here's a snip from `/var/log/krb5kdc.log`:
```
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) x.x.x.x: ISSUE: authtime 1603133224, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@ourdomain.edu for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU
```
```
klist
Ticket cache: KEYRING:persistent:6105:6105
Default principal: admin@SUBDOMAIN.OURDOMAIN.EDU
Valid starting       Expires              Service principal
10/19/20 14:57:43    10/20/20 14:57:39    krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU
        renew until 10/19/20 14:57:43
```
But using `ssh -K -vv` returns "Unspecified GSS failure", though I can at least log in.
```
ssh -K -vv myuser@sub.sub.ourdomain.edu
OpenSSH_8.3p1, OpenSSL 1.1.1g FIPS 21 Apr 2020
debug1: Reading configuration data /path/to/.ssh/config
debug1: /path/to/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/path/to/.ssh/sockets/myuser@sub.sub.ourdomain.edu-22" does not exist
debug2: resolving "sub.sub.ourdomain.edu" port 22
debug2: ssh_connect_direct
debug1: Connecting to sub.sub.ourdomain.edu [x.x.x.x] port 22.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_8.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.3
debug1: match: OpenSSH_8.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to sub.sub.ourdomain.edu:22 as 'myuser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XUXhRKNYwxAGhwVIMa3fuo8uNMay6q4/qVeSWlQAOpM
debug1: Host 'sub.sub.ourdomain.edu' is known and matches the ECDSA host key.
debug1: Found key in /path/to/.ssh/known_hosts:33
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:6105)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /path/to/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /path/to/.ssh/id_dsa
debug1: Trying private key: /path/to/.ssh/id_ecdsa
debug1: Trying private key: /path/to/.ssh/id_ecdsa_sk
debug1: Trying private key: /path/to/.ssh/id_ed25519
debug1: Trying private key: /path/to/.ssh/id_ed25519_sk
debug1: Trying private key: /path/to/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
myuser@sub.sub.ourdomain.edu's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to sub.sub.ourdomain.edu ([150.108.64.156]:22).
debug1: setting up multiplex master socket
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [/path/to/.ssh/sockets/myuser@sub.sub.ourdomain.edu-22]
debug2: fd 3 setting TCP_NODELAY
debug1: control_persist_detach: backgrounding master process
debug2: control_persist_detach: background process is 126689
debug2: fd 4 setting O_NONBLOCK
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: id
debug2: set_control_persist_exit_time: schedule exit in 600 seconds
debug1: multiplexing control connection
debug2: fd 5 setting O_NONBLOCK
debug1: channel 1: new [mux-control]
debug2: set_control_persist_exit_time: cancel scheduled exit
debug2: mux_master_process_hello: channel 1 slave version 4
debug2: mux_client_hello_exchange: master version 4
debug2: mux_master_process_alive_check: channel 1: alive check
debug2: mux_master_process_new_session: channel 1: request tty 1, X 1, agent 0, subsys 0, term "xterm", cmd "", env 2
debug1: channel 2: new [client-session]
debug2: mux_master_process_new_session: channel_new: 2 linked to control channel 1
debug2: channel 2: send open
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug2: channel_input_open_confirmation: channel 2: callback start
debug2: client_session2_setup: id 2
debug2: channel 2: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 2: request env confirm 0
debug1: Sending env LC_ALL = C
debug2: channel 2: request env confirm 0
debug2: channel 2: request shell confirm 1
debug2: channel_input_open_confirmation: channel 2: callback done
debug2: channel 2: open confirm rwindow 0 rmax 32768
debug1: mux_client_request_session: master session id: 2
debug2: channel_input_status_confirm: type 99 id 2
debug2: PTY allocation request accepted on channel 2
debug2: channel 2: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 2
debug2: shell request accepted on channel 2
```
Running `kinit` results in:

```
kinit: Client 'myuser@SUBDOMAIN.OURDOMAIN.EDU' not found in Kerberos database while getting initial credentials
```

and `/var/log/krb5kdc.log` has:

```
CLIENT_NOT_FOUND: myuser@SUBDOMAIN.OURDOMAIN.EDU for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU, Client not found in Kerberos database
```
I also looked at this Toolbox tutorial, but I didn't find anything there that helped.
Also, how can users who don't have a Kerberos client (e.g., on their personal laptop) log in using Kerberos authentication? Will `ssh -K` suffice?
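As an added example (not part of the question or of any answer to it), here is a small Python triage script that reads the two sources of evidence quoted above, the KDC log and the `ssh -vv` client output, and states what each one says: whether the KDC knows the user principal, whether sshd offered GSSAPI at all, whether the client's GSSAPI step found a ticket in the named credential cache, and which method finally authenticated. The log lines embedded in it are constructed to mirror the question's output, the principal names are the question's placeholders, and the finding codes are my own naming.

```python
"""Triage helper for a failed Kerberos/GSSAPI ssh login.

Reads two kinds of evidence, KDC log lines and `ssh -vv` client debug output,
and reports what each says, so the failure can be pinned to the KDC side
(principal absent) or the client side (no ticket in the credential cache).
"""
import re

# Constructed sample lines modelled on the question's output; not captured
# from a live system. Principal names are the question's placeholders.
KDC_LOG = """\
x.x.x.x: ISSUE: authtime 1603133224, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@SUBDOMAIN.OURDOMAIN.EDU for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU
x.x.x.x: CLIENT_NOT_FOUND: myuser@SUBDOMAIN.OURDOMAIN.EDU for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU, Client not found in Kerberos database
"""

SSH_DEBUG = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:6105)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
"""

# KDC log: a TGT was issued to <client> for <service>.
ISSUE_RE = re.compile(r"ISSUE: .* (?P<client>\S+) for (?P<service>\S+)$")
# KDC log: <client> is not in the realm database.
NOT_FOUND_RE = re.compile(r"CLIENT_NOT_FOUND: (?P<client>\S+) for (?P<service>\S+),")
# ssh -vv client output.
OFFERED_RE = re.compile(r"Authentications that can continue: (\S+)")
METHOD_RE = re.compile(r"Next authentication method: (\S+)")
NO_CREDS_RE = re.compile(
    r"No Kerberos credentials available \(default cache: (?P<cache>[^)]+)\)")
SUCCESS_RE = re.compile(r"Authentication succeeded \((\S+)\)")


def parse_kdc_log(text):
    """Map each client principal seen in the KDC log to 'issued' or 'missing'."""
    status = {}
    for line in text.splitlines():
        m = ISSUE_RE.search(line)
        if m:
            status[m.group("client")] = "issued"
            continue
        m = NOT_FOUND_RE.search(line)
        if m:
            status[m.group("client")] = "missing"
    return status


def parse_ssh_debug(text):
    """Summarise the userauth negotiation from `ssh -vv` output."""
    summary = {"offered": [], "tried": [], "gssapi_cache": None, "succeeded": None}
    for line in text.splitlines():
        m = OFFERED_RE.search(line)
        if m and not summary["offered"]:
            summary["offered"] = m.group(1).split(",")
            continue
        m = METHOD_RE.search(line)
        if m:
            summary["tried"].append(m.group(1))
            continue
        m = NO_CREDS_RE.search(line)
        if m:
            summary["gssapi_cache"] = m.group("cache")
            continue
        m = SUCCESS_RE.search(line)
        if m:
            summary["succeeded"] = m.group(1)
    return summary


def triage(user_principal, kdc_text, ssh_text):
    """Return a list of (code, explanation) findings for one login attempt."""
    kdc = parse_kdc_log(kdc_text)
    ssh = parse_ssh_debug(ssh_text)
    findings = []
    if kdc.get(user_principal) == "missing":
        findings.append(("PRINCIPAL_MISSING",
                         f"KDC reports CLIENT_NOT_FOUND for {user_principal}: the realm "
                         "database has no such principal, so kinit for it cannot succeed"))
    if "gssapi-with-mic" not in ssh["offered"]:
        findings.append(("SERVER_NO_GSSAPI",
                         "sshd did not offer gssapi-with-mic; GSSAPI authentication is "
                         "disabled or unsupported on the server"))
    if ssh["gssapi_cache"]:
        findings.append(("NO_TGT_IN_CACHE",
                         f"the client's GSSAPI step found no credentials in "
                         f"{ssh['gssapi_cache']}; a TGT must exist in that cache "
                         "before ssh -K can use it"))
    if ssh["succeeded"] and ssh["succeeded"] != "gssapi-with-mic":
        findings.append(("FELL_BACK_TO",
                         f"login succeeded via {ssh['succeeded']}, not Kerberos"))
    return findings


if __name__ == "__main__":
    for code, why in triage("myuser@SUBDOMAIN.OURDOMAIN.EDU", KDC_LOG, SSH_DEBUG):
        print(f"{code}: {why}")
```

Run against the constructed sample it reports three findings: the user principal is absent from the KDC, the client's credential cache held no ticket when GSSAPI was attempted, and the session was ultimately authenticated by password. The same script returns no findings when fed a KDC `ISSUE` line for the principal together with an ssh transcript whose success line reads `gssapi-with-mic`, which is the shape the output takes once Kerberos login works end to end.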