Bug 162096 - Configuring kerberos authentication.
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
4.0
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Brian Brock
Reported: 2005-06-29 16:23 EDT by Dave English
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2005-07-01 13:00:23 EDT
Description Dave English 2005-06-29 16:23:08 EDT
Configuring kerberos authentication.
sshd asks for "Password: Response:".
OpenSSH should just authenticate via the Kerberos ticket and pass on the ticket to the
remote host/s, but this is not the case.
Comment 1 Tomas Mraz 2005-06-30 03:16:10 EDT
What exact client and server versions of openssh do you use?
Comment 2 Dave English 2005-06-30 10:27:18 EDT
rpm -qa | grep ssh
openssh-server-3.9p1-8.RHEL4.4
openssh-3.9p1-8.RHEL4.4
openssh-clients-3.9p1-8.RHEL4.4
Comment 3 Tomas Mraz 2005-06-30 10:34:23 EDT
You're really terse.

Do you connect from RHEL4 machine to another RHEL4 machine?

Do you have GSSAPIAuthentication yes in both ssh_config and sshd_config files?
Comment 4 Dave English 2005-06-30 11:10:02 EDT
yes in both

grep GSSAPIAuthentication ssh*config

ssh_config:     GSSAPIAuthentication yes
sshd_config:GSSAPIAuthentication yes
Comment 5 Dave English 2005-06-30 11:12:00 EDT
Do you connect from RHEL4 machine to another RHEL4 machine? YES

With both the same rev
 
2.6.9-11.ELsmp #1 SMP Fri May 20 18:25:30 EDT 2005 x86_64 x86_64 x86_64 GNU/Linux
Comment 6 Tomas Mraz 2005-06-30 14:48:30 EDT
Hmm, I cannot reproduce it here. Have you correctly set up your
/etc/krb5.keytab with the server key?

Also, if you, as a paying customer, want a proper response from Red Hat, you should
use the Issue Tracker for reporting problems with Red Hat Enterprise Linux.
Comment 7 Dave English 2005-07-01 11:15:49 EDT
Yes, when I do a strings on the file it is fine: right host name, domain / realm
Comment 8 Tomas Mraz 2005-07-01 11:48:37 EDT
There can be problems with the host name resolution (is your host multihomed?).

Could you attach here your krb5.conf file, klist output of your ticket and
getprinc output from kadmin for the host principal of the sshd server machine?
Comment 9 Dave English 2005-07-01 11:55:55 EDT
cat /etc/krb5.conf
[libdefaults]
        ticket_lifetime = 600
        default_realm = XXX.COM
        default_tgs_enctypes = des-cbc-crc des-cbc-md5 des3-hmac-sha1
        default_tkt_enctypes = des-cbc-crc des-cbc-md5 des3-hmac-sha1
        clockskew = 600
        forwardable = true

[realms]
        XXX.COM = {
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                admin_server = xxx.xxx.xxx.xxx:749
                default_domain = XXX.COM
        }

[domain_realm]
        .XXX.com = XXX.COM
        XXX.com = XXX.COM

[kerbnet-config]
   version = 1.0
   symlink-name = /usr/kerberos/kerbnet

[logging]
        default = SYSLOG:DEBUG:AUTH

[appdefaults]
    telnet = {
        forwardable = true
        forward = true
        encrypt = false
        autologin = true
    }
    rlogin = {
        forwardable = true
        forward = true
        encrypt = true
    }
    rsh = {
        forwardable = true
        forward = true
        encrypt = true
    }
    rcp = {
        encrypt = true
    }
    pam = {
        forwardable = true
    }
    login = {
        krb5_run_aklog = false
        krb5_get_tickets = true
        krb4_get_tickets = false
        krb4_convert = false
    }



Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: eng007@XXX.COM

Valid starting     Expires            Service principal
07/01/05 11:50:58  07/01/05 21:50:58  krbtgt/XXX.COM@XXX.COM
        renew until 07/02/05 11:50:56
07/01/05 11:51:01  07/01/05 21:50:58  host/XXXX.XXXXX.XXXXX.com@XXXX.COM
        renew until 07/02/05 11:50:56


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Comment 10 Tomas Mraz 2005-07-01 13:00:23 EDT
Hmm... there don't seem to be any obvious problems with the configuration,
however there still can be a problem with the service key.

As I cannot reproduce the problem here, I'm closing this bug for now as
worksforme. But you should use the paid support issue tracker to report the
problem so it can be investigated more. Please point them to this bug report.
Thank you.
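
The service-key check that Comments 6, 8 and 10 point at, as an added example that is not part of the original bug report: it compares the key version of the sshd host principal in `klist -k` output with the version the KDC reports through `kvno`. The host name `ssh1.example.com`, the realm `EXAMPLE.COM`, the sample outputs and the function names are constructed for illustration; the output layouts assumed are those of the MIT Kerberos `klist -k` and `kvno` tools.

```shell
#!/bin/sh
# Added example (not from the bug report). Sample data below is constructed.
# On a live server the two texts would come from:
#   klist -k /etc/krb5.keytab        and        kvno host/<server fqdn>

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/ssh1.example.com@EXAMPLE.COM'

SAMPLE_KVNO='host/ssh1.example.com@EXAMPLE.COM: kvno = 3'

# keytab_kvnos PRINCIPAL: reads `klist -k` text on stdin and prints every
# key version stored for that exact principal, one per line.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }'
}

# kdc_kvno PRINCIPAL: reads `kvno` output on stdin and prints the key
# version the KDC currently issues service tickets for.
kdc_kvno() {
    awk -v p="$1:" '$1 == p && $2 == "kvno" { print $4 }'
}

# check_service_key FQDN REALM KEYTAB_TEXT KVNO_TEXT
# FQDN must be the name the client resolves the server to, because the
# client requests a ticket for host/<that name>@REALM.
check_service_key() {
    princ="host/$1@$2"
    have=$(printf '%s\n' "$3" | keytab_kvnos "$princ")
    want=$(printf '%s\n' "$4" | kdc_kvno "$princ")
    if [ -z "$have" ]; then
        echo "MISSING_PRINCIPAL $princ"; return 1
    fi
    if [ -z "$want" ]; then
        echo "NO_KDC_ANSWER $princ"; return 1
    fi
    if printf '%s\n' "$have" | grep -qx "$want"; then
        echo "OK $princ kvno=$want"; return 0
    fi
    # The keytab holds the principal, but not the key version the KDC uses.
    echo "KVNO_MISMATCH $princ keytab=$(echo $have | tr ' ' ',') kdc=$want"
    return 1
}

# Demo on the constructed data: the keytab is one key version behind the KDC.
check_service_key ssh1.example.com EXAMPLE.COM "$SAMPLE_KEYTAB" "$SAMPLE_KVNO" || true
```

A `MISSING_PRINCIPAL` or `KVNO_MISMATCH` verdict means sshd cannot decrypt the service ticket the client presents, so GSSAPI authentication fails and the client moves on to the next method, such as a password prompt.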
