
krb5 ticket forwarding



Hello,

I'm quite new to kerberos, and I'm desperately trying to get krb5 ticket 
forwarding running. I'm running a heimdal 0.6.3 KDC and have set up ssh and 
pam (with afs) on a couple of nodes. The nodes are running Scientific Linux. 
When I ssh into one of these nodes I'm being asked for a passwd, it lets me 
in and I get all credentials that I requested, that is krb5, krb4 and AFS. 
Fine. When I try to ssh to another node, krb5 authentication succeeds, but 
the kerberos 5 ticket is not being forwarded although all the others are. I 
have tried a lot of things now, but all without success. Below I append all 
relevant logs. 

Can anybody point me to what could be wrong? Is this maybe an ssh problem?

many many thanks in advance,
Ulrich 

-bash-2.05b$ ssh opteron005 -v -v -v -1
OpenSSH_3.6.1p2-CERN20030917, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /home/schwicke/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to opteron005 [192.168.164.95] port 22.
debug1: Connection established.
debug1: identity file /home/schwicke/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2-CERN20030917
debug1: match: OpenSSH_3.6.1p2-CERN20030917 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2-CERN20030917
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /home/schwicke/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/schwicke/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'opteron005' is known and matches the RSA1 host key.
debug1: Found key in /home/schwicke/.ssh/known_hosts:1
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug2: cipher_init: set keylen (16 -> 32)
debug2: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v5 authentication.
debug3: Trying to reverse map address 192.168.164.95.
debug1: Kerberos v5 authentication accepted.
debug1: Kerberos v5 TGT forwarding failed: KDC has no support for encryption type
debug1: Kerberos v4 TGT forwarded (schwicke@FZK.DE).
debug1: AFS token for cell ka.fzk.de forwarded.
debug1: Requesting pty.
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 127
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 0
debug3: tty_make_modes: 7 0
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22


Indeed, the kdc log shows:
2005-01-14T11:22:03 AS-REQ schwicke@FZK.DE from IPv4:192.168.164.95 for krbtgt/FZK.DE@FZK.DE
2005-01-14T11:22:03 AS-REQ schwicke@FZK.DE from IPv4:192.168.164.95 for krbtgt/FZK.DE@FZK.DE
2005-01-14T11:22:03 Using des-cbc-crc/des-cbc-crc
2005-01-14T11:22:03 Using des-cbc-crc/des-cbc-crc
2005-01-14T11:22:03 Requested flags: renewable, proxiable, forwardable
2005-01-14T11:22:03 Requested flags: renewable, proxiable, forwardable
2005-01-14T11:22:03 sending 525 bytes to IPv4:192.168.164.95
2005-01-14T11:22:03 sending 525 bytes to IPv4:192.168.164.95
2005-01-14T11:22:06 TGS-REQ schwicke@FZK.DE from IPv4:192.168.164.95 for krbtgt/FZK.DE@FZK.DE [forwarded]
2005-01-14T11:22:06 TGS-REQ schwicke@FZK.DE from IPv4:192.168.164.95 for krbtgt/FZK.DE@FZK.DE [forwarded]
2005-01-14T11:22:06 Server has no support for etypes
2005-01-14T11:22:06 Server has no support for etypes
2005-01-14T11:22:06 Server has no support for etypes
2005-01-14T11:22:06 Server has no support for etypes
2005-01-14T11:22:06 sending 126 bytes to IPv4:192.168.164.95
2005-01-14T11:22:06 sending 126 bytes to IPv4:192.168.164.95
2005-01-14T11:22:06 TGS-REQ (krb4) schwicke.@FZK.DE from IPv4:192.168.164.95 for afs.@FZK.DE
2005-01-14T11:22:06 TGS-REQ (krb4) schwicke.@FZK.DE from IPv4:192.168.164.95 for afs.@FZK.DE
2005-01-14T11:22:06 Lookup afs@FZK.DE succeeded
2005-01-14T11:22:06 Lookup afs@FZK.DE succeeded
2005-01-14T11:22:06 sending 114 bytes to IPv4:192.168.164.95
2005-01-14T11:22:06 sending 114 bytes to IPv4:192.168.164.95

The syslog file on the client I connect to shows the following lines:

Jan 14 11:22:03 opteron005 sshd[10816]: pam_krb5afs: authenticate error: Decrypt integrity check failed (-1765328353)
Jan 14 11:22:03 opteron005 sshd[10816]: pam_krb5afs: authentication fails for `schwicke'
Jan 14 11:22:03 opteron005 sshd(pam_unix)[10816]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=opteron005.fzk.de user=schwicke
Jan 14 11:22:06 opteron005 sshd[10816]: Accepted none for schwicke from 192.168.164.95 port 33289
Jan 14 11:22:06 opteron005 sshd(pam_unix)[10818]: session opened for user schwicke by (uid=7597)


The libdefaults stanza in the kerberos config file looks like this:
[libdefaults]
        default_realm = FZK.DE
        ticket_lifetime = 90000
        default_etypes_des = des-cbc-crc 
        renew_lifetime = 1209600
        default_etypes = des-cbc-crc
        forwardable = yes
        krb4_get_tickets = yes
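As an added example (not from the post and not Heimdal's own code), a small Python parser over constructed lines in the KDC log format shown above: it groups each AS-REQ/TGS-REQ with the KDC messages that follow it, flags forwarded TGS-REQs that were answered with "Server has no support for etypes", and lists any single-DES etypes the KDC reported using, which is what an operator would pull from the KDC log when a forwarded ticket is being dropped.

```python
import re

# Constructed sample in the Heimdal KDC log format shown in the post (not the
# poster's log; principals and addresses are made up). The doubled error line
# mimics the repeated entries in the post and is collapsed by the parser.
SAMPLE_KDC_LOG = """\
2005-01-14T11:22:03 AS-REQ user@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
2005-01-14T11:22:03 Using des-cbc-crc/des-cbc-crc
2005-01-14T11:22:03 sending 525 bytes to IPv4:192.0.2.10
2005-01-14T11:22:06 TGS-REQ user@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG [forwarded]
2005-01-14T11:22:06 Server has no support for etypes
2005-01-14T11:22:06 Server has no support for etypes
2005-01-14T11:22:06 sending 126 bytes to IPv4:192.0.2.10
2005-01-14T11:22:09 TGS-REQ user@EXAMPLE.ORG from IPv4:192.0.2.10 for host/node2.example.org@EXAMPLE.ORG
2005-01-14T11:22:09 sending 600 bytes to IPv4:192.0.2.10
"""

# Single-DES enctypes: deprecated by RFC 6649 and refused by modern KDCs.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

REQ_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>AS-REQ|TGS-REQ)(?: \(krb4\))? (?P<client>\S+) "
    r"from (?P<addr>\S+) for (?P<service>\S+?)(?P<fwd> \[forwarded\])?$")

def parse_kdc_log(text):
    """Group each AS-REQ/TGS-REQ line with the KDC messages that follow it
    (etypes used, etype errors) up to the next request line."""
    requests, prev = [], None
    for line in text.splitlines():
        if line == prev:              # collapse consecutively doubled log lines
            continue
        prev = line
        m = REQ_RE.match(line)
        if m:
            requests.append({"ts": m["ts"], "kind": m["kind"], "client": m["client"],
                             "service": m["service"], "forwarded": bool(m["fwd"]),
                             "etypes": set(), "errors": []})
        elif requests:
            body = line.split(" ", 1)[-1]   # strip the leading timestamp
            if body.startswith("Using "):
                requests[-1]["etypes"].update(body[len("Using "):].split("/"))
            elif "no support for etypes" in body:
                requests[-1]["errors"].append(body)
    return requests

def failed_forwardings(requests):
    # Forwarded TGS-REQs that the KDC answered with an etype error.
    return [r for r in requests if r["forwarded"] and r["errors"]]

def weak_etypes_used(requests):
    # Single-DES etypes the KDC reported using anywhere in the log.
    return sorted({e for r in requests for e in r["etypes"] if e in SINGLE_DES})
```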