directory-users mailing list archives

From Andreas Backman <andr...@kontorsplatsen.se>
Subject Re: Kerberized SSH keeps asking for password
Date Thu, 04 Feb 2010 07:17:42 GMT
Thanks a lot for your reply! Somehow I missed that error.

I removed my keytab and created a new one using your guide. But there seems to be something wrong
with the keytab.

> ktutil 
ktutil:  addent -password -p host/sa-1.base.kplatsen.local -k 1 -e des-cbc-md5
Password for host/sa-1.base.kplatsen.local@KPLATSEN.LOCAL: (Entering the password stored in the LDAP, for this entry)
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/sa-1.base.kplatsen.local@KPLATSEN.LOCAL
ktutil:  wkt
wkt: must specify keytab to write
ktutil:  wkt /etc/krb5.keytab
ktutil:  quit

> klist -5ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/sa-1.base.kplatsen.local@KPLATSEN.LOCAL (DES cbc mode with RSA-MD5) 

> kinit -k -t /etc/krb5.keytab host/sa-1.base.kplatsen.local@KPLATSEN.LOCAL
kinit: Password incorrect while getting initial credentials


/Andreas

----- Original message -----
From: "Stefan Seelmann" <seelmann@apache.org>
To: users@directory.apache.org
Sent: Wednesday, 3 Feb 2010 20:43:13 GMT +01:00 Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
Subject: Re: Kerberized SSH keeps asking for password

Hi Andreas,

oh, huge log ;-)

Andreas Backman wrote:
>  [08:59:49] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Responding with Authentication Service (AS) reply:
>  	messageType:           AS_REP
>  	protocolVersionNumber: 5
>  	nonce:                 790659966
>  	clientPrincipal:       andreas@KPLATSEN.LOCAL
>  	client realm:          KPLATSEN.LOCAL
>  	serverPrincipal:       krbtgt/KPLATSEN.LOCAL@KPLATSEN.LOCAL
>  	server realm:          KPLATSEN.LOCAL
>  	auth time:             20100203075949Z
>  	start time:            null
>  	end time:              20100204075942Z
>  	renew-till time:       null
>  	hostAddresses:         null
here you got the TGT...

>  [09:00:26] DEBUG [org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - Responding with Ticket-Granting Service (TGS) reply:
>  	messageType:           TGS_REP
>  	protocolVersionNumber: 5
>  	nonce:                 1265184026
>  	clientPrincipal:       andreas@KPLATSEN.LOCAL
>  	client realm:          KPLATSEN.LOCAL
>  	serverPrincipal:       host/sa-1.base.kplatsen.local@KPLATSEN.LOCAL
here you got the service ticket...

>  [09:00:46] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
>  org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
...
>  [09:00:46] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
>  	explanatory text:      Integrity check on decrypted field failed
>  	error code:            31
>  	clientPrincipal:       null
>  	client time:           null
>  	serverPrincipal:       krbtgt/KPLATSEN.LOCAL@KPLATSEN.LOCAL
>  	server time:           20100203080046Z
I guess there is a problem with your keys. Could you please verify that 
your sshd keytab is ok? You could also try to run sshd in debug mode.

BTW: I was able to get a kerberized SSHD running (on localhost) and 
updated the guide [1].

Kind Regards,
Stefan


[1] http://cwiki.apache.org/DIRxINTEROP/kerberos-authentication-to-sshd.html




-- 
Kind regards

Andreas Backman

031-352 33 03
0709-26 33 82

www.kontorsplatsen.se

