
I'm trying to log in to a server that only supports Kerberos authentication. Here's what I try:

kinit [email protected]
aklog -c foo.org
ssh server

But then I'm asked again for a password.

Here's what I have in my ~/.ssh/config for the entry server (my /etc/ssh/ssh_config is empty):

Host server
    HostName someserver.foo.org
    User user
    ForwardX11 yes
    ForwardX11Trusted yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

According to colleagues, this (or something similar) is working for them. I can log onto other machines with Kerberos tokens just fine. I assume it has something to do with my /etc/krb5.conf, but I do not know what to look for. I tried copying the /etc/krb5.conf from the server to my workstation, but without success.

Here's part of the output if I run ssh -vvv server:

debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information


debug2: we sent a gssapi-with-mic packet, wait for reply

How can I log in with my local Kerberos token? What am I doing wrong?

pfnuesel
  • Can't you just create a key and put the public key in `~/.ssh/authorized_keys` on the server? `man ssh-keygen` – MikeA Oct 19 '16 at 23:02
  • @MikeA The server accepts only connections with a valid kerberos token. – pfnuesel Oct 19 '16 at 23:05
  • Try setting `GSSAPIAuthentication yes` in your `~/.ssh/config` file and retry. Also look at the `PreferredAuthentications` setting and make sure you have `gssapi-with-mic` first. – VenkatC Oct 20 '16 at 01:07
  • @VenkatC I tried both of these before, no success. – pfnuesel Oct 20 '16 at 09:24
  • From your ssh debug output above, I do not see it trying to use Kerberos credentials anywhere. Would you post the ssh output with `GSSAPIAuthentication` and `GSSAPIKeyExchange` both set to yes? Also post the `klist` output before ssh. – VenkatC Oct 20 '16 at 13:23
  • @VenkatC Sorry, I somehow missed your second comment. I've updated the question now by adding `GSSAPIAuthentication yes` to the `~/.ssh/config` and the important part of the `ssh -vvv` command. – pfnuesel Oct 27 '16 at 13:51
  • The error "server not found in kerberos database" generally means that the host to which you're trying to connect does not have a valid `/etc/krb5.keytab` file. – larsks Oct 27 '16 at 14:09
  • @larsks Thanks. So do I understand correctly it's a problem on the server? I wonder why other people then can connect though. – pfnuesel Oct 27 '16 at 15:15
  • Actually, I'm confused now. Are you saying that your colleagues can log into the *same* server successfully? *And* you are able to successfully log into other servers using your Kerberos ticket? If you could update your question to be explicit about which situations are working (or not), that might help. – larsks Oct 27 '16 at 15:39
  • Make sure DNS resolves properly for the server `someserver.foo.org`, both forward and reverse lookup. This is important for Kerberos functionality. Also clarify whether other users can log on to the same server from the same client you are trying to connect from. – VenkatC Oct 27 '16 at 17:36

2 Answers


You probably need to add the server to the Kerberos database (aka KDC) by creating a principal for the machine itself.

If you are running Windows Active Directory with a KDC you can use the ktpass.exe to add the host to the KDC.

If you are running a Windows or Linux Kerberos KDC, you can use the ktutil command in a Linux shell to add the principal to the Kerberos database.

Blake Russo
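The answer above and VenkatC's comment about forward and reverse DNS describe the same failure from two sides: the client asks the KDC for a `host/<name>@REALM` principal whose name comes from DNS canonicalisation, and "Server not found in Kerberos database" means the KDC has no such principal. The following helper, added here and not part of the question or either answer, mimics that canonicalisation so the name can be checked offline; the realm FOO.ORG, the address 192.0.2.10 and the PTR record are constructed assumptions.

```python
# Added diagnostic helper (not from the original post): which host principal
# will the ssh client request, and does the KDC know it?
import socket

# Real MIT Kerberos error strings as printed in 'ssh -vvv' output, with the
# check an admin should run next. Only the first one appears in the question.
GSS_HINTS = {
    "Server not found in Kerberos database":
        "KDC has no host/<name>@REALM entry for the name the client resolved; "
        "compare forward and reverse DNS with the server's keytab (klist -k)",
    "Clock skew too great": "client and server clocks differ too much; fix NTP",
    "No credentials cache found": "no TGT in the cache; run kinit, check klist",
    "Ticket expired": "TGT lifetime is over; run kinit again",
}

def classify_gss_failure(ssh_debug_output):
    """Return the known Kerberos error strings present in ssh -vvv output."""
    found = []
    for line in ssh_debug_output.splitlines():
        for err in GSS_HINTS:
            if err in line and err not in found:
                found.append(err)
    return found

def requested_host_principal(hostname, realm, forward, reverse, rdns=True):
    """Mimic MIT krb5 host canonicalisation (dns_canonicalize_hostname = true):
    forward-resolve to the canonical name, then, when rdns is on (the MIT krb5
    default), replace it with the PTR name of the first address.
    forward(name) -> (canonical_name, [ips]); reverse(ip) -> ptr name or None."""
    warnings = []
    canon, ips = forward(hostname)
    name = canon.lower()
    if rdns and ips:
        ptr = reverse(ips[0])
        if ptr is None:
            warnings.append("no PTR record for %s" % ips[0])
        elif ptr.lower() != name:
            warnings.append("reverse DNS for %s is %s, not %s" % (ips[0], ptr, canon))
            name = ptr.lower()
    return "host/%s@%s" % (name, realm), warnings

# Thin wrappers over the system resolver for live use on a real client.
def live_forward(name):
    canon, _aliases, ips = socket.gethostbyname_ex(name)
    return canon, ips

def live_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None
```

Compare the returned principal with `klist -k` on the server: if the PTR name differs from the name in the keytab, the KDC lookup fails exactly as in the ssh -vvv output, even though colleagues whose clients have `rdns = false` may log in fine.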

It might be that the NTPD service has gone down. At least in my case, when I checked the status, the service had failed with logs showing PANIC_STOP. Try the steps below:

  1. systemctl stop ntpd
  2. systemctl status ntpd
  3. Please take note of one of the servers in /etc/ntpd.conf
  4. ntpdate <ABOVE SERVER>
  5. systemctl start ntpd

RalfFriedl
  • Some of the steps are not necessary, and it would make sense to first verify whether the time is actually wrong. – RalfFriedl May 14 '19 at 17:44