# kerberized ssh

## skwang

I recently installed mit-krb5 (kerberos 5) on my gentoo laptop.  For work we used kerberized logins so I can't ssh/telnet/etc. into any machine until I have a kerberos ticket.  Kerberos seems to work fine.  I can type

```
kinit -f
```

(my passphrase)

and receive a kerberos ticket. I can then use krlogin (which came with mit-krb5) and connect to the machines at work.

However, I cannot seem to ssh into the same machines, even with a kerberos ticket.  When I do, I get prompted for a password.  (We don't have passwords on the machines; if you get the password challenge it means that kerberos didn't work. If kerberos *had* worked I would have automatically logged in and gotten the command prompt.)

I've tried recompiling ssh (I use openssh) with the kerberos, skey, and pam flags all on (among others).  I didn't see any options in the /etc/ssh_config file that jumped out at me, but I tried some flags (such as -A).  Nothing I seem to do allows me to ssh into the kerberized machines in question.

I haven't tried "regular" ssh yet, but on other machines (not my laptop) we use openssh without any problems, so I don't believe that is the problem.

If anyone has any insights into what might be happening please let me know.  Thanks in advance.

----------

## moocha

```
grep -i kerberos /etc/ssh/sshd_config
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
```

Are those set up? Note: sshd_config on the machine you're logging into, not plain ssh_config on the client machine.

----------

## skwang

moocha,

I can ssh into the kerberized machines in question from computers at work, but not from my laptop.  This seems to indicate the problem is wholly on my end and not theirs.

Thanks anyway for the response.

----------

## moocha

You're right, of course, has to be on that end then... I'll do some research and get back to the thread if I find anything out.

----------

## MPDoc

I'm having exactly the same problem at school.  Maybe someone has come up with some advice since May?  Thanks in advance.

----------

## MPDoc

Well, I've looked into it a bit more, and it looks like the version of openssh I have uses the keyword GSSAPIAuthentication to run kerberos.  It's still not working, but I think I'm making progress, and if I can figure out how to make it work, I'll put a post up here.

----------

## gyades

Have you managed to get anywhere on this?

I am having a similar problem -- I am trying to log into a kerberized linux cluster but cannot do so.  Well, I can, but only using a cryptocard to generate one time passwords -- a pain in the neck to deal with.  I tried recompiling with

```
USE="kerberos" emerge openssh
```

but that did not appear to do anything useful -- actually it did get rid of a complaint that it didn't recognize GSSAPI authentication that I had turned on in /etc/ssh/ssh_config (based on the last message in the thread).  But it still doesn't work for me.

So I'm curious if you have any further ideas.

----------

## gyades

In doing further research on this, I've managed to learn a little, but I'm not much closer to an actual solution.  It looks like you need (in this case) to get the authentication method external-keyx working.

A snippet from the `ssh -vvv` output from a machine that manages to make this work successfully:

```
11584: debug1: got SSH2_MSG_SERVICE_ACCEPT
11584: debug1: authentications that can continue: external-keyx,gssapi,keyboard-interactive
11584: debug3: start over, passed a different list external-keyx,gssapi,keyboard-interactive
11584: debug3: preferred external-keyx,gssapi,publickey,keyboard-interactive,password
11584: debug3: authmethod_lookup external-keyx
11584: debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
11584: debug3: authmethod_is_enabled external-keyx
11584: debug1: next auth method to try is external-keyx
11584: debug2: userauth_external
11584: debug2: we sent a external-keyx packet, wait for reply
11584: debug1: ssh-userauth2 successful: method external-keyx
11584: debug1: channel 0: new [client-session]
```

Now for the end of a login attempt from the problem machine:

```
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/satish/.ssh/identity ((nil))
debug2: key: /home/satish/.ssh/id_rsa ((nil))
debug2: key: /home/satish/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: external-keyx,gssapi,keyboard-interactive
debug3: start over, passed a different list external-keyx,gssapi,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Press ENTER and compare this challenge to the one on your display: [44806544]
Enter the displayed response:
```

Where that last bit is it defaulting to the cryptocard access.   Hmmm, so I hack my /etc/ssh/ssh_config file to have the line

```
PreferredAuthentications external-keyx
```

but that only yields

```
debug2: Unrecognized authentication method name: external-keyx
```

Variations on the config line that were suggested by web searches didn't help.  But they did suggest that I need Steve Wilkinson's external-keyx patches for openssh.  But where they may be found remains something of a mystery to me.

I suspect that if I can get that applied, then I will get somewhere.

----------

## adastra

I'm sorry to revive this old thread but did anyone ever get kerberized OpenSSH actually working?  I would really love to stop using my cryptocard too.

----------

## gyades

Well, I found a solution that works for me, but it's pretty specific to my situation, so you may not be so lucky.

I'm connecting to machines at Fermilab, which distributes a tarball that has a precompiled ssh client that works.  It's available at

ftp://ftp.fnal.gov/pub/fnal-kerberos-clientonly/current/

The scp in this package doesn't work for me, but krcp (I forget which package it belongs to) does.  So I'm in a decent enough situation.

I did eventually find the patch I mentioned, at

http://www.sxw.org.uk/computing/patches/openssh.html

But having the fermilab client knocked this issue down enough on my priority list that I haven't bothered to figure out how to do a custom ebuild to apply the patch.  If you're so inclined, you might want to look further into it.

----------

## adastra

*Quote:*

> I'm connecting to machines at Fermilab

Ha, so am I!  I'll look into this patch you found.  Maybe I could PM you and we could discuss this further.  Are there more of us who have eschewed the Fermi Linux for the goodness that is Gentoo and Portage?

----------

## adastra

I did manage to get that GSSAPI patch into a custom ebuild and emerge it but it made no difference.  Kerberos on OpenSSH seems to be just plain broken.

----------

## Cinquero

Anyone submitted a bug report, yet?

----------

## adastra

Well, I haven't, because I don't really know if it is "broken" or just won't work with the specific kerberos authentication method our lab has chosen.  I thought they were all the same, but now I have no idea.

----------

## Cinquero

According to the page at

http://www-oss.fnal.gov/projects/fermilinux/common/kerberos.html

it is likely that it is broken.

----------

## Cinquero

https://bugs.gentoo.org/show_bug.cgi?id=16824

Could that be the answer?

We have some machines here that successfully connect to FNAL computers using a debianized openssh version:

```
me@somehost:$ apt-cache show ssh-krb5
Package: ssh-krb5
Priority: extra
Section: net
Installed-Size: 1700
Maintainer: Sam Hartman <hartmans@debian.org>
Architecture: i386
Source: openssh-krb5
Version: 3.8.1p1-7
Provides: rsh-client, ssh
Depends: libc6 (>= 2.3.2.ds1-4), libcomerr2 (>= 1.33-3), libkrb53 (>= 1.3.2), libpam0g (>= 0.76), libssl0.9.7, libwrap0, zlib1g (>= 1:1.2.1), debconf (>= 1.2.0), libpam-runtime (>= 0.76-14), debconf, adduser (>= 3.9), libpam-runtime (>= 0.76-14)
Suggests: ssh-askpass, xbase-clients, dpkg (>= 1.8.3.1), dnsutils, rssh
Conflicts: ssh, ssh-nonfree, ssh-socks, ssh2, sftp, rsh-client (<< 0.16.1-1)
Filename: pool/main/o/openssh-krb5/ssh-krb5_3.8.1p1-7_i386.deb
Size: 706568
MD5sum: b3f9c6cd64eca310e6d49e55fc3e3922
Description: Secure rlogin/rsh/rcp replacement (OpenSSH with Kerberos)
 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network.  X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It is intended as a replacement for rlogin, rsh and rcp, and can be
 used to provide applications with a secure communication channel.
 .
 This version of OpenSSH has been compiled with patches enabling
 Kerberos authentication for protocol versions 1 and 2.
 This package provides both the ssh client and the sshd server.
me@somehost:$ ssh -v
OpenSSH_3.8.1p1  Debian-krb5 3.8.1p1-7, OpenSSL 0.9.7e 25 Oct 2004
usage: ssh [-1246AaCfghkKNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
           [-D port] [-e escape_char] [-F configfile] [-i identity_file]
           [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]
           [-p port] [-R port:host:hostport] [user@]hostname [command]
```

----------

## Cinquero

Ok, I have a partial solution:

apply the debian ssh-krb5 diff file to openssh-3.8.1p1-r1 and you will be fine.

Unfortunately, server and client ssh versions must be identical, so using a newer one is likely to fail. (although I rather guess that this has to do with how the authentication service is called internally... regular openssh versions from 3.8.1+ always only use the service name gssapi-with-mic, whereas the debian diff includes support for 'gssapi'... that is REALLY awkward.)

================

ok, here is a rather useful solution:

http://omnibus.uni-freiburg.de/~stierm/d0/kerberos_linux_client/

----------
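The two `ssh -vvv` excerpts gyades posted earlier show the whole story of a failed Kerberos login: the server announces which methods it will accept, the client walks its own PreferredAuthentications list and takes the first one the server also offered, and when the only overlap is keyboard-interactive you get the cryptocard prompt. Cinquero's point about newer clients speaking `gssapi-with-mic` while the server offers `gssapi` is the same kind of mismatch by another name. The following script is an added example, not code from this thread or from OpenSSH: it parses transcripts of that shape and reports which methods each side has that the other lacks. All three transcripts embedded in it are constructed from the lines quoted in the thread; the third one (a client that rejects `external-keyx` and prefers `gssapi-with-mic`) is an assumed illustration of Cinquero's claim, not something posted here.

```python
import re

# Constructed transcripts, trimmed to the lines that matter, modelled on
# the ssh -vvv excerpts quoted in the thread.
WORKING_CLIENT = """\
11584: debug1: authentications that can continue: external-keyx,gssapi,keyboard-interactive
11584: debug3: preferred external-keyx,gssapi,publickey,keyboard-interactive,password
11584: debug1: next auth method to try is external-keyx
11584: debug1: ssh-userauth2 successful: method external-keyx
"""

STOCK_CLIENT = """\
debug1: Authentications that can continue: external-keyx,gssapi,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug1: Next authentication method: keyboard-interactive
Press ENTER and compare this challenge to the one on your display: [44806544]
"""

# Constructed (assumed) transcript: a client told to prefer external-keyx,
# which it does not implement, and that only speaks gssapi-with-mic, so the
# server's plain "gssapi" offer is never matched.
NEWER_CLIENT = """\
debug2: Unrecognized authentication method name: external-keyx
debug1: Authentications that can continue: external-keyx,gssapi,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug1: Next authentication method: keyboard-interactive
"""

# Older clients print this line in lower case, newer ones capitalise it.
OFFERED_RE = re.compile(r"authentications that can continue: (\S+)", re.IGNORECASE)
PREFERRED_RE = re.compile(r"debug3: preferred (\S+)")
UNKNOWN_RE = re.compile(r"Unrecognized authentication method name: (\S+)")


def parse_transcript(text):
    """Extract the server's offered list, the client's preferred list and any
    method names the client refused to recognise from a -vvv transcript."""
    offered, preferred, unknown = [], [], []
    for line in text.splitlines():
        m = OFFERED_RE.search(line)
        if m:
            offered = m.group(1).split(",")
            continue
        m = PREFERRED_RE.search(line)
        if m:
            preferred = m.group(1).split(",")
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown.append(m.group(1))
    return {"offered": offered, "preferred": preferred, "unknown": unknown}


def first_usable(offered, preferred):
    """Mirror the client's choice: walk the preferred list in order and take
    the first method the server also listed; None if there is no overlap."""
    for method in preferred:
        if method in offered:
            return method
    return None


def diagnose(text):
    """Summarise why a transcript ended up on the method it did."""
    info = parse_transcript(text)
    return {
        "chosen": first_usable(info["offered"], info["preferred"]),
        # accepted by the server but never attempted by this client
        "server_only": [m for m in info["offered"] if m not in info["preferred"]],
        # wanted by the client but not on offer, e.g. gssapi-with-mic vs gssapi
        "client_only": [m for m in info["preferred"] if m not in info["offered"]],
        "unknown": info["unknown"],
    }


def report(text):
    d = diagnose(text)
    lines = [f"client will try: {d['chosen']}"]
    if d["server_only"]:
        lines.append("server offers but client never tries: " + ",".join(d["server_only"]))
    if d["client_only"]:
        lines.append("client prefers but server lacks: " + ",".join(d["client_only"]))
    if d["unknown"]:
        lines.append("client does not implement: " + ",".join(d["unknown"]))
    return "\n".join(lines)


if __name__ == "__main__":
    for name, transcript in (("working", WORKING_CLIENT),
                             ("stock", STOCK_CLIENT),
                             ("newer", NEWER_CLIENT)):
        print(f"== {name} ==")
        print(report(transcript))
```

Run against a real transcript (`ssh -vvv host 2>&1 | python3 script.py` after swapping the embedded strings for `sys.stdin.read()`), the "server offers but client never tries" line tells you whether the fix belongs in the client's PreferredAuthentications or in the client build itself: a method the server offers that the client lists but refuses to recognise (the `external-keyx` case here) cannot be configured in, it has to be compiled in.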

## gyades

*Quote:*

> ok, here is a rather useful solution:
>
> http://omnibus.uni-freiburg.de/~stierm/d0/kerberos_linux_client
> ...

Alas, this link is now broken.  I used it successfully some time ago, but my laptop was recently stolen.  I have a new one, and am attempting to set up ssh again, but so far have not been successful.  I googled for the debian ssh diff that you mentioned, and I found it at http://packages.debian.org/stable/net/ssh-krb5

But looking at the file, it seems to apply to files not contained in the standard ebuild.  I suppose one could also grab openssh-krb5_3.8.1p1.orig.tar.gz, and I think that's what the solution above did (I can find the directory listing in the google cache, if not the actual files).  However, I haven't done much with custom ebuilds (i.e. almost nothing), so I really don't know how to modify it to do more than add some extra patches.

So if anyone either has a copy of the ebuild lying around that I can steal -- or if you can explain to me what is necessary to get this working, I'd appreciate it.

----------

## Cinquero

https://stier.dynu.com/~myportage/net-misc/

----------

## gyades

Works like a charm

----------

## Cinquero

*gyades wrote:*

> Works like a charm

Just for the sake of my curiosity: is the standard ssh client in Gentoo also not able to connect to other Kerberos domains than Fermilab ones?

----------

## gyades

I don't have access to any other domains to test against.  But as a general rule, web searches for this issue only seem to point to FNAL.  So I'd guess that the problem is specific to Fermilab.

----------

