
| Subject: | OpenSSH 4.3p2 -> 4.3p2; gssapi problem. |
|---|---|
| Date: | Mon, 23 Jul 2007 20:17:03 -0700 |
Hello,

In this particular case, I have an Active Directory KDC from which I have created host principals and imported them into the proper keytabs. Both sides of the connection are running OpenSSH_4.3p2 Debian-8ubuntu1, OpenSSL 0.9.8c 05 Sep 2006.

I'm not really sure what the issue here is. I've successfully managed to get this sort of setup working previously with an MIT KDC. I can successfully initiate sec=krb5* NFSv4 connections between the two hosts, so I'm fairly confident that I managed to export the keytabs from AD properly, though obviously they utilize the nfs/ principals rather than host/. The exported keytabs use RC4-HMAC (the AD default).

I'm hoping that I've overlooked something straightforward that someone can readily point out.

Thanks in advance,
Ed

On the "server" side the following options are set:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

On the "client" side the following options are set:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPITrustDns yes
From the client, I use "kinit" to obtain the ticket for my user. I then
attempt to SSH into the server. I believe the following is the relevant
portion of a debug session:
Client:
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred
gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Miscellaneous failure
Generic error (see e-text)
Server:
debug1: userauth-request for user eroper service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for eroper from 10.10.130.145 port 60646 ssh2
Failed none for eroper from 10.10.130.145 port 60646 ssh2
debug1: userauth-request for user eroper service ssh-connection method
gssapi-with-mic
debug1: attempt 1 failures 1
Postponed gssapi-with-mic for eroper from 10.10.130.145 port 60646 ssh2
debug1: Miscellaneous failure
Key table entry not found
debug1: Got no client credentials
Failed gssapi-with-mic for eroper from 10.10.130.145 port 60646 ssh2
debug1: userauth-request for user eroper service ssh-connection method
gssapi-with-mic
debug1: attempt 2 failures 2
Failed gssapi-with-mic for eroper from 10.10.130.145 port 60646 ssh2
debug1: userauth-request for user eroper service ssh-connection method
publickey
debug1: attempt 3 failures 2
On the server:
anubis:~# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
3 nfs/anubis.domain.com@DOMAIN.COM
3 host/anubis.domain.com@DOMAIN.COM
On the client:
Ticket cache: FILE:/tmp/krb5cc_10116
Default principal: eroper@DOMAIN.COM
Valid starting Expires Service principal
07/23/07 12:35:15 07/23/07 22:35:15 krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 07/24/07 12:35:15
07/23/07 12:35:34 07/23/07 22:35:15 host/anubis.domain.com@DOMAIN.COM
renew until 07/24/07 12:35:15
Kerberos 4 ticket cache: /tmp/tkt10116
klist: You have no tickets cached
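An added diagnostic, not part of Ed's mail or of any reply in the thread: the server-side "Key table entry not found" is the MIT Kerberos KRB5_KT_NOTFOUND error, which the GSSAPI acceptor raises when no entry in its keytab matches the service principal, kvno and enctype of the ticket the client presented. The script below cross-checks the client's ticket cache listing against the server's keytab listing and against a `kvno` result, and flags a missing principal or a kvno mismatch. The two listings are constructed here from the output quoted in the mail; the `kvno` line is a constructed example of that tool's output (the real command is `kvno host/anubis.domain.com@DOMAIN.COM`, run on the client after kinit), and the awk field positions assume MIT `klist` formatting.

```shell
#!/bin/sh
# Cross-check a client's Kerberos service tickets against the acceptor's keytab.
# Sample inputs are constructed from the listings quoted in the mail (not live output).

KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 nfs/anubis.domain.com@DOMAIN.COM
   3 host/anubis.domain.com@DOMAIN.COM'

CLIENT_KLIST='Ticket cache: FILE:/tmp/krb5cc_10116
Default principal: eroper@DOMAIN.COM

Valid starting     Expires            Service principal
07/23/07 12:35:15  07/23/07 22:35:15  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 07/24/07 12:35:15
07/23/07 12:35:34  07/23/07 22:35:15  host/anubis.domain.com@DOMAIN.COM
        renew until 07/24/07 12:35:15'

# Constructed example of `kvno host/anubis.domain.com@DOMAIN.COM` output (assumption).
KVNO_OUTPUT='host/anubis.domain.com@DOMAIN.COM: kvno = 3'

# service_principals LISTING: one service principal per line from a `klist` dump,
# skipping the krbtgt and the "renew until" / header lines (MIT layout: 5th field).
service_principals() {
    printf '%s\n' "$1" | awk 'NF >= 5 && $5 ~ /@/ && $5 !~ /^krbtgt\// { print $5 }'
}

# keytab_kvnos PRINCIPAL LISTING: every KVNO the keytab holds for that principal.
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { print $1 }'
}

# ticket_kvno PRINCIPAL KVNO_OUTPUT: the kvno the KDC put in the client's ticket.
ticket_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p ":" { print $NF }'
}

# check_ticket_against_keytab CLIENT_KLIST KEYTAB_LISTING KVNO_OUTPUT
# Prints one finding per service principal; returns 0 only if every ticket has a
# keytab entry for the same principal and kvno (the acceptor's first two lookups).
check_ticket_against_keytab() {
    rc=0
    for p in $(service_principals "$1"); do
        kt_kvnos=$(keytab_kvnos "$p" "$2")
        tkt_kvno=$(ticket_kvno "$p" "$3")
        if [ -z "$kt_kvnos" ]; then
            echo "MISSING $p: no keytab entry; acceptor reports 'Key table entry not found'"
            rc=1
        elif [ -n "$tkt_kvno" ] && ! printf '%s\n' "$kt_kvnos" | grep -qx "$tkt_kvno"; then
            echo "KVNO    $p: ticket kvno $tkt_kvno, keytab has $(printf '%s' "$kt_kvnos" | tr '\n' ' ')"
            rc=1
        else
            echo "OK      $p: keytab entry present, kvno ${tkt_kvno:-?} matches"
        fi
    done
    return $rc
}

check_ticket_against_keytab "$CLIENT_KLIST" "$KEYTAB_LISTING" "$KVNO_OUTPUT"
```

For the listings quoted in the mail the script reports OK, which is the useful result: principal and kvno agree, so the `klist` output alone does not explain the failure, and the remaining acceptor-side lookup to compare is the enctype (`klist -k -e` on the server against `klist -e` on the client). Two further checks worth running in this situation: `kinit -k -t /etc/krb5.keytab host/anubis.domain.com@DOMAIN.COM` on the server, which fails if the keytab entry itself is unusable, and confirming that the host/ name sshd looks up from its own hostname resolution is the one the client obtained a ticket for.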