OpenSSH + Kerberos SSO: No key table entry found for host/localhost.localdomain

ssh kerberos single-sign-on gssapi scientific-linux
11,397

Could be a simple host name issue or a domain realm mapping issue.
(It's probably the first one, but for completeness here are both.)

hostname issue
hostname -f on kerberos.monzell.com
should return: kerberos.monzell.com
should not return: localhost.localdomain

domain realm mapping issue
dig -t txt _kerberos.kerberos.monzell.com
dig -t txt _kerberos.monzell.com

If you don't want to use /etc/krb5.conf should return
<record> <ttl num> IN TXT "MONZELL.COM".

However, given hosts file this is probably not the case.
/etc/krb5.conf should contain either:

[domain_realm]
.monzell.com MONZELL.COM

or

[domain_realm]
kerberos.monzell.com MONZELL.COM

Share:
11,397

Related videos on Youtube

Rilindo
Author by

Rilindo

I like clouds, I like automation, I like to automate clouds and secure them.

Updated on September 18, 2022

Comments

  • Rilindo
    Rilindo almost 2 years

    SSO not working with OpenSSH - I have not been able to get GSSAPIAuthentication to work with Kerberos. Everytime I attempted to login, I kept getting prompted for the password.

    During the troubleshooting, I initiated a debug here:

    [foster@kvm0007 ~]$ kinit
Password for [email protected]: 
[foster@kvm0007 ~]$ ssh -p222 -K [email protected] -vvv
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /home/users/foster/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to kerberos.monzell.com [192.168.15.100] port 222.
debug1: Connection established.
debug1: identity file /home/users/foster/.ssh/identity type -1
debug1: identity file /home/users/foster/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /home/users/foster/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/users/foster/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 499/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: put_host_port: [192.168.15.100]:222
debug3: put_host_port: [kerberos.monzell.com]:222
debug3: check_host_in_hostfile: filename /home/users/foster/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /home/users/foster/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug1: checking without port identifier
debug3: check_host_in_hostfile: filename /home/users/foster/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/users/foster/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'kerberos.monzell.com' is known and matches the RSA host key.
debug1: Found key in /home/users/foster/.ssh/known_hosts:1
debug1: found matching key w/out port
debug2: bits set: 505/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/users/foster/.ssh/identity ((nil))
debug2: key: /home/users/foster/.ssh/id_rsa ((nil))
debug2: key: /home/users/foster/.ssh/id_dsa (0x7fed559e5d30)
debug3: Wrote 64 bytes for a total of 1109
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.15.100.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1205
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1301
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1397
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1493
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/users/foster/.ssh/identity
debug3: no such identity: /home/users/foster/.ssh/identity
debug1: Trying private key: /home/users/foster/.ssh/id_rsa
debug3: no such identity: /home/users/foster/.ssh/id_rsa
debug1: Offering public key: /home/users/foster/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 528 bytes for a total of 2021
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password:

    As you can see, gssapi-with-mic is being sent, but no decreeable response.

    As it turns out, it appears that this is was being sent to the KDC:

    debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user foster service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "foster"
debug1: PAM: setting PAM_RHOST to "192.168.15.37"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user foster service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug1: Unspecified GSS failure.  Minor code may provide more information
**No key table entry found for host/[email protected]**

debug1: userauth-request for user foster service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 0
debug1: userauth-request for user foster service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 0
debug1: userauth-request for user foster service ssh-connection method gssapi-with-mic
debug1: attempt 4 failures 0
debug1: userauth-request for user foster service ssh-connection method publickey
debug1: attempt 5 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 502/502 (e=0/0)
debug1: trying public key file /home/users/foster/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 502/502 (e=0/0)
debug1: trying public key file /home/users/foster/.ssh/authorized_keys2
debug1: restore_uid: 0/0

    Some research indicated it may be an issue with the host file, which I have as follows:

    [foster@sl6 ~]$ cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost
::1     sl6     localhost6.localdomain6 localhost6
192.168.15.100  kerberos.monzell.com kerberos
192.168.15.100 monzell.com
192.168.15.31   kvm0001.monzell.com     kvm0001

    I attempted to try to set the hostname manual on the host, with no effect.

    Here are the list of principals at the KDC:

    [root@sl6 ~]# kadmin.local
Authenticating as principal rilindo/[email protected] with password.
kadmin.local:  listprincs
K/[email protected]
[email protected]
host/[email protected]
host/[email protected]
[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
[email protected]
rilindo/[email protected]
[email protected]

    Kerberos does most of the authentication. The user directory resides in OpenLDAP. Both the client and server are running Scientific Linux 6.1, with the client running as a VM on top of the server.

    I can confirm that Kerberos works outside of OpenSSH, as indicated here:

    [foster@kvm0007 ~]$ /usr/kerberos/bin/krsh -x -PN kerberos.monzell.com
This rlogin session is encrypting all data transmissions.
Last login: Sun Sep 25 21:18:20 from 192.168.15.37

    The user(s) in question have the following ssh config file:

    [foster@sl6 ~]$ cat .ssh/config 
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPITrustDns yes

    What direction should I go from this point?

    EDIT: I knew I forgot to add something to this post. Here is the krb5.conf on the server:

    [root@sl6 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MONZELL.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 MONZELL.COM = {
  kdc = kerberos.monzell.com
  admin_server = kerberos.monzell.com
 }

[domain_realm]
 .monzell.com = MONZELL.COM
 monzell.com = MONZELL.COM

    And on the client:

    [rilindo@kvm0007 ~]$ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MONZELL.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

 MONZELL.COM = {
  kdc = kerberos.monzell.com
  admin_server = kerberos.monzell.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 monzell.com = MONZELL.COM
 .monzell.com = MONZELL.COM
  • Rilindo
    Rilindo almost 13 years
    Are you referring to the client or server?
  • 84104
    84104 almost 13 years
    hostname -> server. domain realm mapping -> client(s). Note a server machine can have client processes, though that doesn't seem applicable here.
  • Rilindo
    Rilindo almost 13 years
    You're right. Kerberos is looking at the hostname of the server, not the DNS name. Changed the hostname made the error go away. I have a different error now, but I'll post that later. :}

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Wrong principal in request (SSH/ GSSAPI/Kerberos/Debian)
problems creating a keytab file on win server
How to force kerberos to use in memory credential cache?
MIT Kerberos keeps asking for password when authenticating to OpenSSH
How to get Service Token from Kerberos using SSPI
How to verify kerberos token?
GSSException: Message stream modified (41)
Java Kerberos authentication seems to work, still gets rejected
SSH login without password with kerberos
How to install Kerberos client on Windows