SSH login without password with kerberos

Solution 1

You probably need to add the server to the Kerberos database (aka KDC) by creating a principal for the machine itself.

If you are running Windows Active Directory with a KDC you can use the ktpass.exe to add the host to the KDC.

If you are running a Windows or Linux Kerberos KDC, you can use the ktutil command in a Linux shell to add the principal to the Kerberos database.

Solution 2

It might be that the NTPD service has gone down. At least in my case, when I checked the status, the service had failed with logs showing PANIC_STOP. Try the steps below:

  1. systemctl stop ntpd
  2. systemctl status ntpd
  3. Please take note of one of the servers in /etc/ntpd.conf
  4. ntpdate <ABOVE SERVER>
  5. systemctl start ntpd

Author: pfnuesel

Updated on September 18, 2022

Comments

  • pfnuesel
    pfnuesel almost 2 years

    I try to log in to a server which only supports login with Kerberos authentication. Here's what I try:

    kinit [email protected]
    aklog -c foo.org
    ssh server
    

    But then I'm asked again for a password.

    Here's what I have in my ~/.ssh/config for the entry server (my /etc/ssh/ssh_config is empty):

    Host server
        HostName someserver.foo.org
        User user
        ForwardX11 yes
        ForwardX11Trusted yes
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
    

    According to colleagues, this (or something similar) is working for them. I can log onto other machines with kerberos tokens just fine. I assume it has something to do with my /etc/krb5.conf, but I do not know what to look for. I tried copying the /etc/krb5.conf from the server to my working station, but without success.

    Here's part of the output if I run ssh -vvv server:

    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure.  Minor code may provide more information
    Server not found in Kerberos database
    
    debug1: Unspecified GSS failure.  Minor code may provide more information
    Server not found in Kerberos database
    
    debug1: Unspecified GSS failure.  Minor code may provide more information
    
    
    debug2: we sent a gssapi-with-mic packet, wait for reply
    

    How can I login with my local kerberos token? What am I doing wrong?

    • MikeA
      MikeA over 7 years
      Can't you just create a key and put the public key in ~/.ssh/authorized_keys on the server? man ssh-keygen
    • pfnuesel
      pfnuesel over 7 years
      @MikeA The server accepts only connections with a valid kerberos token.
    • VenkatC
      VenkatC over 7 years
      Try setting GSSAPIAuthentication yes in your ~/.ssh/config file and retry. Also look at the PreferredAuthentications setting and make sure you have gssapi-with-mic first.
    • pfnuesel
      pfnuesel over 7 years
      @VenkatC I tried both of these before, no success.
    • VenkatC
      VenkatC over 7 years
      From your ssh debug above, I do not see it trying to use Kerberos credentials anywhere. Would you post the ssh output with GSSAPIAuthentication and GSSAPIKeyExchange both set to yes? Also post klist output before ssh.
    • pfnuesel
      pfnuesel over 7 years
      @VenkatC Sorry, I somehow missed your second comment. I've updated the question now by adding GSSAPIAuthentication yes to the ~/.ssh/config and the important part of the ssh -vvv command.
    • larsks
      larsks over 7 years
      The error "server not found in Kerberos database" generally means that the host to which you're trying to connect does not have a valid /etc/krb5.keytab file.
    • pfnuesel
      pfnuesel over 7 years
      @larsks Thanks. So do I understand correctly it's a problem on the server? I wonder why other people then can connect though.
    • VenkatC
      VenkatC over 7 years
      Make sure DNS resolves properly for server someserver.foo.org, both forward and reverse lookup. This is important for Kerberos functionality. Also clarify whether other users can log on to the same server from the same client you are trying to connect from.
  • RalfFriedl
    RalfFriedl about 5 years
    Some of the steps are not necessary, and it would make sense to first verify whether the time is actually wrong.
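The thread above names three separate causes for the "Server not found in Kerberos database" failure: the KDC has no host principal for the server (Solution 1 and larsks's comment), forward and reverse DNS disagree about the server's name (VenkatC's comment), and the client clock has drifted past the KDC's skew limit because ntpd died (Solution 2). The script below is an added example, not code from the question or any answer. It turns each cause into a small check that can be exercised offline on constructed data, plus a live mode that runs the real klist, getent and kvno commands from the client. The hostname someserver.foo.org and realm FOO.ORG are taken from the question; the keytab listing embedded in the script is constructed, and the script name krb5_ssh_check.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the question or the answers): checks for the three
# causes discussed on the page. Hostname someserver.foo.org and realm FOO.ORG
# are assumed from the question; SAMPLE_KEYTAB_LISTING is constructed.
set -eu

# sshd on the target proves its identity with the service principal
# host/<fqdn>@<REALM>. "Server not found in Kerberos database" is the KDC
# saying it holds no such principal, so this is the name to look for.
expected_service_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Constructed stand-in for the output of `klist -k /etc/krb5.keytab` on the server.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/someserver.foo.org@FOO.ORG
   3 host/someserver.foo.org@FOO.ORG'

# Does a `klist -k` listing contain a key for the given principal?
# Entry lines are "<kvno> <principal>", so column 2 is the principal.
# Returns 0 when found, 1 otherwise.
keytab_has_principal() {
    principal=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v p="$principal" '$2 == p { found = 1 } END { exit !found }'
}

# Kerberos canonicalises the target through DNS, so the name ssh connects to
# must come back from the reverse lookup of its address. PTR answers end in a
# dot and DNS names are case-insensitive, so normalise before comparing.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

dns_round_trip_ok() {
    [ "$(normalize_name "$1")" = "$(normalize_name "$2")" ]
}

# The KDC rejects requests whose timestamp differs from its own clock by more
# than clockskew (MIT default 300 s); a stopped ntpd lets a client drift past it.
# Arguments: client epoch seconds, KDC epoch seconds, optional limit in seconds.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then
        diff=$(( 0 - diff ))
    fi
    [ "$diff" -le "${3:-300}" ]
}

# Live version of the same checks, run on the client after kinit:
#   RUN_LIVE=1 sh krb5_ssh_check.sh someserver.foo.org FOO.ORG
run_live_checks() {
    fqdn=$1
    realm=$2
    principal=$(expected_service_principal "$fqdn" "$realm")
    echo "== client ticket cache (needs a TGT for $realm) =="
    klist || { echo "no ticket cache; run kinit first"; exit 1; }
    addr=$(getent hosts "$fqdn" | awk '{ print $1; exit }')
    ptr=$(getent hosts "$addr" | awk '{ print $2; exit }')
    if dns_round_trip_ok "$fqdn" "$ptr"; then
        echo "DNS ok: $fqdn -> $addr -> $ptr"
    else
        echo "WARN: reverse lookup of $addr gives '$ptr', not $fqdn"
    fi
    # kvno asks the KDC for a service ticket for the principal; when the KDC has
    # no such principal it fails with the same error that ssh -vvv printed.
    if kvno "$principal"; then
        echo "KDC knows $principal; now compare with 'klist -k /etc/krb5.keytab' on the server"
    else
        echo "WARN: KDC has no principal $principal (see Solution 1)"
    fi
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    run_live_checks "${1:-someserver.foo.org}" "${2:-FOO.ORG}"
fi
```

The offline functions are deliberately pure so they can be fed captured output (a pasted `klist -k`, a PTR answer, two timestamps) from a machine you cannot run commands on. In live mode, a kvno failure points at the KDC side (Solution 1), a DNS mismatch points at the resolver, and a skew warning from the KDC itself (klist shows a ticket but kvno reports a clock error) points at Solution 2; checking the time first, as RalfFriedl suggests, is cheaper than restarting ntpd on a hunch.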