SSH login without password with kerberos
Solution 1
You probably need to add the server to the Kerberos database (aka KDC) by creating a principal for the machine itself.
If you are running Windows Active Directory with a KDC, you can use ktpass.exe to add the host to the KDC.
If you are running a Windows or Linux Kerberos KDC, you can use the ktutil command in a Linux shell to add the principal to the Kerberos database.
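The principal the answer talks about has a fixed name: ssh's gssapi-with-mic method asks the KDC for host/<fqdn>@REALM, where the fqdn is what the client resolves the HostName to. "Server not found in Kerberos database" means the KDC has no principal under that exact name, and the same principal must also be in the server's /etc/krb5.keytab for the ticket to be accepted. The following script is an added example, not code from the thread: it derives the expected principal, parses a klist -k style keytab listing (the samples are constructed), and reports whether the entry is present, present under a different host name (the usual CNAME or reverse-DNS mismatch), or absent. The realm FOO.ORG and the canonical-name parameter are assumptions.

```python
"""Check whether the service principal an SSH client asks the KDC for exists in a
keytab listing. Added example, not code from the original thread."""
import re
from typing import Optional

DEFAULT_REALM = "FOO.ORG"  # assumption: the Kerberos realm serving foo.org hosts


def expected_host_principal(hostname: str, realm: str = DEFAULT_REALM,
                            canonical: Optional[str] = None) -> str:
    """Return the principal ssh's gssapi-with-mic method requests: host/<fqdn>@REALM.

    With the krb5 default dns_canonicalize_hostname = true the client resolves the
    HostName and uses the canonical name, so a CNAME alias or a reverse record that
    disagrees with the forward one changes the name requested (canonical= simulates
    that; it is an assumption of this example, not an ssh option).
    """
    name = (canonical or hostname).rstrip(".").lower()
    return f"host/{name}@{realm}"


def parse_klist_keytab(output: str) -> set:
    """Parse the 'KVNO Principal' table printed by `klist -k`."""
    principals = set()
    for line in output.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def diagnose(hostname: str, keytab_output: str, realm: str = DEFAULT_REALM,
             canonical: Optional[str] = None) -> tuple:
    """Classify the server side: ok, a host/ entry under another name, or none."""
    want = expected_host_principal(hostname, realm, canonical)
    have = parse_klist_keytab(keytab_output)
    if want in have:
        return ("ok", want)
    other = sorted(p for p in have if p.startswith("host/"))
    if other:
        return ("name-mismatch", want, other)
    return ("missing", want)


# Constructed sample keytab listings (not taken from the thread).
KEYTAB_GOOD = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/someserver.foo.org@FOO.ORG
   2 host/someserver.foo.org@FOO.ORG
"""
KEYTAB_SHORTNAME = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/someserver@FOO.ORG
"""
KEYTAB_EMPTY = "Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ----\n"

if __name__ == "__main__":
    print(diagnose("someserver.foo.org", KEYTAB_GOOD))
    print(diagnose("someserver.foo.org", KEYTAB_SHORTNAME))
    print(diagnose("someserver.foo.org", KEYTAB_EMPTY))
    # An alias that DNS canonicalizes to a different host name also misses.
    print(diagnose("server.foo.org", KEYTAB_GOOD, canonical="web01.foo.org"))
```

Run it on the real output of `klist -k` from the server and on the HostName from the client's ~/.ssh/config; a name-mismatch result is the case to check DNS forward and reverse records for, while a missing result is the case this answer fixes by creating the principal and exporting its key into the keytab.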
Solution 2
It might be that the NTPD service has gone down. At least in my case, when I checked the status, the service had failed with logs showing PANIC_STOP. Try the steps below:
systemctl stop ntpd
systemctl status ntpd
Please take note of one of the servers in /etc/ntpd.conf
ntpdate <ABOVE SERVER>
systemctl start ntpd
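Kerberos rejects tickets whose timestamps differ from the KDC's clock by more than the configured clockskew (300 seconds by default in MIT krb5), and the failure then shows up in `ssh -vvv` as "Clock skew too great" rather than "Server not found in Kerberos database". The script below is an added example, not code from the thread: it reads the offset from ntpdate -q style output (constructed sample lines) so the time can be checked before ntpd is stopped and restarted, and it maps the minor-code text in ssh -vvv output to the cause each answer in this thread addresses. The IP addresses and log lines are constructed.

```python
"""Check measured clock offset against the Kerberos skew limit, and map the GSSAPI
minor-code text in `ssh -vvv` output to a likely cause. Added example, not from the thread."""
import re
from typing import List, Tuple

KRB5_DEFAULT_CLOCKSKEW = 300  # seconds; MIT krb5 [libdefaults] clockskew default


def parse_ntpdate_query(output: str) -> List[Tuple[str, float]]:
    """Extract (server, offset_seconds) from `ntpdate -q` style lines, e.g.
    'server 192.0.2.10, stratum 2, offset -0.004211, delay 0.02573'."""
    rows = []
    for line in output.splitlines():
        m = re.match(r"^server (\S+), stratum \d+, offset ([-+]?\d+\.\d+), delay", line)
        if m:
            rows.append((m.group(1), float(m.group(2))))
    return rows


def clock_needs_fixing(ntpdate_output: str, limit: int = KRB5_DEFAULT_CLOCKSKEW) -> bool:
    """True when any measured offset exceeds what the KDC will tolerate."""
    rows = parse_ntpdate_query(ntpdate_output)
    if not rows:
        raise ValueError("no usable offset lines in ntpdate output")
    return any(abs(offset) > limit for _, offset in rows)


def classify_gss_failure(ssh_vvv_output: str) -> str:
    """Map the text ssh prints after 'Unspecified GSS failure' to a cause."""
    text = ssh_vvv_output
    if "Server not found in Kerberos database" in text:
        return "missing-host-principal"   # KDC has no host/<fqdn> principal (Solution 1)
    if "Clock skew too great" in text:
        return "clock-skew"               # client, server or KDC clock is off (Solution 2)
    if "No credentials cache found" in text or "Ticket expired" in text:
        return "no-client-ticket"         # run kinit first, check klist
    if "gssapi-with-mic" in text:
        return "gssapi-attempted-other"
    return "gssapi-not-attempted"         # GSSAPIAuthentication is not enabled client side


def recommend(ssh_vvv_output: str, ntpdate_output: str) -> str:
    """Decide whether a time fix is warranted before touching ntpd."""
    cause = classify_gss_failure(ssh_vvv_output)
    if cause == "clock-skew":
        return "fix-time" if clock_needs_fixing(ntpdate_output) else "time-ok-check-kdc-clock"
    return cause


# Constructed samples (not from the thread).
NTP_OK = "server 192.0.2.10, stratum 2, offset -0.004211, delay 0.02573\n"
NTP_DRIFTED = "server 192.0.2.10, stratum 2, offset 412.380012, delay 0.02573\n"
SSH_NOT_FOUND = """\
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database
debug2: we sent a gssapi-with-mic packet, wait for reply
"""
SSH_SKEW = """\
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Clock skew too great
"""

if __name__ == "__main__":
    print(recommend(SSH_NOT_FOUND, NTP_OK))   # missing-host-principal
    print(recommend(SSH_SKEW, NTP_OK))        # time-ok-check-kdc-clock
    print(recommend(SSH_SKEW, NTP_DRIFTED))   # fix-time
```

The point of the recommend step is the one made in the comments: the ntpd restart only helps when the local offset really exceeds the skew limit; an offset of a few milliseconds with a skew error means the drift is elsewhere (the KDC or the server), not on the client.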
pfnuesel
Updated on September 18, 2022
Comments
- pfnuesel almost 2 years
I try to log in to a server which only supports login with Kerberos authentication. Here's what I try:
kinit [email protected]
aklog -c foo.org
ssh server
But then I'm asked again for a password.
Here's what I have in my ~/.ssh/config for the entry server (my /etc/ssh/ssh_config is empty):
Host server
    HostName someserver.foo.org
    User user
    ForwardX11 yes
    ForwardX11Trusted yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
According to colleagues, this (or something similar) is working for them. I can log onto other machines with Kerberos tokens just fine. I assume it has something to do with my /etc/krb5.conf, but I do not know what to look for. I tried copying the /etc/krb5.conf from the server to my workstation, but without success. Here's part of the output if I run ssh -vvv server:
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure.  Minor code may provide more information
debug2: we sent a gssapi-with-mic packet, wait for reply
How can I log in with my local Kerberos token? What am I doing wrong?
- MikeA over 7 years: Can't you just create a key and put the public key in ~/.ssh/authorized_keys on the server? man ssh-keygen
- pfnuesel over 7 years: @MikeA The server accepts only connections with a valid Kerberos token.
- VenkatC over 7 years: Try setting GSSAPIAuthentication yes in your ~/.ssh/config file and retry. Also look at the PreferredAuthentications setting and make sure you have gssapi-with-mic first.
- pfnuesel over 7 years: @VenkatC I tried both of these before, no success.
- VenkatC over 7 years: From your ssh debug above, I do not see it trying to use Kerberos credentials anywhere. Would you post ssh output with GSSAPIAuthentication and GSSAPIKeyExchange both set to yes? Also post klist output before ssh.
- pfnuesel over 7 years: @VenkatC Sorry, I somehow missed your second comment. I've updated the question now by adding GSSAPIAuthentication yes to the ~/.ssh/config and the important part of the ssh -vvv command.
- larsks over 7 years: The error "server not found in kerberos database" generally means that the host to which you're trying to connect does not have a valid /etc/krb5.keytab file.
- pfnuesel over 7 years: @larsks Thanks. So do I understand correctly it's a problem on the server? I wonder why other people then can connect though.
- VenkatC over 7 years: Make sure DNS resolves properly for server someserver.foo.org, both forward and reverse lookup. This is important for Kerberos functionality. Also clarify if other users could log on to the same server from the same client you are trying to connect from.
- RalfFriedl about 5 years: Some of the steps are not necessary, and it would make sense to first verify whether the time is actually wrong.