Wrong principal in request (SSH / GSSAPI / Kerberos / Debian)

I have set up two virtual machines on "internal" (in the VirtualBox sense) networking: one is a DNS server (dns1.example.com), the other is the KDC and Kerberos admin server (kdc.example.com). The default and only realm is EXAMPLE.COM. Both machines are freshly installed Debian Squeeze.

The problem: I can log in via ssh from kdc.example.com to kdc.example.com, but I cannot log in via ssh from dns1.example.com.

On kdc.example.com, sshd in debug mode says:

    debug1: Unspecified GSS failure.  Minor code may provide more information
    Wrong principal in request
    debug1: Got no client credentials
    debug3: mm_request_send entering: type 41
    debug3: mm_request_receive entering
    debug1: userauth-request for user tom service ssh-connection method gssapi-with-mic
    debug1: attempt 2 failures 1
    debug2: input_userauth_request: try method gssapi-with-mic
    debug1: userauth-request for user tom service ssh-connection method gssapi-with-mic
    debug1: attempt 3 failures 1
    debug2: input_userauth_request: try method gssapi-with-mic

At this point the client is prompted for a password. A tcpdump capture viewed in Wireshark shows that some encrypted packets are exchanged, but I cannot deduce much from them since they are encrypted :). After two days of googling I am stuck and would appreciate any help.

I would also appreciate any advice/links/hints on a generally sane configuration debugging strategy when it comes to Kerberos and friends. For example, I have no idea where to look for what is wrong with the "wrong principal": what the server is accepting and what the correct one should be. Something tells me the real adventure is still to come :).

Below are the configuration and diagnostic outputs. I hope I have not forgotten anything.

    kdc:~# cat /etc/krb5kdc/kdc.conf
    [kdcdefaults]
        kdc_ports = 750,88

    [realms]
        EXAMPLE.COM = {
            database_name = /var/lib/krb5kdc/principal
            admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
            acl_file = /etc/krb5kdc/kadm5.acl
            key_stash_file = /etc/krb5kdc/stash
            kdc_ports = 750,88
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = des3-hmac-sha1
            supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
            default_principal_flags = +preauth
        }

    kdc:~# kadmin.local -q 'listprincs'
    Authenticating as principal root/[email protected] with password.
    K/[email protected]
    host/[email protected]
    host/[email protected]
    host/[email protected]
    host/[email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    krbtgt/[email protected]
    root/[email protected]
    [email protected]

    kdc:~# cat /etc/ssh/sshd_config |grep '^[^#]'
    Port 22
    ListenAddress 172.16.3.3
    Protocol 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    UsePrivilegeSeparation yes
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    SyslogFacility AUTH
    LogLevel INFO
    LoginGraceTime 120
    PermitRootLogin yes
    StrictModes yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    IgnoreRhosts yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    PermitEmptyPasswords no
    ChallengeResponseAuthentication no
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPICleanupCredentials yes
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server
    UsePAM yes

/etc/krb5.conf is identical on kdc and dns1.

    dns1:~$ cat /etc/krb5.conf
    [libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
        forwardable = true

    [realms]
        EXAMPLE.COM={
            admin_server = kdc.example.com
        }

    [domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

The TGT is forwardable. On the SSH client:

    dns1:~$ klist -f
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    01/03/12 20:00:03  01/04/12 06:00:03  krbtgt/[email protected]
            renew until 01/04/12 20:00:00, Flags: FRIA
    01/03/12 20:00:21  01/04/12 06:00:03  host/[email protected]
            renew until 01/04/12 20:00:00, Flags: FRAT

The keytab also seems to be fine:

    dns1:~# klist -k
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       5 host/[email protected]
       5 host/[email protected]
       5 host/[email protected]
       5 host/[email protected]

DNS (including PTR, TXT and SRV records) works as it should.

    dns1:~# cat /var/cache/bind/db.example.com
    $ORIGIN example.com.
    $TTL 86400
    @       IN      SOA     dns1.example.com. root.example.com. (
                            2012010301      ; Serial
                            604800          ; Refresh
                            86400           ; Retry
                            2419200         ; Expire
                            86400 )         ; Negative Cache TTL
    ;
    @       IN      NS      dns1.example.com.
    dns1    IN      A       172.16.3.2
    www     IN      A       172.16.3.8
    mail    IN      A       172.16.3.9
    fed     IN      A       172.16.3.100
    kdc     IN      A       172.16.3.3
    ;kds    IN      A       172.16.3.4
    _kerberos               TXT     "EXAMPLE.COM"
    krb     IN      CNAME   kdc
    _kerberos._udp          SRV     0 0 88 kdc
    _kerberos-master._udp   SRV     0 0 88 kdc
    _kerberos-adm._tcp      SRV     0 0 749 kdc
    _kpasswd._udp           SRV     0 0 464 kdc

    dns1:~# cat /var/cache/bind/db.3.16.172.in-addr.arpa
    $ORIGIN 3.16.172.in-addr.arpa.
    $TTL 86400
    @       IN      SOA     dns1.example.com. root.example.com. (
                            2012010102      ; Serial
                            604800          ; Refresh
                            86400           ; Retry
                            2419200         ; Expire
                            86400 )         ; Negative Cache TTL
    ;
    @       IN      NS      dns1.example.com.
    2       IN      PTR     dns1.example.com.
    3       IN      PTR     kdc.example.com.
    8       IN      PTR     example.com.
    9       IN      PTR     mail.example.com.

Found this while hitting the exact same error on a new server; it pointed me in the right direction :)

In my case I had incorrect reverse DNS. Once I updated it and flushed the cache of my caching name server, it worked.

I have to be more careful. /etc/hosts had a line mapping 127.0.0.1 to the FQDN (now commented out):

    kdc:~$ cat /etc/hosts
    127.0.0.1       localhost
    #127.0.0.1      kdc.example.com kdc
    172.16.3.3      kdc.example.com kdc

After purging the relevant principals from the database and the keytab and restarting both VMs, everything works. UFFF ...
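As an added diagnostic that is not part of this thread, the shell functions below check the two conditions this answer turns on: whether the host's FQDN is mapped to a loopback address by an uncommented /etc/hosts line, and whether host/FQDN@REALM is actually present in the keytab. The /etc/hosts and `klist -k` text are constructed samples mirroring the question's setup, and the principal names are assumed because the page obfuscates them.

```shell
# Constructed /etc/hosts text reproducing the broken state from this answer.
HOSTS_BROKEN='127.0.0.1 localhost
127.0.0.1 kdc.example.com kdc
172.16.3.3 kdc.example.com kdc'

# The same file after the fix: the loopback line commented out.
HOSTS_FIXED='127.0.0.1 localhost
#127.0.0.1 kdc.example.com kdc
172.16.3.3 kdc.example.com kdc'

# Constructed `klist -k` output; principal names are assumed (the page hides them).
KEYTAB_OUT='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------
   5 host/kdc.example.com@EXAMPLE.COM
   5 host/dns1.example.com@EXAMPLE.COM'

# fqdn_on_loopback FQDN HOSTS_TEXT: succeeds if an uncommented 127.x line names the FQDN.
fqdn_on_loopback() {
    printf '%s\n' "$2" | awk -v fqdn="$1" '
        /^[[:space:]]*#/ { next }
        $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# keytab_has_host_principal FQDN REALM KLIST_TEXT: succeeds if host/FQDN@REALM is listed.
keytab_has_host_principal() {
    printf '%s\n' "$3" | awk -v p="host/$1@$2" '
        $2 == p { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_gssapi_host FQDN REALM HOSTS_TEXT KLIST_TEXT: reports each problem found,
# returns 0 only when both checks pass.
check_gssapi_host() {
    rc=0
    if fqdn_on_loopback "$1" "$3"; then
        echo "FAIL: $1 maps to 127.x in /etc/hosts; sshd may look up the wrong host principal"
        rc=1
    fi
    if ! keytab_has_host_principal "$1" "$2" "$4"; then
        echo "FAIL: host/$1@$2 is not in the keytab"
        rc=1
    fi
    return $rc
}

# Stand-alone run against the broken and the fixed sample.
check_gssapi_host kdc.example.com EXAMPLE.COM "$HOSTS_BROKEN" "$KEYTAB_OUT" || echo "broken sample flagged"
check_gssapi_host kdc.example.com EXAMPLE.COM "$HOSTS_FIXED" "$KEYTAB_OUT" && echo "fixed sample passes"
```

On a real host, feed it `"$(cat /etc/hosts)"` and `"$(klist -k)"` instead of the samples.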

Try the following.

Edit /etc/ssh/sshd_config

Find PermitRootLogin no

Change PermitRootLogin => yes

Command> /etc/init.d/sshd restart