[Freeipa-users] Permission Denied

Simo Sorce simo at redhat.com
Thu Sep 12 17:59:49 UTC 2013


On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> 
> > Yes it is, but I need to see also what you get on the successfull ssh
> > case, klist is all I need to see, no other output.
> > 
> > Also does it work all the time if you use the command
> > 
> > ssh -K dean@desktop2 ?

you did not try the above ^^ :-)


> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktH9faWP
> Default principal: dean@HUNTER.ORG
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/HUNTER.ORG@HUNTER.ORG
> 
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 21:14:18 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> 
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1440800001)
> 
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktH9faWP
> Default principal: dean@HUNTER.ORG
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/HUNTER.ORG@HUNTER.ORG
> 09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter.org@HUNTER.ORG
> 
> [dean@ipa2 ~]$ su -
> Password: 
> 
> [root@ipa2 ~]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> 
> [root@ipa2 ~]# ssh dean@desktop2
> dean@desktop2's password: 
> Last login: Thu Sep 12 11:16:15 2013 from ipa2.hunter.org
> 
> [dean@desktop2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktrhI7WX
> Default principal: dean@HUNTER.ORG
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/HUNTER.ORG@HUNTER.ORG
> 09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.hunter.org@HUNTER.ORG
> 
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> 
> [root@ipa2 ~]# logout
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktH9faWP
> Default principal: dean@HUNTER.ORG
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/HUNTER.ORG@HUNTER.ORG
> 09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter.org@HUNTER.ORG
> 
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Thu Sep 12 11:17:39 2013 from ipa2.hunter.org
> 
> [dean@desktop2 ~]$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1440800001)
> 
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktH9faWP
> Default principal: dean@HUNTER.ORG
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/HUNTER.ORG@HUNTER.ORG
> 09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter.org@HUNTER.ORG
> 
> reboot ....
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktLOSJxT
> Default principal: dean@HUNTER.ORG
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/HUNTER.ORG@HUNTER.ORG
> 
> [dean@ipa2 ~]$ ssh -k dean@desktop2
> Last login: Thu Sep 12 11:22:31 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> 
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1440800001)
> 
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/1440800001/krb5cc/tktLOSJxT
> Default principal: dean@HUNTER.ORG
> 
> Valid starting     Expires            Service principal
> 09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/HUNTER.ORG@HUNTER.ORG
> 09/12/13 11:24:43  09/13/13 11:23:56  host/desktop2.hunter.org@HUNTER.ORG
> 


However, here is the exact explanation of what is going on.

The first time you ssh in you are not using password authentication but
SSO (GSSAPI auth) *however* you are not delegating credentials to
desktop2 (-K option).

What this means is that ssh can allow you in because you have a valid
ticket, but once you land on the machine there are no credentials
available there locally so the NFS client has no way to authenticate you
to the NFS server.

Later on when you do the su - and the ssh you are doing password
authentication instead. *that* is the key difference, the fact that you
do su - is a red herring and only causes you to not have credentials to
use and makes ssh fall back to password authentication.

You can obtain the same effect calling kdestroy instead of su - or
telling ssh to not use GSSAPI for auth.

Anyway when you authenticate with a password you give the target system
your password which it will use to obtain a ticket for you and it places
the ticket in the DIR:/run/user/... directory.

There the NFS client can find it and uses it to authenticate your user
to the NFS Server, so you can access the home directory no problem.

The second time you do a straight ssh with GSSAPI auth (no password
requested) it works because the cache generated with the previous
attempt hasn't been removed, so the NFS client still finds it.

Finally it starts failing again after reboot because /run/user is a
tmpfs and gets wiped at reboot.


Bottom line: if you need credentials on the target system (and you need
them because you are using kerberized NFS for homes) you either use ssh
-K dean@desktop2 so that you forward credentials each time, or you force
your client to use password authentication so the target system can
fetch credentials on its own.


HTH, Simo.



-- 
Simo Sorce * Red Hat, Inc * New York
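As an added diagnostic (not code from the thread, from FreeIPA or from MIT krb5), a small shell snippet that classifies a login session's credential state from `klist` output, so the "GSSAPI let me in but nothing was delegated" case above can be told apart from "a TGT is present, so kerberized NFS homes can work". The two samples are constructed to mirror the outputs in the thread; the `klist -f` flag line layout (`Flags: FIA` following the krbtgt entry) and the `F` check for forwardability are assumptions.

```shell
#!/bin/sh
# Added example: classify a session's Kerberos state from klist text.
# Samples constructed to mirror the thread's two outcomes (the Flags line
# is what `klist -f` adds; its layout is assumed here).
SAMPLE_DELEGATED='Ticket cache: DIR::/run/user/1440800001/krb5cc/tktH9faWP
Default principal: dean@HUNTER.ORG

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/HUNTER.ORG@HUNTER.ORG
	Flags: FIA'
SAMPLE_NOCACHE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1440800001)'

# Prints one of:
#   no-cache              - no ccache on this host: ssh accepted the GSSAPI
#                           login but no TGT was delegated (no ssh -K), so
#                           the NFS client cannot authenticate the user
#   no-tgt                - a cache exists but holds no krbtgt entry
#   ok <cache> <principal> - a usable TGT is present
krb_session_state() {
    out=$1
    case "$out" in
        *"No credentials cache found"*) echo "no-cache"; return 1 ;;
    esac
    cache=$(printf '%s\n' "$out" | sed -n 's/^Ticket cache: //p')
    princ=$(printf '%s\n' "$out" | sed -n 's/^Default principal: //p')
    if printf '%s\n' "$out" | grep -q 'krbtgt/'; then
        echo "ok $cache $princ"; return 0
    fi
    echo "no-tgt"; return 1
}

# Succeeds when the TGT can be delegated with `ssh -K`: the flag string on
# the line after the krbtgt entry (assumed "Flags: ..." layout) contains F.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\//       { seen = 1; next }
        seen && /Flags:/ { f = $0; sub(/.*Flags: */, "", f)
                           if (index(f, "F") > 0) ok = 1; seen = 0 }
        END              { if (ok) exit 0; exit 1 }'
}

# Verdict for each sample; on a real host run: krb_session_state "$(klist -f 2>&1)"
for s in "$SAMPLE_DELEGATED" "$SAMPLE_NOCACHE"; do
    krb_session_state "$s" || echo "  -> kerberized NFS home will fail; log in with ssh -K"
done
```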



