[Freeipa-users] Keberos authentication - Unspecified GSS failure

Rob Crittenden rcritten at redhat.com
Wed Apr 16 22:13:48 UTC 2014 

David Kreuter wrote:
> Yesterday I installed the FreeIPA client on machine and after the
> installation the login with password worked fine. After that I tried to
> login with a valid Kerberos ticket and it failed. First i traced the ssh
> login:
>
> ssh -vvv david at test.example.com
> ---cut---
> debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80),
> debug2: key: /home/david/.ssh/id_dsa ((nil)),
> debug2: key: /home/david/.ssh/id_ecdsa ((nil)),
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic
> debug3: start over, passed a different list
> publickey,gssapi-keyex,gssapi-with-mic
> debug3: preferred
> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred:
> gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /home/david/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic
> debug1: Trying private key: /home/david/.ssh/id_dsa
> debug3: no such identity: /home/david/.ssh/id_dsa: No such file or directory
> debug1: Trying private key: /home/david/.ssh/id_ecdsa
> debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or
> directory
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
> ---cut---
>
> Then I enabled the log for SSH on the IPA client machine and faced
> following error:
>
> ---cut---
> Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0
> Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david"
> Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to
> "10.100.3.2"
> Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh"
> Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user
> david service ssh-connection method gssapi-with-mic
> Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0
> Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure.
>   Minor code may provide more information\nNo key table entry found
> matching host/infra01@\n
> ---cut---
>
> Unspecified GSS failure.  Minor code may provide more information.No key
> table entry found matching host/infra01@\n.
>
> After that I tried to receive a ticket on the IPA client machine and
> everything worked fine:
>
> kinit <user>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: david@<realm>.INFO
>
> Valid starting     Expires            Service principal
> 04/16/14 23:24:51  04/17/14 23:24:47  krbtgt/...
> 04/16/14 23:25:51  04/17/14 23:24:47  host/...
>
> kvno -k /etc/krb5.keytab host/...
> host/...: kvno = 1, keytab entry valid
>
> So the Kerberos setup on the machine seems to be fine, but still the
> login SSH using Keberos is not working. GSSAPI is correctly enabled in
> the sshd configuration file. Any hint is highly appreciated. Thanks.
>

Seems like sshd looked for the wrong key. Run klist -kt /etc/krb5.keytab 
and see what principal is there. sshd didn't look for a FQDN according 
to your log.

rob

More information about the Freeipa-users mailing list