
I have a Kerberos server and a Kerberos client on one Realm. Both of these machines have OpenSSH Server and Client installed and configured in the same way to use Kerberos GSSAPI authentication.

I can easily connect from the client to the server but not from the server to the client. I can't find the reason why this isn't working, as it is functional in one direction.

Here is a portion of the logs I am getting from SSH:

```
debug1: KEX done [preauth]
debug1: userauth-request for user john service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "john"
debug1: PAM: setting PAM_RHOST to "192.168.0.1"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user john service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
Postponed gssapi-with-mic for john from 192.168.0.1 port 46994 ssh2 [preauth]
debug1: Got no client credentials
Failed gssapi-with-mic for john from 192.168.0.1 port 46994 ssh2
debug1: userauth-request for user john service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 1 [preauth]
```
Bnr
  • Does the connecting user actually have Kerberos tickets available (is there a 'krbtgt' in `klist`)? There is no automatic machine-level trust in Kerberos. – user1686 Aug 03 '22 at 12:16
  • @user1686 Yes, I initialized the connecting user using kinit on the server and got a TGT, then I try to connect from the server to the client and even get a service ticket using `klist`. However, the connection is denied... – Bnr Aug 04 '22 at 16:47

1 Answer


One option is to configure the sshd_conf and ssh_conf files to use Kerberos, as ssh_config is used by the client and sshd_conf is used by the server.
With that option, it is necessary to allow the users to log in to the system by creating a .k5login file in the home directory.

Yunnosch
  • sshd_conf is configured on the server and ssh_conf is configured on the client and the server. The connection is working only when I connect from the client. That means my server sshd_conf is well configured and the client ssh_conf is well configured too. As my server ssh_conf is the same as the client's, I don't understand why it is not working. – Bnr Sep 22 '22 at 09:30
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Oct 03 '22 at 16:29
  • Verify you are getting a ticket from the Kerberos server. And verify the presence of the keytab file on the SSH server. Also make sure the SSH server is registered in the Kerberos database. Please use kinit and verify the presence of tickets. If the ticket for the SSH server hasn't been provided, make sure the SSH server is registered in the Kerberos database. It seems like your SSH server is not registered with the Kerberos server. Please reach me for further assistance. – Aalish Kshetry Oct 09 '22 at 06:55
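
The checks named in the answer and comments above (a TGT for the connecting user, a keytab entry for the SSH server, GSSAPI enabled in sshd, a `.k5login` entry), written as an added shell example that is not part of the original posts. It assumes MIT Kerberos `klist` output and a hypothetical realm `EXAMPLE.COM` with hosts `server.example.com` and `client.example.com`; the machine being connected to is the one acting as SSH server, so its keytab and sshd settings are the ones inspected.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumed names: realm EXAMPLE.COM,
# hosts server.example.com and client.example.com; MIT Kerberos klist output.

# Each check reads one command's output on stdin and succeeds if the item is found.
has_tgt()        { grep -qF "krbtgt/$1@$1"; }              # `klist`, connecting side
has_host_key()   { grep -qF "host/$1@$2"; }                # `klist -k`, target (root)
gssapi_enabled() { grep -qx 'gssapiauthentication yes'; }  # `sshd -T`, target (root)
k5login_allows() { grep -qxF "$1"; }                       # ~/.k5login, target account

# diagnose REALM TARGET_FQDN PRINCIPAL KLIST KEYTAB SSHD_T K5LOGIN
# The last four arguments are captured outputs passed as strings.
# Prints the first failing check (or "ok") and returns non-zero on failure.
# An empty K5LOGIN is treated as "file absent" and that check is skipped.
diagnose() {
    printf '%s\n' "$4" | has_tgt "$1"           || { echo no-tgt; return 1; }
    printf '%s\n' "$5" | has_host_key "$2" "$1" || { echo no-host-key; return 2; }
    printf '%s\n' "$6" | gssapi_enabled         || { echo gssapi-disabled; return 3; }
    [ -z "$7" ] || printf '%s\n' "$7" | k5login_allows "$3" \
                                                || { echo not-in-k5login; return 4; }
    echo ok
}

# Constructed sample outputs (not taken from the page).
SAMPLE_KLIST='Default principal: john@EXAMPLE.COM
08/04/2022 16:40:01  08/05/2022 02:40:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM'
# Keytab holding only the other machine's host key: GSSAPI works in one direction only.
SAMPLE_KEYTAB_WRONG_HOST='   2 host/server.example.com@EXAMPLE.COM'
SAMPLE_KEYTAB_TARGET='   2 host/client.example.com@EXAMPLE.COM'
SAMPLE_SSHD_T='gssapiauthentication yes
gssapicleanupcredentials yes'
SAMPLE_K5LOGIN='john@EXAMPLE.COM'

# Example call on the constructed data; prints "no-host-key".
diagnose EXAMPLE.COM client.example.com john@EXAMPLE.COM \
    "$SAMPLE_KLIST" "$SAMPLE_KEYTAB_WRONG_HOST" "$SAMPLE_SSHD_T" "$SAMPLE_K5LOGIN" || true
```

To run it on real systems, pass `"$(klist)"` captured as the connecting user and `"$(klist -k)"`, `"$(sshd -T)"` and the target account's `.k5login` contents captured on the machine being connected to.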