[Samba] OpenSSH with Kerberos?

Rowland Penny rpenny at samba.org
Sat Oct 23 10:51:46 UTC 2021


On Sat, 2021-10-23 at 11:28 +0200, Joachim Lindenberg via samba wrote:
> Hello Rowland,
> thanks for giving it a try, but didn´t help so far. 
> Following 
> https://www.ibm.com/support/pages/debugging-sshd-without-impacting-existing-sshd-sessions
> I fired up a debug server and got
> debug1: Unspecified GSS failure.  Minor code may provide more
> information
> 
> Key table file '/etc/krb5.keytab' not found

Forget that Samba wiki page, it doesn't seem to work.
Did you set /etc/ssh/ssh_config on the ssh client as I showed, no other
lines ?
Did you set /etc/ssh/sshd_config on the ssh server as I showed, no
other lines ?

Did you set /etc/krb5.conf on both machines as I showed ?
Is the user known on both machines as a 'local' (does 'getent passwd
username' produce output ?) 

If all the above is correct, then running this:

ssh -K rpidc2.samdom.example.com -v

Should produce something like this:

rowland at devstation:~$ ssh -K rpidc2.samdom.example.com -v
OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /home/rowland/.ssh/config
debug1: /home/rowland/.ssh/config line 1: Applying options for
rpidc2.samdom.example.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 61: Applying options for
*.samdom.example.com
debug1: Connecting to rpidc2.samdom.example.com [192.168.0.4] port 22.
debug1: Connection established.
debug1: identity file /home/rowland/.ssh/id_rsa type 0
debug1: identity file /home/rowland/.ssh/id_rsa-cert type -1
debug1: identity file /home/rowland/.ssh/id_dsa type -1
debug1: identity file /home/rowland/.ssh/id_dsa-cert type -1
debug1: identity file /home/rowland/.ssh/id_ecdsa type -1
debug1: identity file /home/rowland/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/rowland/.ssh/id_ed25519 type 3
debug1: identity file /home/rowland/.ssh/id_ed25519-cert type -1
debug1: identity file /home/rowland/.ssh/id_xmss type -1
debug1: identity file /home/rowland/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
debug1: Remote protocol version 2.0, remote software version
OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1
debug1: match: OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1 pat OpenSSH*
compat 0x04000000
debug1: Authenticating to rpidc2.samdom.example.com:22 as 'rowland'
debug1: Offering GSSAPI proposal: gss-gex-sha1-
toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-
group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-
eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-
group14-sha1-eipGX3TCiQSrx573bT1o1Q==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256
SHA256:5IIf4cKddxvWfp20c2hPo6z5a+jtAmeGoHWrDHnw4nU
debug1: Host 'rpidc2.samdom.example.com' is known and matches the ECDSA
host key.
debug1: Found key in /home/rowland/.ssh/known_hosts:225
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /home/rowland/.ssh/id_ed25519 ED25519
SHA256:tTo2urUSsZgZufWKJvFCyI9uCrNikcpArBi0AvYvmHk agent
debug1: Will attempt key: /home/rowland/.ssh/id_rsa RSA
SHA256:L0GMmCkgo7Ik3ncxWUJdcGIfRAGWnENt2gdSyNKgA4c agent
debug1: Will attempt key: /home/rowland/.ssh/id_dsa 
debug1: Will attempt key: /home/rowland/.ssh/id_ecdsa 
debug1: Will attempt key: /home/rowland/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-
sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-
nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-
keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to rpidc2.samdom.example.com ([192.168.0.4]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00 at openssh.com
want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
Linux rpidc2 5.10.52-v7l+ #1440 SMP Tue Jul 27 09:55:21 BST 2021 armv7l

The programs included with the Debian GNU/Linux system are free
software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug  1 11:37:28 2021 from 192.168.0.49
SAMDOM\rowland at rpidc2:~$

As you can see the user can SSH from 'devstation' to 'rpidc2'

Rowland





More information about the samba mailing list