1. Background: the company has used Kerberos authentication for a long time, but a recently commissioned batch of servers could not be logged into without a password; they prompted for one. The problem took almost a week of investigation before it was finally solved.
2. Overview: a Kerberos deployment has at least three parts. 1. ServerA (the KDC / kerberos-admin, i.e. the Kerberos server). 2. ServerB (the client; every user obtains tickets from the KDC through this machine). 3. ServerC (the target server; it has to be registered with the KDC, i.e. have a host principal and keytab, before passwordless login can work).
3. Symptom: logging into a device from the jump host with the go command prompts for a password.
Attempt 1: checks on ServerC:
Confirm Kerberos is installed correctly (krb5-config, krb5-locales, krb5-multidev, krb5-user, libgssapi-krb5-2, libkrb5-26-heimdal, libkrb5-3, libkrb5-dev, libkrb5support0, libpam-krb5).
Confirm the Kerberos configuration file /etc/krb5.conf is correct.
Confirm /etc/krb5.keytab, the keytab produced when the server's name and realm were registered with the KDC, is in place.
Check the .k5login file that lists the principals allowed to log in.
Check the settings in /etc/ssh/ssh_config: HashKnownHosts yes, GSSAPIAuthentication yes, GSSAPIDelegateCredentials yes, UserKnownHostsFile /dev/null, StrictHostKeyChecking no. (Caveat: the last two switch off host-key verification, so the client accepts any host key and a man-in-the-middle goes unnoticed; GSSAPIDelegateCredentials forwards the user's TGT to every host logged into. None of the three is needed for ticket-based login to work.)
Check the settings in /etc/ssh/sshd_config: KerberosAuthentication yes, KerberosOrLocalPasswd yes, KerberosTicketCleanup yes, GSSAPIAuthentication yes, GSSAPICleanupCredentials yes. (GSSAPIAuthentication is the option that enables the gssapi-with-mic method used for ticket-based login; KerberosAuthentication only governs validating a typed password against the KDC.)
Check that the clocks of ServerA, ServerB and ServerC are synchronised; the skew must stay under 5 minutes (the library's default clockskew is 300 seconds).
Check that /etc/hosts is correct. ------------ This is where the cause of the problem turned out to be.
Attempt 2: regenerate the keytab:
Because authentication kept failing, we deleted ServerC's host principal on ServerA (the KDC), regenerated /etc/krb5.keytab and copied it to the right location on the device. This did not solve the problem.
Attempt 3: packet capture:
Capturing with Wireshark on ServerB and on ServerC shows that after ServerB and ServerC connect and negotiate, ServerB sends a KRB5 request to ServerA (a TGS-REQ asking for ServerC's service ticket) and then continues the exchange with ServerC.
Compared with a capture from a server that logs in normally there was no obvious error, only that the failing login exchanged noticeably less data. No concrete cause was found here.
Attempt 4: login logs: follow the login-related entries in /var/log/auth.log with tailf.
Normal log:
Problem log:
From these it could be established that ServerC was failing to validate the authentication ticket on its side, which is why passwordless login was refused.
Attempt 5: ssh debug
On ServerC run sshd in debug mode on a spare port (it handles one connection and does not fork): /usr/sbin/sshd -d -p 2222. On ServerB run the login with verbose output: ssh -p2222 -vv phenix@ServerC
The debug output, ServerC side first:
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2222'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from ServerB IP port 35940 on ServerC IP port 2222
debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1 Debian-5ubuntu1.3
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.3 pat OpenSSH_5* compat 0x0c000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: permanently_set_uid: 104/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user phenix service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "phenix"
debug1: PAM: setting PAM_RHOST to "ServerB IP"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user phenix service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: Unspecified GSS failure. Minor code may provide more information
No key table entry found matching host/localhost@
debug1: userauth-request for user phenix service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 0 [preauth]
debug1: userauth-request for user phenix service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 3 failures 0 [preauth]
debug1: userauth-request for user phenix service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 4 failures 0 [preauth]
^C

ServerB side:
OpenSSH_5.9p1 Debian-5ubuntu1.3, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ServerC IP port 2222.
debug1: Connection established.
debug1: identity file /home/users/liyq/.ssh/id_rsa type -1
debug1: identity file /home/users/liyq/.ssh/id_rsa-cert type -1
debug1: identity file /home/users/liyq/.ssh/id_dsa type -1
debug1: identity file /home/users/liyq/.ssh/id_dsa-cert type -1
debug1: identity file /home/users/liyq/.ssh/id_ecdsa type -1
debug1: identity file /home/users/liyq/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 24:23:80:46:bf:14:f1:dc:50:5c:55:8f:d7:83:43:c3
debug1: checking without port identifier
Warning: Permanently added '[ServerC]:2222,[ServerC IP]:2222' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/users/liyq/.ssh/id_rsa ((nil))
debug2: key: /home/users/liyq/.ssh/id_dsa ((nil))
debug2: key: /home/users/liyq/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/users/liyq/.ssh/id_rsa
debug1: Trying private key: /home/users/liyq/.ssh/id_dsa
debug1: Trying private key: /home/users/liyq/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
At this point the client waits for a password to be typed. Note that the gssapi-with-mic attempts are rejected four times in a row and the server never enters the Kerberos authentication at all, which is why the capture in Attempt 3 showed so little traffic.
The decisive line on the ServerC side is:
No key table entry found matching host/localhost@
It shows that ServerC's own hostname is wrong. sshd derives its GSSAPI acceptor name from the local hostname; because ServerC canonicalised that name to localhost, the service principal it looked for became host/localhost@ (no realm can even be derived for localhost), and no entry in /etc/krb5.keytab matches it, although the keytab itself is valid. The client's TGS-REQ and service ticket were fine all along; the failure is entirely on the accepting side.
The lead came from http://serverfault.com/questions/315412/openssh-kerberos-sso-no-key-table-entry-found-for-host-localhost-localdomain, which describes the same error:
hostname issue
hostname -f on kerberos.monzell.com
should return: kerberos.monzell.com
should not return: localhost.localdomain
More detail on hostname problems can be found here:
http://blog.csdn.net/yuanchao99/article/details/22862563
This located the problem: ServerC's /etc/hosts was wrong, so hostname -f returned a localhost name instead of the FQDN under which the host principal was registered.
Wrong configuration:
Correct configuration:
Problem solved.
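As an added example that is not part of the original post, the following POSIX shell script turns the checks from this write-up into something that can be run on a server before a login fails. It reproduces how hostname -f canonicalises the short hostname from /etc/hosts (the first name on the first matching line, which is what glibc's files backend returns when hosts: files comes first in nsswitch.conf), extracts default_realm from krb5.conf, and verifies that host/<fqdn>@<REALM> is present in the keytab listing. The hostnames serverc / serverc.example.com, the address 192.0.2.10, the realm EXAMPLE.COM and the klist -k listing are constructed samples; the localhost.localdomain layout imitates the symptom and is not the post's actual /etc/hosts, which the page does not reproduce.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for the
# "No key table entry found matching host/localhost@" failure. Each function
# works on text passed as an argument, so the same logic runs against the
# constructed samples below or against the live files (see the end).

# Mimic `hostname -f` with the glibc files backend: the canonical name is the
# FIRST name on the first /etc/hosts line that lists the short hostname.
# Prints nothing if the short name does not appear at all.
canonical_name_from_hosts() {
    short=$1
    hosts_text=$2
    printf '%s\n' "$hosts_text" | awk -v h="$short" '
        { sub(/#.*/, "") }                 # strip comments, fields re-split
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $2; exit } }'
}

# Extract default_realm from krb5.conf text (first occurrence wins).
default_realm_from_conf() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | head -n 1
}

# Decide whether sshd on this host can accept a Kerberos login.
# Returns 0 = ok, 1 = hostname canonicalises to a localhost-style name,
# 2 = the expected host/ principal is absent from the keytab listing.
check_host_principal() {
    fqdn=$1
    realm=$2
    keytab_listing=$3          # text of `klist -k /etc/krb5.keytab`
    case "$fqdn" in
        ""|localhost|localhost.localdomain|*.localdomain)
            echo "BAD: host canonicalises to '$fqdn'; sshd would look for host/$fqdn@ in the keytab" >&2
            return 1 ;;
    esac
    principal="host/$fqdn@$realm"
    # Exact match on the principal column of the klist -k listing.
    if printf '%s\n' "$keytab_listing" | awk -v p="$principal" '$2 == p { f = 1 } END { exit f ? 0 : 1 }'; then
        echo "OK: $principal is present in the keytab"
        return 0
    fi
    echo "BAD: $principal not found in the keytab (wrong name, realm or keytab file)" >&2
    return 2
}

# ---- constructed samples (placeholders, not from the original post) ----
BAD_HOSTS='127.0.0.1   localhost.localdomain localhost serverc
192.0.2.10  serverc.example.com'

GOOD_HOSTS='127.0.0.1   localhost
192.0.2.10  serverc.example.com serverc'

SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 300'

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/serverc.example.com@EXAMPLE.COM
   3 host/serverc.example.com@EXAMPLE.COM'

report() {   # $1 = label, $2 = /etc/hosts text
    fqdn=$(canonical_name_from_hosts serverc "$2")
    echo "$1: hostname -f would return '$fqdn'"
    check_host_principal "$fqdn" "$(default_realm_from_conf "$SAMPLE_KRB5_CONF")" "$SAMPLE_KEYTAB" || true
}
report "wrong /etc/hosts" "$BAD_HOSTS"    # -> BAD, return code 1
report "fixed /etc/hosts" "$GOOD_HOSTS"   # -> OK, return code 0

# Live check on a real server (set KRB_CHECK_LIVE=1; reading the keytab needs root).
if [ -n "${KRB_CHECK_LIVE:-}" ] && command -v klist >/dev/null 2>&1; then
    check_host_principal \
        "$(canonical_name_from_hosts "$(hostname)" "$(cat /etc/hosts)")" \
        "$(default_realm_from_conf "$(cat /etc/krb5.conf)")" \
        "$(klist -k /etc/krb5.keytab 2>/dev/null)"
fi
```

Run it as is to see both layouts evaluated; run it with KRB_CHECK_LIVE=1 as root on the target host to evaluate the real files. The hosts-file parser covers the files backend only; if nsswitch.conf consults DNS first, or krb5.conf sets dns_canonicalize_hostname or rdns differently from the defaults, the name sshd ends up with can differ from this function's answer, so compare its output against the actual hostname -f.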
In summary: a login from ServerB to ServerC is checked against many things, including whether the visiting principal is listed in .k5login, whether ServerC's hostname matches the host/ principal in the keytab and in the service ticket, and whether ServerC's domain maps to the realm configured in /etc/krb5.conf. A valid keytab is useless if the host cannot work out its own fully qualified name.