Ubuntu Security :: SSH To Server Using GSSAPI/Kerberos Prompts For Password When Using DNS Alias?

Jan 15, 2010

I have a Kerberos/LDAP/OpenAFS server running on Debian lenny, set up according to Davor Ocelic's excellent guide here (url). SSHd has been configured to use GSSAPI auth and the clients have been configured to pass auth tokens through to the server.

My clients are all Ubuntu 9.10 x86 fully patched. On the clients, OpenAFS has been compiled and installed as a kernel module and git 1.6.6 has been compiled from source and installed. Otherwise, all software is stock Ubuntu repository-ware.

The setup is working fine as long as I connect to the primary server using its hostname:

peter@client01:~$ ssh nana
<connection goes through seamlessly without prompting>
peter@nana:~$

If I try to connect via a DNS alias (actually a second CNAME record), I get:

peter@client01:~$ ssh git1
peter@git1's password:
<connection completes>
peter@nana:~$

I need both passwordless auth and the DNS alias working, as it's internal policy that user connections are only ever made to service names, not real hostnames.

I have tried adding a second host principal to Kerberos for the alias (git1.darling.local) in addition to the host principal for the hostname (nana.darling.local).

If I turn off PasswordAuthentication in sshd_config, then "ssh git1" doesn't even fall through to passwords; it just denies logins. So it looks like it's not even using GSSAPI for the DNS alias.

So:

1) Is what I want even possible? I can't find anything that indicates that there's anything odd about DNS aliases such that this should happen.

2) Which config files should I post to help debug this? There's a lot and I didn't want to start blarfing them here if they aren't helpful.

Ubuntu Security :: [SSH] Gssapi-with-mic Password-less Kerberos Login?

May 13, 2011

I'm trying to login to a server using gssapi-with-mic authentication against one of my school's machines that supports this mode of authentication. I have these kerberos packages installed:

batrick@menzoberranzan:~$ dpkg -l | grep krb
ii krb5-config 2.2 Configuration files for Kerberos Version 5

[code]....

Ubuntu Security :: Possible To Limit Number Of Prompts For Keyring Password?

Jan 18, 2010

I have a standard home set-up for my Ubuntu OS, and I would like to know whether it's possible to cut out the repetitive prompts to enter the password, as when you connect to the internet or access files on a partition that's not home, or install new software.

Ubuntu :: Ticket Forwarding / GSSAPI / Failed Gssapi-with-mic

Dec 11, 2010

I am trying to get Kerberos ticket forwarding via SSH to work between RHEL and Ubuntu. It is working when connecting from Ubuntu to RHEL, but not the other way round. (It also works between RHEL machines.) I have enabled the GSSAPI features in both SSH client and server, checked keytabs and verified that my ticket is forwardable.

Any idea how to get more information? Could it have something to do with using allow_weak_crypto=yes in our krb5.conf? I have to use that, because our Kerberos server only supports DES encryption.

General :: Connect To The Server It Prompts For Username And Password?

May 3, 2010

I installed Acronis on the server end. The problem is that I have disabled the graphical interface on the server. I have an Acronis management console on a Windows system where the image is being created. When I try to connect to the Linux server it prompts for username and password; after I give the credentials I get this error:

[Code]...

Security :: Secure Samba Server With Kerberos?

Jul 17, 2010

Is it possible to secure a Samba server with Kerberos? I want to know whether we can use Kerberos authentication to secure the Samba user name and password so that no one can sniff that information. Configuration or any URL link from which I can get the exact configuration.

Fedora Installation :: LDAP - NIS - Kerberos - Add Mint Machines To Server To Use New Security Settings

Dec 10, 2009

I wish to set up a network that works like Windows but with Linux of course! It will need to be able to handle security/DNS/DHCP & Document store from one location. I've been doing some reading and have found that I think I need to be using one of the following:

LDAP
NIS
Kerberos

I have looked at a few Linux based OS's. I did notice that when you install fedora live desktop it gives you the option to connect to one of the above. So I am looking for a complete solution.

1. How to setup fedora to act as server for my needs (or other Linux build)

2. Add fedora/linux mint machines to server to use new security settings. (or other linux build)

Security :: Setup A Kerberos + OpenLDAP Server To Manage Users For Our Samba Shares

Feb 13, 2011

Trying to setup a Kerberos + OpenLDAP server to manage users for our Samba shares (was going to use just OpenLDAP, but apparently it is less secure than using Kerberos with it). (Distro: CentOS 5.5) Haven't even gotten to the point of connecting either to Samba yet. I have set up a Kerberos server, and configured it as necessary. I am happy that it is working as intended, as I can login and manage principals from both the local terminal and remotely on other clients.

I have setup a server (sv1.myhost.net), and configured it to talk to Kerberos (auth.myhost.net). I have created both a [URL] principal, and a testuser principal. I have set the password on the testuser but not on the host/sv1.myhost.net. I have added the keys for both users to the keytab file on the sv1.myhost.net. I am at a Windows 7 machine (on the same internal network), and have installed the Network Identity Manager. It is able to request a ticket successfully for the testuser account.

When I use putty w/GSSAPI (0.58) to remote login to the system, it says using 'testuser' and then just hangs there. Eventually putty connection times out. The fact that both machines can connect to the auth server to communicate with kerberos correctly suggests firewalls are correct. The relevant entries in sshd_config have been uncommented to tell srv1 to use Kerberos authentication.

Security :: Kerberos And LDAP - Users Will Be Able To Login In To A Server On The Edge Of The LAN And Establish A SSH Connection

Feb 19, 2010

I am trying to deploy Kerberos and LDAP so users will be able to log in to a server on the edge of the LAN, and afterwards be able to establish an SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.

1. When I create the users in OpenLDAP I use a template that I created by reading documentation from the Internet. In the template one piece of information that is needed is the UID. Is there any clever way to keep track of the numbers so I do not assign the same UID to two users, besides using a pen and paper?

2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com. Is it possible to replace client with something generic so I do not need to manage these keytab files between the hosts?

3. Users will be logging on to the server on the edge of the LAN by using SSH keys. How can I configure the setup so the users will receive a ticket automatically when they log on without executing kinit and without entering a password, just by having a valid SSH key?

4. krb5kdc is running on all the network interfaces in the server. I want it to only run on eth1; how can this be done?

Ubuntu :: Evolution Prompts For Password?

Feb 6, 2010

I am running Ubuntu 9.10. When I open Evolution, it prompts me for a password to the default keyring. I am not sure what this is, but I would like to not have to do this. I looked around in Evolution and did not see a way to have this password entered automatically. I searched this forum and it found no results. So I don't know if my problem is unique or not.

Ubuntu :: How To Disable Password Prompts?

Jul 28, 2010

I know, I know, it's a security feature. That doesn't make it any less annoying. I find the constant asking for my password to be every bit as irritating as Windows's UAC. When I want to use the terminal, or when I want to download something, I don't want to have to enter my password every time. I don't care that someone could theoretically do something to my computer in some way. I managed to stay out of harm's way in Windows with UAC off, I'm sure I can do it in Ubuntu without the constant nagging of the password prompts. It's annoying and I am tired of dealing with it. Anyone know how to turn it off? I am really not looking for reasons to leave it on. It's the same with UAC: Yeah, it can keep you out of trouble. No, I don't want it on.

General :: Su Prompts For A Password When No Such Is Set?

Nov 11, 2010

Story: I use Fedora9 and I want to set up an FTP server without creating a home dir for each and every user; I want them to share 1 home dir. All users are in one group. Problem: I write the following:

Code:
root# useradd -d /home/ftp_home -g ftp_users -M user1
root# useradd -d /home/ftp_home -g ftp_users -M user2

[code]...

Ubuntu :: Gksu Prompts For Administrative Password

Apr 19, 2011

How to fix the problem that is happening with gksu. It prompts me for the administrative password. I don't (for advised security reasons) have a password associated with the root account.

The sudo works fine and accepts my sudo password. Gksu fails with "incorect password... try again." error.

This is a new install of the Ubuntu Server 10.10 x64 Maverick edition.

General :: Scp Gives "Permission Denied (publickey,gssapi-with-mic,password)"?

Feb 4, 2011

I'm having a remote server running SSH, I use the scp from my local computer like this:

scp filename.txt username@IP:Port:home/username

It asks for the password, I supply it, it doesn't accept it 3 times and then I get "Permission denied (publickey,gssapi-with-mic,password)"

Ubuntu :: Kubuntu LiveCD Prompts For User / Password?

May 30, 2010

Kubuntu live CD prompts me for user name password, what is it? I've tried all obvious blank, kubuntu etc, none worked.

Security :: Users Subverting Security On Purpose / Kerberos Only Answer?

May 12, 2010

I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight rein on nfs exports. Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.

We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.

Red Hat / Fedora :: SFTP - Using RSA Key Authentication - Still Prompts For Password

Dec 5, 2010

Server A: Generated RSA Key
Server B: Added the RSA Key to authorized_keys list
SFTP from A to B.
Still prompts for password.

I will be sftp-ing both from Server B to Server A and 'A to B'. Server B to Server A works fine. No prompting for password. But from A to B this is what is happening in the sftp -v log...

debug1: Offering public key: ~InfAdmin-.ssh-id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: ~InfAdmin-.ssh-id_dsa
debug1: Next authentication method: password
InfAdminATServerB's password:

Why is this trying id_dsa private key? From Server B to Server A when I do the same, it does not say 'Trying Private Key -id_dsa' This is what it says

debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).

How do I enforce that Server A does the same? Why is it trying the dsa private key when I have used RSA.

General :: Newbie Being Harassed By Password Prompts?

Jul 12, 2010

I just installed Ubuntu last night on a partition, and so far..There is one thing that may be a deal-breaker for me though: It seems that I am always prompted for a password!!!! When I first start my machine up...PASSWORD! O-K, once a day wouldn't be so bad...but if I let my display turn off while I'm away from the 'puter...I come back, and...PASSWORD?! Every time I try to do anything on the system....PASSWORD?!

I did a few things that I thought might solve the problem- I checked some boxes here and there, like "automatically log on" and made myself an administrator....but no matter what I do, I'm plagued by the password prompt 600 times a day and I can't take it!!!

Is there any way to stop this nonsense? This is WORSE than Windows UAC crapola!! (at least with that, you just have to click a button)- As much as I am loving Ubuntu....if there is no way to disable this password nonsense, I'm afraid I'll be heading back to Vista. I'm the only person who uses my computer (Although I think my dogs were playing on it while I was out fixing the tractor today...)- so I just need to know if there's a way to get rid of all this password-protected stuff?

Ubuntu :: Disable Password Prompts That Pop Open Every Time I Try To Install Something?

Jun 3, 2010

Was just wondering if there was a way to disable the password prompts that pop open every time I try to install something. Is there a way to do that?

Ubuntu :: Reset A Kerberos Password?

Aug 5, 2011

We have an employee that left our place of business on bad terms and his computer has been locked out since. The comp runs Ubuntu 10.10.

We have followed the regular password reset methods online but the Kerberos password seems to be getting in the way. We have no idea what this password is and it seems impossible to work around. Does anybody know a way?

We were about to gain access as the root user but cannot access other user accounts as the root user.

Fedora :: Disable Password Prompts Every 5 Mins From Screen Saver?

Apr 10, 2011

I just installed fedora 13 in virtualbox. (running intel dual core with 4 gi ram chips installed under windows xp)

I want to disable the annoying password prompts on my Fedora 13 every 5 minutes.

Tried right click desktop and nothing

Tried export TMOUT=3600 on a xterm account, not sure if it is working or not.

Ubuntu Servers :: CANNOT Change Password, Kerberos + LDAP?

Jul 29, 2010

I have installed servers (10.04 LTS Server) with Kerberos + LDAP; now I can ssh to all those servers and log in with a Kerberos principal. But when I want to change the password, I get this error:

Code:
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Password change rejected: Password not changed.
Kerberos database constraints violated while trying to change password.

passwd: Authentication token manipulation error
passwd: password unchanged

I have searched for this issue but cannot find any useful information. Would someone give me a direction?

Ubuntu Security :: Keyring Login Prompts Multiple Times

Nov 9, 2010

It's been a while since I've been on here. I suppose that can be considered a good thing, since I made the complete transfer to Ubuntu three months ago and everything's been running completely smoothly. Anyway, security is a pretty big thing to me. I usually change the root password, take sudo off (and default gksu, not gksudo), encrypt my hard drives, etc... One thing I also do is create a separate password for my login keyring. I don't mind having to enter one extra password at login, but it started prompting two times, and now three. It's the same password every time, so my question is..

Fedora :: Kerberos Admin Password Lost?

Aug 3, 2010

I just took a job and the admin password for the AFS is missing. How do I find/reset this password? I have the root password for the machine it is installed on.

Software :: Kerberos Authentication For Telnet Asks For Password?

Jun 8, 2011

I have set up my KDC and telnet on the same server.

I am trying to telnet from a local PC. This is the output I am getting:

[sudip@kdcclient root]$ telnet -a -F -x kdc
Trying 192.168.1.3...
Connected to kdc.example.local (192.168.1.3).
Escape character is '^]'.

[Code]....

So why is it asking for a password? What am I missing here?

Security :: Kerberos Versus LDAP SSL

Apr 21, 2011

I am integrating my Unix box to the Windows AD using PAM_LDAP and Kerberos enabled. I was wondering, since Kerberos is enabled, is there any point in enabling SSL in my LDAP.conf? My understanding is that since Kerberos is enabled, and therefore the username/password is sent securely, there isn't any benefit to enabling SSL in the LDAP.conf? It's one or the other.

Ubuntu Security :: Gnome-keyring-daemon And Kerberos

Jul 12, 2010

I have Ubuntu 10.04 configured to login with Kerberos (as in [url]). Everything works fine, except gnome-keyring-daemon:

-If I login with a local user, gnome-keyring-daemon works right. Besides, the keyring is automatically unlocked with the login password.

-If I login with a Kerberos user:

- The session startup is considerably slower.

- /var/log/auth.log says something like:

Code:

- If I execute a program that needs the gnome-keyring (like Evolution), it is desperately slow, and it says:

Code:

Message: secret service operation failed: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

- If I kill all gnome-keyring-daemon (killall gnome-keyring-daemon), start a new one (gnome-keyring-daemon), and restart the application that uses the gnome-keyring, it works fine, but it asks me for the password to unlock the keyring (I think that this is the normal behaviour if gnome-keyring-daemon did not start before).

I have seen the configurations in /etc/pam.d and everything looks fine (with pam_gnome_keyring.so). Indeed, I think that if something was wrong here, the local user would not have the keyring unlocked automatically.

Security :: Permitting Users To Ssh With Out Typing Their Passwords Via Kerberos?

May 24, 2010

Is there a way to use Kerberos (or barring that a trusted CA) to allow users to ssh across machines in an environment instead of having to manage the hash keys per user/server? I'm using Kerberos+LDAP to log folks in and get their settings but I'd like to take it a step further. I've been reading a lot but still can't quite get it all to come together.

Do I need to create a SPN for each host to do this? Sorry if I am asking a dumb question, I am returning to the *nix fold after a decade+ in the Microsoft world, be gentle with me.

Security :: SuSe Authentication Failed After Installation Of Kerberos

Jun 3, 2010

I have installed Kerberos on my SUSE machine, but after installation I am now not able to log in to it even with the root password. I searched over the internet but could not find the solution. What to do now and how to configure Kerberos on a local machine with only local users authentication? I mean client and server both are on the same machine.

Fedora Security :: Can't Forward My Kerberos Credentials To A Computing Resource

Aug 23, 2011

I can't forward my kerberos credentials to a computing resource before connecting to the resource for which I have kerberos credentials. In other words, from my machine at work I obtain my ticket with kinit -f to a computing facility off in some lab somewhere.

Then, I want to ssh to another machine in another department (I don't have control over the krb5.conf file or this would have been easy) where I work. It is on this machine I want to be able to ssh,scp, etc to this far off lab. I've tried several options around this barrier, but I'm a total failure thus far. I checked that GSSAPIAuthentication is set to yes.

[Code]...

Copyrights 2005-15 www.BigResource.com, All rights reserved