#19764 – Проблема аутентификации через GSS API сетевыми пользователями

Bug 19764 - Проблема аутентификации через GSS API сетевыми пользователями

Summary: Проблема аутентификации через GSS API сетевыми пользователями

Status:	CLOSED WORKSFORME

Alias:	None

Product:	Sisyphus
Classification:	Development
Component:	openssh (show other bugs)
Version:	unstable
Hardware:	all Linux

Importance:	P3 normal
Assignee:	Evgeny Sinelnikov
QA Contact:	qa-sisyphus

URL:	https://bugzilla.altlinux.org/show_bu...
Keywords:

Depends on:
Blocks:

Reported:	2009-04-24 23:01 MSD by Evgeny Sinelnikov
Modified:	2017-12-22 21:26 MSK (History)
CC List:	5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Evgeny Sinelnikov 2009-04-24 23:01:49 MSD

По мотивам продолжения проблемы #18183

Не работает прозрачная аутентификация с сетевыми пользователями (не присутствующими в /etc/passwd):

[mastersin@valhalla ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: mastersin@SARATOV.ETERSOFT.RU

Valid starting     Expires            Service principal
04/24/09 22:42:30  04/25/09 08:43:17 
krbtgt/SARATOV.ETERSOFT.RU@SARATOV.ETERSOFT.RU
        renew until 04/24/09 22:42:30
04/24/09 22:42:40  04/25/09 08:43:17 
host/server.saratov.etersoft.ru@SARATOV.ETERSOFT.RU
        renew until 04/24/09 22:42:30
[mastersin@valhalla ~]$ ssh server
Connection closed by 192.168.33.1

[root@server ~]# tail  /var/log/messages
......
Apr 24 22:51:32 server sshd[11352]: Connection from 192.168.33.5 port 38963
Apr 24 22:51:33 server sshd[11352]: Failed none for mastersin from 192.168.33.5
port 38963 ssh2
Apr 24 22:51:33 server sshd[11355]: Postponed gssapi-with-mic for mastersin
from 192.168.33.5 port 38963 ssh2
Apr 24 22:51:33 server sshd[11352]: Authorized to mastersin, krb5 principal
mastersin@SARATOV.ETERSOFT.RU (krb5_kuserok)
Apr 24 22:51:33 server sshd[11352]: Failed gssapi-with-mic for mastersin from
192.168.33.5 port 38963 ssh2
Apr 24 22:51:33 server sshd[11355]: fatal: Access denied for user mastersin by
PAM account configuration

В параметрах ssh_config клиента включено:
GSSAPIAuthentication yes

В параметрах sshd_config сервера включено:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

При подключении в DEBUG режиме можно увидеть, что проблема в вызове
pam_acct_mgmt() из auth-pam.c: do_pam_account()

Comment 1 Evgeny Sinelnikov 2009-04-24 23:07:17 MSD

Отдельно привожу DEBUG вариант:

$ ssh -v server -p2222
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/openssh/ssh_config
debug1: Applying options for *
debug1: Connecting to server [192.168.33.1] port 2222.
debug1: Connection established.
debug1: identity file /home/mastersin/.ssh/id_rsa type -1
debug1: identity file /home/mastersin/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes256-ctr hmac-md5 none
debug1: kex: client->server aes256-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'server' is known and matches the RSA host key.
debug1: Found key in /home/mastersin/.ssh/known_hosts:1
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
Connection closed by 192.168.33.1

[root@server ~]# /usr/sbin/sshd -ddDp2222
debug2: load_server_config: filename /etc/openssh/sshd_config
debug2: load_server_config: done config len = 372
debug2: parse_server_config: config /etc/openssh/sshd_config len 372
debug1: sshd version OpenSSH_5.2p1
debug1: read PEM private key done: type RSA
debug1: Checking fingerprint d8:e3:2a:eb:3c:e7:2e:43:52:32:70:0c:6e:f3:5a:b8 using blacklist file /etc/openssh/blacklist
open blacklist file /etc/openssh/blacklist failed: No such file or directory
Unable to check blacklist for host key d8:e3:2a:eb:3c:e7:2e:43:52:32:70:0c:6e:f3:5a:b8
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking fingerprint 96:80:0d:89:30:a2:a5:39:5a:4e:74:d6:69:82:bf:cf using blacklist file /etc/openssh/blacklist
open blacklist file /etc/openssh/blacklist failed: No such file or directory
Unable to check blacklist for host key 96:80:0d:89:30:a2:a5:39:5a:4e:74:d6:69:82:bf:cf
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddDp2222'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
socket: Address family not supported by protocol

debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.33.5 port 52448
debug1: Client protocol version 2.0; client software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: permanently_set_uid: 108/115
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes256-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes256-ctr hmac-md5 none
debug2: Network child is on pid 11502
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: monitor_read: 0 used once, disabling now
debug2: dh_gen_key: priv key bits set: 250/512
debug2: bits set: 2063/4096
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 2085/4096
debug2: monitor_read: 4 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug2: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug2: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user mastersin service ssh-connection method none
debug1: attempt 0 failures 0
debug2: parse_server_config: config reprocess config len 372
debug2: monitor_read: 6 used once, disabling now
debug2: input_userauth_request: setting up authctxt for mastersin
debug2: input_userauth_request: try method none
debug1: PAM: initializing for "mastersin"
debug1: PAM: setting PAM_RHOST to "valhalla.saratov.etersoft.ru"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug2: monitor_read: 3 used once, disabling now
Failed none for mastersin from 192.168.33.5 port 52448 ssh2
debug1: userauth-request for user mastersin service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
Postponed gssapi-with-mic for mastersin from 192.168.33.5 port 52448 ssh2
debug1: Got no client credentials
Authorized to mastersin, krb5 principal mastersin@SARATOV.ETERSOFT.RU (krb5_kuserok)
debug1: do_pam_account: called
Failed gssapi-with-mic for mastersin from 192.168.33.5 port 52448 ssh2
sshd: Access denied for user mastersin by PAM account configuration
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup

[root@server ~]# id mastersin
uid=65541(mastersin) gid=65537(netadmins) groups=65537(netadmins),2(daemon),10(wheel),100(users),109(fuse),503(vboxusers),528(admins)
[root@server ~]# getent passwd mastersin
mastersin:x:65541:65537:Evgeny Sinelnikov:/home/remote/mastersin:/bin/bash

Comment 2 Evgeny Sinelnikov 2009-04-24 23:10:54 MSD

Привожу также конфиг PAM:

[root@server ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth     required       pam_userpass.so
auth     include        system-auth-use_first_pass
auth     required       pam_nologin.so
session  required       pam_loginuid.so
account  include        system-auth
password include        system-auth
session  include        system-auth
[root@server ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
auth     sufficient     pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
auth     requisite      pam_succeed_if.so uid >= 500 quiet
auth     required       pam_krb5.so use_first_pass

account  sufficient     pam_tcb.so shadow fork
account  required       pam_krb5.so

password required       pam_passwdqc.so config=/etc/passwdqc.conf
password sufficient     pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
password requisite      pam_succeed_if.so uid >= 500 quiet
#password required      pam_krb5.so use_authtok

session  optional       pam_tcb.so
session  optional       pam_krb5.so
#session  required      pam_mktemp.so
session  required       pam_limits.so
session  required       pam_mkhomedir.so silent skel=/etc/skel umask=0022
[root@server ~]# cat /etc/pam.d/system-auth-use_first_pass
#%PAM-1.0
auth     sufficient     pam_tcb.so shadow fork prefix=$2a$ count=8 nullok use_first_pass
auth     requisite      pam_succeed_if.so uid >= 500 quiet
auth     required       pam_krb5.so use_first_pass

password sufficient     pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
password requisite      pam_succeed_if.so uid >= 500 quiet
password required       pam_krb5.so use_authtok

Comment 3 Dmitry V. Levin 2010-10-16 18:08:47 MSD

gssapi это не совсем моя епархия, попробуйте разобраться сами.

Comment 4 Vitaly Lipatov 2017-12-22 21:26:04 MSK

Уже давно работает.