SSH with Kerberos Auth not working

I'm trying to log in to my Linux VM with SSH using Kerberos authentication.



My Linux VM has successfully joined my AD using the realmd / sssd method.



I changed my sshd_config settings to:



PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes


On the client side, Mac OS 10.12, .ssh/config contains:



GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIDelegateCredentials yes


When I ssh to my Linux VM with -v, here is the output:



OpenSSH_7.5p1, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /Users/alex/.ssh/config
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug1: Connecting to plex [192.168.1.23] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Remote protocol version 2.0, remote software version
OpenSSH_7.4p1 Debian-10+deb9u2
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u2 pat OpenSSH* compat
0x04000000
debug1: Authenticating to plex:22 as 'alex'
debug1: An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2

debug1: Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14

debug1: Miscellaneous failure (see text)
unknown mech-code 2 for mech 1 3 6 1 4 1 311 2 2 10

debug1: An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7

debug1: Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5

debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256
SHA256:gLapxwxzqzjnfD7CZhnkEkcVeWRPUeh1XnCwKzV8YMs
debug1: Host 'plex' is known and matches the ECDSA host key.
debug1: Found key in /Users/alex/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Miscellaneous failure (see text)
The ticket isn't for us

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2

debug1: Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14

debug1: Miscellaneous failure (see text)
unknown mech-code 2 for mech 1 3 6 1 4 1 311 2 2 10

debug1: An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7

debug1: Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5

debug1: Next authentication method: publickey
debug1: Trying private key: /Users/alex/.ssh/id_rsa
debug1: Trying private key: /Users/alex/.ssh/id_dsa
debug1: Trying private key: /Users/alex/.ssh/id_ecdsa
debug1: Trying private key: /Users/alex/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:


And then it asks for a password...



Am I doing something wrong?



/etc/sssd/sssd/conf is:



[sssd]
domains = home.lan
config_file_version = 2
services = nss, pam, ssh

[domain/home.lan]
ad_domain = home.lan
id_provider = ad
access_provider = ad

krb5_realm = HOME.LAN
realmd_tags = joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u


Thanks!!







      edited Jan 5 at 18:57

























      asked Jan 5 at 18:40









      jaydee99
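
To read the client debug output in the question method by method, the following added example (not code from the question or from the answer) parses ssh -v text and reports which key exchange was negotiated and what each authentication method logged before the client moved on. SAMPLE_LOG is a shortened copy of lines quoted in the question; the function names are hypothetical.

```python
import re

# Shortened copy of the `ssh -v` lines quoted in the question (constructed sample).
SAMPLE_LOG = """\
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==
debug1: kex: algorithm: curve25519-sha256
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Miscellaneous failure (see text)
The ticket isn't for us

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2

debug1: Next authentication method: publickey
debug1: Trying private key: /Users/alex/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
Password:
"""

NEXT_METHOD = re.compile(r"^debug1: Next authentication method: (\S+)")
CAN_CONTINUE = re.compile(r"^debug1: Authentications that can continue: \S+")
KEX_ALGO = re.compile(r"^debug1: kex: algorithm: (\S+)")
GSS_OFFER = re.compile(r"^debug1: Offering GSSAPI proposal: (\S+)")
DEBUG_LINE = re.compile(r"^debug\d: (.*)")

# Progress messages that are not failures (hypothetical filter list).
INFORMATIONAL = {"Delegating credentials"}


def parse_auth_attempts(log):
    """Return (kex_algorithm, offered_gss_kex, attempts) from `ssh -v` text."""
    kex_algorithm = None
    offered_gss_kex = []
    attempts = []    # [{"method": str, "messages": [str, ...]}, ...]
    current = None   # attempt that is currently collecting messages
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEX_ALGO.match(line)
        if m:
            kex_algorithm = m.group(1)
            continue
        m = GSS_OFFER.match(line)
        if m:
            offered_gss_kex = m.group(1).split(",")
            continue
        m = NEXT_METHOD.match(line)
        if m:
            current = {"method": m.group(1), "messages": []}
            attempts.append(current)
            continue
        if CAN_CONTINUE.match(line):
            # The server rejected the attempt; what follows (for example the
            # client's mechanism probing) belongs to no method.
            current = None
            continue
        if current is None:
            continue
        m = DEBUG_LINE.match(line)
        if m:
            current["messages"].append(m.group(1))
        elif current["messages"]:
            # Non-debug line: detail text for the previous status line.
            current["messages"][-1] += ": " + line
        else:
            current["messages"].append(line)
    return kex_algorithm, offered_gss_kex, attempts


def gssapi_findings(log):
    """Summarise why the GSSAPI methods did not complete."""
    kex_algorithm, offered, attempts = parse_auth_attempts(log)
    errors = {}
    for attempt in attempts:
        if attempt["method"].startswith("gssapi-"):
            errors[attempt["method"]] = [
                msg for msg in attempt["messages"] if msg not in INFORMATIONAL
            ]
    return {
        "kex_algorithm": kex_algorithm,
        "gss_kex_offered": bool(offered),
        # gssapi-keyex can only succeed when a gss-* key exchange was negotiated.
        "gss_kex_negotiated": bool(kex_algorithm) and kex_algorithm.startswith("gss-"),
        "methods_tried": [a["method"] for a in attempts],
        "gssapi_errors": errors,
        "fell_back_to": attempts[-1]["method"] if attempts else None,
    }


if __name__ == "__main__":
    for key, value in gssapi_findings(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the question's log this shows that the negotiated key exchange was curve25519-sha256 rather than one of the offered gss-* methods, which is why gssapi-keyex reports no key exchange context, and that gssapi-with-mic was rejected with "The ticket isn't for us". That text is the message for the Kerberos error KRB_AP_ERR_NOT_US: the service ticket presented names a principal the accepting host holds no key for, so the host name the client connects to and the host principals in the server's keytab are the things to compare.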

          1 Answer
          Are you able to successfully check the Domain account information using



          id username@domain


          Also, check the output of



          realm discover domain


          Note this should show output if your Linux machine is a Kerberos member:



          [root@linuxVM ~]# realm discover domain.dom
          domain.dom
          **type: kerberos**
          realm-name: DOMAIN.DOM
          domain-name: domain.dom
          configured: no
          server-software: active-directory
          client-software: sssd
          required-package: oddjob
          required-package: oddjob-mkhomedir
          required-package: sssd
          required-package: adcli
          required-package: samba-common-tools


          And I hope you are trying to log in like this:



          ssh username@domain.dom


          If the Kerberos member is not being listed, then you can use the following to join again:



          realm join domain.dom -U administrator@domain.dom


          And then enable SSSD login using the following:



          authconfig --enablesssd --enablesssdauth --enablemkhomedir --update


          Restart the realmd and sssd services.



          Note that by doing this, all of the domain users will be able to log in to the Linux server. You may want to deny all and enable group-specific login, but I will leave that to you.



          #Deny login to everyone using below:
          realm deny --all

          #Permit specific AD Groups:
          realm permit -g AD_GROUP_NAME@domain.dom





                edited Feb 6 at 19:50

























                answered Jan 15 at 13:18









                Rajneesh Gadge
