SSH avec authentification Kerberos

Question

Je rencontre le problème suivant: j'essaie de me connecter à partir d'un client VM à un serveur VM à l'aide de SSH avec l'authentification Kerberos, mais SSH me demande toujours un mot de passe. Bien évidemment, j'ai modifié le fichier /etc/ssh/sshd_config, côté serveur, pour permettre: GSSAPIAuthentication yes et GSSAPICleanupCredentials yes. Sur la machine client, j'ai fait la même chose dans le fichier /etc/ssh/ssh_config. À propos de Kerberos: j'ai ajouté un principal utilisant kadmin.local, appelé Host/server@SERVER.COM où "serveur" est le nom d'hôte de la machine serveur et SERVER.COM, le nom du domaine. Une fois ce principe créé pour le service SSH, j’ai utilisé le ktadd -k command pour ajouter le fichier de clés (pour que tout soit clair, le serveur SSH et le serveur Kerberos se trouvent sur le même ordinateur) situé à /etc/krb5.keytab. La sortie de Sudo klist -ke /etc/krb5.keytab est

Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 Host/server.com@SERVER.COM (aes256-cts-hmac-sha1-96) 1 Host/server.com@SERVER.COM (aes128-cts-hmac-sha1-96) 1 Host/server.com@SERVER.COM (aes256-cts-hmac-sha1-96) 1 Host/server.com@SERVER.COM (aes128-cts-hmac-sha1-96) 1 Host/server.com@SERVER.COM (aes256-cts-hmac-sha1-96) 1 Host/server.com@SERVER.COM (aes128-cts-hmac-sha1-96) 1 michele@SERVER.COM (aes256-cts-hmac-sha1-96) 1 michele@SERVER.COM (aes128-cts-hmac-sha1-96) 1 Host/server@SERVER.COM (aes256-cts-hmac-sha1-96) 1 Host/server@SERVER.COM (aes128-cts-hmac-sha1-96)

Donc, la création de keytab était OK. Eh bien, sur la machine du serveur, j’ai également ajouté un utilisateur nommé michele (même dans la liste ci-dessus et ajouté en tant que principal évidemment) et la même chose a été créée sur la machine cliente. J'ai tapé la commande ssh en mode débogage Sudo /usr/sbin/sshd -p 9001 -D -dd à la fois sur le client et sur le serveur et j’obtiens ce qui suit:

1) Pour le côté serveur:

debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 370 debug2: parse_server_config: config /etc/ssh/sshd_config len 370 debug1: sshd version OpenSSH_7.5, OpenSSL 1.0.2g 1 Mar 2016 debug1: private Host key #0: ssh-rsa SHA256:Uu0sgKAMRqoKGBxZ+pLywmfCH8Fby+3p/rgJ5TSn45w debug1: private Host key #1: ecdsa-sha2-nistp256 SHA256:ycCOVyRMzFst+8uwleIs1VtvhsoN+3GZE/Tjj7i/MlA debug1: private Host key #2: ssh-ed25519 SHA256:I1PpnUol1xHFKTiM+yTGN0C3h6PSjgo34VjkFtUH6Uk debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-p' debug1: rexec_argv[2]='9001' debug1: rexec_argv[3]='-D' debug1: rexec_argv[4]='-dd' debug1: Set /proc/self/oom_score_adj from 0 to -1000 debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 9001 on 0.0.0.0. Server listening on 0.0.0.0 port 9001. debug2: fd 4 setting O_NONBLOCK debug1: Bind to port 9001 on ::. Server listening on :: port 9001. debug1: Server will not fork when running in debugging mode. debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 3, 3 Connection from 192.168.56.5 port 60904 on 192.168.56.4 port 9001 debug1: Client protocol version 2.0; client software version OpenSSH_7.5p1 Ubuntu-10ubuntu0.1 debug1: match: OpenSSH_7.5p1 Ubuntu-10ubuntu0.1 pat OpenSSH* compat 0x04000000 debug1: Local version string SSH-2.0-OpenSSH_7.5p1 Ubuntu-10ubuntu0.1 debug1: Enabling compatibility mode for protocol 2.0 debug2: fd 3 setting O_NONBLOCK debug2: Network child is on pid 4541 debug1: permanently_set_uid: 122/65534 [preauth] debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug2: local server KEXINIT proposal [preauth] debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth] debug2: Host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth] debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth] debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth] debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth] debug2: compression ctos: none,zlib@openssh.com [preauth] debug2: compression stoc: none,zlib@openssh.com [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug2: peer client KEXINIT proposal [preauth] debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth] debug2: Host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth] debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth] debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth] debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth] debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth] debug2: compression ctos: none,zlib@openssh.com,zlib [preauth] debug2: compression stoc: none,zlib@openssh.com,zlib [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug1: kex: algorithm: curve25519-sha256 [preauth] debug1: kex: Host key algorithm: ecdsa-sha2-nistp256 [preauth] debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth] debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug2: monitor_read: 6 used once, disabling now debug2: set_newkeys: mode 1 [preauth] debug1: rekey after 134217728 blocks [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] debug1: SSH2_MSG_NEWKEYS received [preauth] debug2: set_newkeys: mode 0 [preauth] debug1: rekey after 134217728 blocks [preauth] debug1: KEX done [preauth] debug1: userauth-request for user michele service ssh-connection method none [preauth] debug1: attempt 0 failures 0 [preauth] debug2: parse_server_config: config reprocess config len 370 debug2: monitor_read: 8 used once, disabling now debug2: input_userauth_request: setting up authctxt for michele [preauth] debug1: PAM: initializing for "michele" debug1: PAM: setting PAM_RHOST to "192.168.56.5" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 100 used once, disabling now debug2: monitor_read: 4 used once, disabling now debug2: input_userauth_request: try method none [preauth] debug1: userauth-request for user michele service ssh-connection method password [preauth] debug1: attempt 1 failures 0 [preauth] debug2: input_userauth_request: try method password [preauth] debug1: PAM: password authentication accepted for michele debug1: do_pam_account: called Accepted password for michele from 192.168.56.5 port 60904 ssh2 debug1: monitor_child_preauth: michele has been authenticated by privileged process debug1: monitor_read_log: child log fd closed debug1: temporarily_use_uid: 1004/1004 (e=0/0) debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism debug1: restore_uid: 0/0 debug1: PAM: establishing credentials User child is on pid 4618 debug1: SELinux support disabled debug1: PAM: establishing credentials debug1: permanently_set_uid: 1004/1004 debug2: set_newkeys: mode 0 debug1: rekey after 134217728 blocks debug2: set_newkeys: mode 1 debug1: rekey after 134217728 blocks debug1: ssh_packet_set_postauth: called debug1: Entering interactive session for SSH2. debug2: fd 6 setting O_NONBLOCK debug2: fd 8 setting O_NONBLOCK debug1: server_init_dispatch debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug2: session_new: allocate (allocated 0 max 10) debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0 debug1: server_input_channel_req: channel 0 request pty-req reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug2: session_new: allocate (allocated 0 max 10) debug1: session_new: session 0 debug1: SELinux support disabled debug1: session_pty_req: session 0 alloc /dev/pts/1 debug1: server_input_channel_req: channel 0 request env reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req env debug2: Setting env 0: LANG=it_IT.UTF-8 debug1: server_input_channel_req: channel 0 request Shell reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req Shell Starting session: Shell on pts/1 for michele from 192.168.56.5 port 60904 id 0 debug2: fd 3 setting TCP_NODELAY debug1: Setting controlling tty using TIOCSCTTY. debug2: channel 0: rfd 11 isatty debug2: fd 11 setting O_NONBLOCK

et pour le côté client:

~$ ssh -p 9001 -vv michele@192.168.56.4 OpenSSH_7.5p1 Ubuntu-10ubuntu0.1, OpenSSL 1.0.2g 1 Mar 2016 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2: resolving "192.168.56.4" port 9001 debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to 192.168.56.4 [192.168.56.4] port 9001. debug1: Connection established. debug1: key_load_public: No such file or directory debug1: identity file /home/michele/.ssh/id_rsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/michele/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/michele/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/michele/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/michele/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/michele/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/michele/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/michele/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.5p1 Ubuntu-10ubuntu0.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5p1 Ubuntu-10ubuntu0.1 debug1: match: OpenSSH_7.5p1 Ubuntu-10ubuntu0.1 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to 192.168.56.4:9001 as 'michele' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c debug2: Host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 debug2: Host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib@openssh.com debug2: compression stoc: none,zlib@openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256 debug1: kex: Host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server Host key: ecdsa-sha2-nistp256 SHA256:ycCOVyRMzFst+8uwleIs1VtvhsoN+3GZE/Tjj7i/MlA debug1: checking without port identifier debug1: Host '192.168.56.4' is known and matches the ECDSA Host key. debug1: Found key in /home/michele/.ssh/known_hosts:1 debug1: found matching key w/out port debug2: set_newkeys: mode 1 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey after 134217728 blocks debug1: pubkey_prepare: ssh_get_authentication_socket: Permission denied debug2: key: /home/michele/.ssh/id_rsa ((nil)) debug2: key: /home/michele/.ssh/id_dsa ((nil)) debug2: key: /home/michele/.ssh/id_ecdsa ((nil)) debug2: key: /home/michele/.ssh/id_ed25519 ((nil)) debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521> debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1002) debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1002) debug2: we did not send a packet, disable method debug1: Next authentication method: publickey debug1: Trying private key: /home/michele/.ssh/id_rsa debug1: Trying private key: /home/michele/.ssh/id_dsa debug1: Trying private key: /home/michele/.ssh/id_ecdsa debug1: Trying private key: /home/michele/.ssh/id_ed25519 debug2: we did not send a packet, disable method debug1: Next authentication method: password michele@192.168.56.4's password: debug2: we sent a password packet, wait for reply debug1: Authentication succeeded (password). Authenticated to 192.168.56.4 ([192.168.56.4]:9001). debug1: channel 0: new [client-session] debug2: channel 0: send open debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 debug2: callback start debug2: fd 3 setting TCP_NODELAY debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug1: Sending environment. debug1: Sending env LANG = it_IT.UTF-8 debug2: channel 0: request env confirm 0 debug2: channel 0: request Shell confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: Shell request accepted on channel 0 Welcome to Ubuntu 17.10 (GNU/Linux 4.13.0-39-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 0 pacchetti possono essere aggiornati. 0 sono aggiornamenti di sicurezza. Failed to connect to http://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings Last login: Sat May 5 12:45:11 2018 from 192.168.56.5 Environment: LANG=it_IT.UTF-8 USER=michele LOGNAME=michele HOME=/home/michele PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games MAIL=/var/mail/michele Shell=/bin/bash SSH_CLIENT=192.168.56.5 60904 9001 SSH_CONNECTION=192.168.56.5 60904 192.168.56.4 9001 SSH_TTY=/dev/pts/1 TERM=xterm-256color XDG_SESSION_ID=39 XDG_RUNTIME_DIR=/run/user/1004 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1004/bus

Du côté client, il semble qu'il y ait une défaillance de GSSAPI concernant les informations d'identification. Je voudrais ssh sur mon serveur sans taper le mot de passe. Pouvez-vous m'aider s'il vous plaît? Thansk!

Sebastian Stark · Accepted Answer

Le message d'erreur indique que vous ne disposez pas d'un TGT ("Ticket Granting Ticket") valide pour l'utilisateur avec lequel vous essayez de vous connecter. Vous devez d'abord lancer "kinit". Cela tentera d’obtenir un TGT du serveur Kerberos et de le placer dans le cache du ticket (/tmp/krb5cc_1002 dans votre cas).

Vous ne devriez pas faire cela en utilisant Sudo, car cela créera le cache du ticket avec les mauvaises autorisations. Si vous l'avez fait avec Sudo, vous devez supprimer le cache du ticket avec les mauvaises autorisations (Sudo rm /tmp/krb5cc_1002) et essayer de réexécuter kinit en tant qu'utilisateur normal.

Quelque chose qui n’est pas directement lié à ce problème mais qui mérite d’être mentionné: vous n’avez pas besoin d’ajouter des utilisateurs à /etc/krb5.keytab, comme vous semblez avoir essayé en fonction de votre sortie klist -ke. Ce fichier est destiné à l'authentification hôte/service uniquement. Les utilisateurs doivent uniquement être ajoutés au serveur Kerberos (KDC).