SSH com o Kerberos Auth não funciona

Navegue suas respostas
0

Estou tentando fazer login na minha VM do Linux com SSH usando a autenticação do kerberos.

Minha VM do Linux entrou com sucesso no meu AD usando o método realmd / sssd.

Alterei minhas configurações do sshd_config para: 

PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes

No lado do cliente, o Mac OS 10.12, .ssh / config contém: 

GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIDelegateCredentials yes

Quando eu ssh meu Linux VM com -v, aqui está a saída: 

OpenSSH_7.5p1, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /Users/alex/.ssh/config
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug1: Connecting to plex [192.168.1.23] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/alex/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Remote protocol version 2.0, remote software version 
OpenSSH_7.4p1 Debian-10+deb9u2
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u2 pat OpenSSH* compat 
0x04000000
debug1: Authenticating to plex:22 as 'alex'
debug1:  An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14

debug1:  Miscellaneous failure (see text)
unknown mech-code 2 for mech 1 3 6 1 4 1 311 2 2 10

debug1:  An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5

debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 
SHA256:gLapxwxzqzjnfD7CZhnkEkcVeWRPUeh1XnCwKzV8YMs
debug1: Host 'plex' is known and matches the ECDSA host key.
debug1: Found key in /Users/alex/.ssh/known_hosts:2 
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1:  Miscellaneous failure (see text)
The ticket isn't for us

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1:  An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14

debug1:  Miscellaneous failure (see text) 
unknown mech-code 2 for mech 1 3 6 1 4 1 311 2 2 10

debug1:  An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7

debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5

debug1: Next authentication method: publickey
debug1: Trying private key: /Users/alex/.ssh/id_rsa
debug1: Trying private key: /Users/alex/.ssh/id_dsa
debug1: Trying private key: /Users/alex/.ssh/id_ecdsa
debug1: Trying private key: /Users/alex/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive 
Password:

E depois pede senha ...

Estou fazendo algo errado?

/ etc / sssd / sssd / conf é: 

[sssd]
domains = home.lan
config_file_version = 2
services = nss, pam, ssh

[domain/home.lan]
ad_domain = home.lan
id_provider = ad
access_provider = ad

krb5_realm = HOME.LAN
realmd_tags = joined-with-adcli 
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u

Thanx !!

    
por jaydee99 05.01.2018 / 19:40

1 resposta

1

Você consegue verificar com êxito as informações da conta de domínio usando 

id username@domain

Além disso, verifique a saída de 

realm discover domain

Observe que isso deve mostrar a saída se sua máquina Linux for um membro do kerberos: 

[root@linuxVM ~]# realm discover domain.dom
domain.dom
  **type: kerberos**
  realm-name: DOMAIN.DOM
  domain-name: domain.dom
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

E espero que você esteja tentando fazer login como este: 

ssh [email protected]

Se o kerberos memeber não estiver sendo listado, você pode usar o seguinte para juntar novamente: 

realm join domain.dom -U [email protected]

E, em seguida, ative o login do SSSD usando o seguinte: 

authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

Reinicie os serviços realmd e sssd.

Note que fazendo isso, todos os usuários do domínio poderão fazer o login no servidor Linux. Você pode negar tudo e ativar o login específico do grupo, mas vou deixar isso para você. 

#Deny login to everyone using below:
realm deny --all

#Permit specific AD Groups:
realm permit -g [email protected]
    
por 15.01.2018 / 14:18

Tags

Como preencher e visualizar apenas uma substring da tabela ip Logs com tailf e sed? Como fazer a sintaxe do regex do sed funcionar como python ou javascript? [duplicado]