Good day, gentlemen.
I am trying to integrate MIT Kerberos with OpenSSH.
Kerberos itself is fine: it finds the user and issues tickets. I also tried obtaining tickets from another machine, and that works too; the Kerberos service is working properly, but pam_krb5 refuses to recognize users from the Kerberos environment.
First, the tickets:
sso:~ # kinit test@DOMAIN.ORG.RU
Password for test@DOMAIN.ORG.RU:
sso:~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@DOMAIN.ORG.RU
Valid starting Expires Service principal
12/23/09 10:57:55 12/23/09 11:07:55 krbtgt/DOMAIN.ORG.RU@DOMAIN.ORG.RU
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Now on to the ssh logs:
user@host10-30:~> ssh -v test@sso.domain.org.ru
OpenSSH_5.1p1, OpenSSL 0.9.8h 28 May 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to sso.domain.org.ru [192.168.10.250] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0
debug1: match: OpenSSH_5.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'sso.domain.org.ru' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:35
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
Password:
Meanwhile, in /var/log/messages on the server sso.domain.org.ru:
Dec 23 10:59:37 sso sshd[3367]: reverse mapping checking getaddrinfo for host2-30.domain.org.ru [192.168.2.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 23 10:59:37 sso sshd[3367]: Invalid user test from 192.168.10.30
Dec 23 10:59:39 sso sshd[3372]: pam_krb5[3372]: error resolving user name 'test' to uid/gid pair
Dec 23 10:59:39 sso sshd[3372]: pam_krb5[3372]: error getting information about 'test'
Dec 23 10:59:39 sso sshd[3367]: error: PAM: Authentication failure for illegal user test from 192.168.10.30
Dec 23 10:59:39 sso sshd[3367]: Failed keyboard-interactive/pam for invalid user test from 192.168.10.30 port 53892 ssh2
In /etc/ssh/sshd_config the following lines are uncommented:
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
What else should I check? I can't figure out what I'm doing wrong.
P.S. openSUSE 11.0
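
Added example, not part of the original post: the sshd message "Invalid user test" and the pam_krb5 message "error resolving user name 'test' to uid/gid pair" both report that the account name lookup failed on the server, which is independent of whether the KDC issues tickets. The script below, meant to be run on the SSH server, pulls such user names out of the log and checks whether each one resolves through NSS; the function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.

# Two of the /var/log/messages lines quoted in the post above.
SAMPLE_LOG="Dec 23 10:59:37 sso sshd[3367]: Invalid user test from 192.168.10.30
Dec 23 10:59:39 sso sshd[3372]: pam_krb5[3372]: error resolving user name 'test' to uid/gid pair"

# Read syslog text on stdin; print each user name that sshd or pam_krb5
# reported as having no account entry, once.
unresolved_users() {
    sed -n \
        -e "s/.*sshd\[[0-9]*\]: Invalid user \([^ ]*\) from .*/\1/p" \
        -e "s/.*pam_krb5\[[0-9]*\]: error resolving user name '\([^']*\)' to uid\/gid pair.*/\1/p" \
    | sort -u
}

# True when the name maps to a uid through NSS (files, LDAP, NIS, ...).
# A Kerberos principal in the KDC database does not create such an entry.
account_resolves() {
    id -u "$1" >/dev/null 2>&1
}

# $1 = log text. Print one verdict line per user named in the failures.
diagnose() {
    printf '%s\n' "$1" | unresolved_users | while IFS= read -r u; do
        [ -n "$u" ] || continue
        if account_resolves "$u"; then
            echo "$u: resolves now; the log entry predates the account or NSS change"
        else
            echo "$u: no passwd entry via NSS; add the account (local, LDAP or NIS) before testing pam_krb5 again"
        fi
    done
}

diagnose "$SAMPLE_LOG"
```

To check a live system, pass the real log text instead of the sample, for example `diagnose "$(grep sshd /var/log/messages)"`.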