How to configure sshd to use kerberos

Misekayek0l · January 31, 2024, 11:33pm

I have already some KDC server in a machine at 192.168.0.3, but want to setup sshd authentication with kerberos in a machine at 192.168.0.111 which is running OpenSUSE Leap 15.5, but all of my research is not clear the best I found is this IBM document IBM Documentation

NOTE: I want to login from a machine at 192.168.0.201 to a machine at 192.168.0.111 with kerberos using a KDC at 192.168.0.3

mhurron · February 1, 2024, 1:27am

That document is for AIX so that’s not going to help you. You’re typically not going to find one document because there are a bunch of steps and configureing the KDC, the server host and the client are all nice long documents themselves.

Short steps are -
Setup DNS
configure time synchronization on the KDC
Create a service principal for either host/ or sshd/ on the KDC
extract that keytab and place it on the sshd server
configure the sshd server to use GSSAPI for auth
configure pam to use pam_krb5
configure krb5.conf on the sshd host
configure time synchronization on the sshd host
configure krb5.conf on the client
configure time synchronization on the client
configure the client to use GSSAPI
configure the pam on the client host to request a kerberos ticket

All of that assumes you want to just use somewhat raw krb5. You could also choose to use sssd which would be a very different set of steps though some of which are the same as above.

SSH Keys are far simpler if you just want auth between two hosts.

Misekayek0l · February 1, 2024, 1:54am

What is sssd?

Misekayek0l · February 1, 2024, 1:54am

I already have the DNS, Time syncronization, and a KDC server

arvidjaar · February 1, 2024, 7:00am

If you already have Kerberos infrastructure setup, you just need to allow Kerberos on
server and client (GSSAPIAuthentication in sshd_config and ssh_config).

Misekayek0l · February 27, 2024, 9:53pm

Just make the entire checklist and configured the kerberos KDC but after login in kerberos with my admin principal end then running ssh against the test machine I still asks for a password

mhurron · February 28, 2024, 1:46am

and ssh -vvv says what?

Is the user on the target ssh machine the same name as the kerberos admin? Assuming you have admin@domain, is admin a user on that system? Typically you’re not sshing around as the admin.

Misekayek0l · February 28, 2024, 2:10am

ssh -vvv root@sql.intranet.domain
OpenSSH_8.4p1, OpenSSL 1.1.1l-fips  24 Aug 2021 SUSE release 150500.17.22.1
debug1: Reading configuration data /home/USER_NAME/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/USER_NAME/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/USER_NAME/.ssh/known_hosts2'
debug2: resolving "sql.intranet.domain" port 22
debug2: ssh_connect_direct
debug1: Connecting to sql.intranet.domain [192.168.0.112] port 22.
debug1: Connection established.
debug1: identity file /home/USER_NAME/.ssh/id_rsa type -1
debug1: identity file /home/USER_NAME/.ssh/id_rsa-cert type -1
debug1: identity file /home/USER_NAME/.ssh/id_dsa type -1
debug1: identity file /home/USER_NAME/.ssh/id_dsa-cert type -1
debug1: identity file /home/USER_NAME/.ssh/id_ecdsa type -1
debug1: identity file /home/USER_NAME/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/USER_NAME/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/USER_NAME/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/USER_NAME/.ssh/id_ed25519 type 3
debug1: identity file /home/USER_NAME/.ssh/id_ed25519-cert type -1
debug1: identity file /home/USER_NAME/.ssh/id_ed25519_sk type -1
debug1: identity file /home/USER_NAME/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/USER_NAME/.ssh/id_xmss type -1
debug1: identity file /home/USER_NAME/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to sql.intranet.domain:22 as 'root'
debug3: hostkeys_foreach: reading file "/home/USER_NAME/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/USER_NAME/.ssh/known_hosts:25
debug3: load_hostkeys: loaded 1 keys from sql.intranet.domain
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,null
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:hnChuFaSSeFgZI6R+Ga1RoKZDgFqSx5I7DJuKxNo68Q
debug3: hostkeys_foreach: reading file "/home/USER_NAME/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/USER_NAME/.ssh/known_hosts:25
debug3: load_hostkeys: loaded 1 keys from sql.intranet.domain
debug3: hostkeys_foreach: reading file "/home/USER_NAME/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/USER_NAME/.ssh/known_hosts:25
debug3: load_hostkeys: loaded 1 keys from 192.168.0.112
debug1: Host 'sql.intranet.domain' is known and matches the ECDSA host key.
debug1: Found key in /home/USER_NAME/.ssh/known_hosts:25
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/USER_NAME/.ssh/id_rsa
debug1: Will attempt key: /home/USER_NAME/.ssh/id_dsa
debug1: Will attempt key: /home/USER_NAME/.ssh/id_ecdsa
debug1: Will attempt key: /home/USER_NAME/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/USER_NAME/.ssh/id_ed25519 ED25519 SHA256:JjeQnEJb7nm13W46edAgER0NWlKc1Rk+n04MISoI0B4
debug1: Will attempt key: /home/USER_NAME/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/USER_NAME/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/USER_NAME/.ssh/id_rsa
debug3: no such identity: /home/USER_NAME/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/USER_NAME/.ssh/id_dsa
debug3: no such identity: /home/USER_NAME/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/USER_NAME/.ssh/id_ecdsa
debug3: no such identity: /home/USER_NAME/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/USER_NAME/.ssh/id_ecdsa_sk
debug3: no such identity: /home/USER_NAME/.ssh/id_ecdsa_sk: No such file or directory
debug1: Offering public key: /home/USER_NAME/.ssh/id_ed25519 ED25519 SHA256:JjeQnEJb7nm13W46edAgER0NWlKc1Rk+n04MISoI0B4
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Trying private key: /home/USER_NAME/.ssh/id_ed25519_sk
debug3: no such identity: /home/USER_NAME/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/USER_NAME/.ssh/id_xmss
debug3: no such identity: /home/USER_NAME/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

mhurron · February 28, 2024, 4:03am

Misekayek0l:

debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method

Kerberos just failed, the server didn’t respond to the attempt.

Run the server side in debug with sshd -ddd

Misekayek0l · February 28, 2024, 4:25am

mariadb:~ # /usr/sbin/sshd -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 532
debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 532
debug3: /etc/ssh/sshd_config:32 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:41 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:57 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:70 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:71 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:73 setting GSSAPIKeyExchange yes
debug3: /etc/ssh/sshd_config:84 setting UsePAM yes
debug3: /etc/ssh/sshd_config:89 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:100 setting UseDNS yes
debug3: /etc/ssh/sshd_config:111 setting Subsystem sftp /usr/lib/ssh/sftp-server
debug3: /etc/ssh/sshd_config:114 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:115 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:116 setting AcceptEnv LC_IDENTIFICATION LC_ALL
debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1l  24 Aug 2021 SUSE release 150500.15.1
debug1: private host key #0: ssh-rsa SHA256:NIMBh7hfnYYyYrxiBwJftTicabfCqu0WV3kvCOKi8Fw
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:hnChuFaSSeFgZI6R+Ga1RoKZDgFqSx5I7DJuKxNo68Q
debug1: private host key #2: ssh-ed25519 SHA256:EDHzLn895g3Q3FT6VJLVWgtqsXEfvbV87XtJVrCNeP4
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 532
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 532
debug3: rexec:32 setting PermitRootLogin yes
debug3: rexec:41 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: rexec:57 setting PasswordAuthentication no
debug3: rexec:70 setting GSSAPIAuthentication yes
debug3: rexec:71 setting GSSAPICleanupCredentials yes
debug3: rexec:73 setting GSSAPIKeyExchange yes
debug3: rexec:84 setting UsePAM yes
debug3: rexec:89 setting X11Forwarding yes
debug3: rexec:100 setting UseDNS yes
debug3: rexec:111 setting Subsystem sftp        /usr/lib/ssh/sftp-server
debug3: rexec:114 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: rexec:115 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: rexec:116 setting AcceptEnv LC_IDENTIFICATION LC_ALL
debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1l  24 Aug 2021 SUSE release 150500.15.1
debug1: private host key #0: ssh-rsa SHA256:NIMBh7hfnYYyYrxiBwJftTicabfCqu0WV3kvCOKi8Fw
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:hnChuFaSSeFgZI6R+Ga1RoKZDgFqSx5I7DJuKxNo68Q
debug1: private host key #2: ssh-ed25519 SHA256:EDHzLn895g3Q3FT6VJLVWgtqsXEfvbV87XtJVrCNeP4
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.0.201 port 39976 on 192.168.0.112 port 22 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 4 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 12979
debug3: preauth child monitor started
debug3: privsep user:group 493:478 [preauth]
debug1: permanently_set_uid: 493/478 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: mm_request_send entering: type 42 [preauth]
debug3: mm_request_receive_expect entering: type 43 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 42
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No key table entry found matching host/mariadb@


debug3: mm_request_send entering: type 43
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c,kex-strict-c-v00@openssh.com [preauth]
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,null [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: curve25519-sha256 need=64 dh_need=64 [preauth]
debug3: mm_request_send entering: type 120 [preauth]
debug3: mm_request_receive_expect entering: type 121 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 120
debug3: mm_request_send entering: type 121
debug1: kex: curve25519-sha256 need=64 dh_need=64 [preauth]
debug3: mm_request_send entering: type 120 [preauth]
debug3: mm_request_receive_expect entering: type 121 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 120
debug3: mm_request_send entering: type 121
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug3: mm_sshkey_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: KEX signature 0x5593d9566a40(100)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug3: send packet: type 7 [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug3: receive packet: type 21 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug3: receive packet: type 5 [preauth]
debug3: send packet: type 6 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user root service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 192.168.0.201.
debug2: parse_server_config_depth: config reprocess config len 532
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for root [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send entering: type 100 [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 8012.906ms, delaying 7520.998ms (requested 7.585ms) [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "192.168.0.201"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: mm_request_send entering: type 42 [preauth]
debug3: mm_request_receive_expect entering: type 43 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 42
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No key table entry found matching host/mariadb@


debug3: mm_request_send entering: type 43
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 1.589ms, delaying 5.996ms (requested 7.585ms) [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 0 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 0.049ms, delaying 7.536ms (requested 7.585ms) [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 3 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug2: userauth_pubkey: valid user root querying public key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID3JVldjU1Z/63atWlfPUESKo5V4EDT6tMhwYRQl8Bxg [preauth]
debug1: userauth_pubkey: test pkalg ssh-ed25519 pkblob ED25519 SHA256:JjeQnEJb7nm13W46edAgER0NWlKc1Rk+n04MISoI0B4 [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x5593d9589750
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication test: ED25519 key is not allowed
Failed publickey for root from 192.168.0.201 port 39976 ssh2: ED25519 SHA256:JjeQnEJb7nm13W46edAgER0NWlKc1Rk+n04MISoI0B4
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 16.266ms, delaying 14.073ms (requested 7.585ms) [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 4 failures 1 [preauth]
debug2: input_userauth_request: try method keyboard-interactive [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=root devs= [preauth]
debug1: kbdint_alloc: devices 'pam' [preauth]
debug2: auth2_challenge_start: devices pam [preauth]
debug2: kbdint_next_device: devices <empty> [preauth]
debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
debug3: mm_sshpam_init_ctx [preauth]
debug3: mm_request_send entering: type 104 [preauth]
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth]
debug3: mm_request_receive_expect entering: type 105 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 104
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug2: sshpam_init_ctx: auth information in SSH_AUTH_INFO_0
debug3: mm_request_send entering: type 105
debug2: monitor_read: 104 used once, disabling now
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: mm_sshpam_query [preauth]
debug3: mm_request_send entering: type 106 [preauth]
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
debug3: mm_request_receive_expect entering: type 107 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 106
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 107
debug3: mm_sshpam_query: pam_query returned 0 [preauth]
debug3: send packet: type 60 [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 6.824ms, delaying 0.761ms (requested 7.585ms) [preauth]

arvidjaar · February 28, 2024, 4:33am

You said you configured Kerberos and you apparently did not. Your SSH server host needs keytab entry for your host principal.

Misekayek0l · February 28, 2024, 4:34am

it has a keytab entry for host/sql…

arvidjaar · February 28, 2024, 7:52am

If you insist on using some random client side host alias you may try setting sshd option

GSSAPIStrictAcceptorCheck=no

Misekayek0l · February 28, 2024, 2:43pm

Anyway I changed the hostname of the machine for the one the DNS is advertising, everything worked, just hate to add the athorized principals to ~/.k5login

Misekayek0l · February 28, 2024, 2:44pm

There is a way to automate the provisioning of every new machine of my network to add their principal to the network and extract their key to the respective machines?

mhurron · February 28, 2024, 3:49pm

For using raw kerberos you’re on your own. For anything else you would be looking at a whole IAM solution like FreeIPA, Samba AD or a Windows AD.

arvidjaar · February 28, 2024, 6:06pm

ansible, chef, terraform, puppet, saltstack … pick your choice.

system · March 29, 2024, 6:06pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.