为什么我不能使用 Cygwin ssh 到带有 Kerberos 票证的主机?
这是我的配置:
$ cat .ssh/config
Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
这是我在 ssh 尝试中得到的结果:
$ ssh -v user@host.net
OpenSSH_3.5p1f3, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
2420: debug1: Reading configuration data /home/user/.ssh/config
2420: debug1: Rhosts Authentication disabled, originating port will not be trusted.
2420: debug1: ssh_connect: needpriv 0
2420: debug1: Connecting to host.net [xx.xx.xx.xx] port 22.
2420: debug1: Connection established.
2420: debug1: identity file /home/atanasdichev/.ssh/identity type -1
2420: debug1: identity file /home/atanasdichev/.ssh/id_rsa type -1
2420: debug1: identity file /home/atanasdichev/.ssh/id_dsa type -1
2420: debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1 FreeBSD-20100308
2420: debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
2420: debug1: Enabling compatibility mode for protocol 2.0
2420: debug1: Local version string SSH-2.0-OpenSSH_3.5p1f3
2420: debug1: Miscellaneous failure
2420: debug1: Program lacks support for encryption type
2420: debug1: SSH2_MSG_KEXINIT sent
2420: debug1: SSH2_MSG_KEXINIT received
2420: debug1: kex: server->client aes128-cbc hmac-md5 none
2420: debug1: kex: client->server aes128-cbc hmac-md5 none
2420: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
2420: debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
2420: debug1: dh_gen_key: priv key bits set: 119/256
2420: debug1: bits set: 1028/2048
2420: debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
2420: debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
2420: debug1: Host 'host.net' is known and matches the RSA host key.
2420: debug1: Found key in /home/user/.ssh/known_hosts:1
2420: debug1: bits set: 1000/2048
2420: debug1: ssh_rsa_verify: signature correct
2420: debug1: kex_derive_keys
2420: debug1: newkeys: mode 1
2420: debug1: SSH2_MSG_NEWKEYS sent
2420: debug1: waiting for SSH2_MSG_NEWKEYS
2420: debug1: newkeys: mode 0
2420: debug1: SSH2_MSG_NEWKEYS received
2420: debug1: done: ssh_kex2.
2420: debug1: send SSH2_MSG_SERVICE_REQUEST
2420: debug1: service_accept: ssh-userauth
2420: debug1: got SSH2_MSG_SERVICE_ACCEPT
------------- WARNING -------------
THIS IS A PRIVATE COMPUTER SYSTEM.
-----------------------------------
This computer system including all related equipment,
network devices (specifically including Internet access),
are provided only for authorized use. All computer systems
may be monitored for all lawful purposes, including to
ensure that their use is authorized, for management of the
system, to facilitate protection against unauthorized
access, and to verify security procedures, survivability and
operational security. Monitoring includes active attacks by
authorized personnel and their entities to test or verify
the security of the system. During monitoring, information
may be examined, recorded, copied and used for authorized
purposes. All information including personal information,
placed on or sent over this system may be monitored. Uses of
this system, authorized or unauthorized, constitutes consent
to monitoring of this system. Unauthorized use may subject
you to criminal prosecution. Evidence of any such
unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of
this system constitutes consent to monitoring for these
purposes.
2420: debug1: authentications that can continue: publickey,gssapi-with-mic
2420: debug1: next auth method to try is publickey
2420: debug1: try privkey: /home/user/.ssh/identity
2420: debug1: try privkey: /home/user/.ssh/id_rsa
2420: debug1: try privkey: /home/user/.ssh/id_dsa
2420: debug1: no more auth methods to try
2420: Permission denied (publickey,gssapi-with-mic).
2420: debug1: Calling cleanup 0x41c5a0(0x0)
似乎我从未尝试过 gssapi-with-mic 身份验证方法
为什么是这样 ?我需要在 krb5.conf 文件中指定什么?
谢谢
最佳答案
OpenSSH 需要 GSSAPI 和 libkrb5 库来支持 Kerberos。 Windows 也没有提供,所以为了让它工作,你需要安装 MIT Kerberos 或 Heimdal 的 Cygwin 版本,并且它们不会自动使用 Windows 本地 Kerberos 系统获取的凭据;您将需要明确使用“kinit”来获取 Kerberos 凭证 (TGT)。 2420: debug1: Miscellaneous failure
2420: debug1: Program lacks support for encryption type
krb5.conf 中的内容没有单一的配方; Kerberos 很复杂并且有很多可能性——这取决于您周围的基础设施。一个非常简单的起点可能是:
[libdefaults]
default_realm = FOO.COM
[realms]
FOO.COM = {
kdc = kdc.foo.com
}
此处,您的单个 Kerberos 领域是 FOO.COM,该领域的 KDC(Kerberos 身份验证服务器)是 kdc.foo.com。最好让客户端可以通过 DNS SRV 记录定位 KDC(如果它们存在)。
使用 kinit 进行身份验证,然后使用 klist 查看您的凭据。
这些消息:
... 向我建议您可能已经具备了部分或全部功能。我最初的猜测是您有一个 TGT,但它使用的 session key 加密类型不受您安装的 Kerberos 版本支持(或链接的 ssh.exe 版本不支持,这可能不同)。我注意到 OpenSSH 客户端版本 (3.5) 已经很旧了。现在的 Windows 更喜欢 AES-256;也许您的 Kerberos 版本不支持这种较新的密码。不过,这只是一个猜测;我们需要更多信息。发布 klist -ef 的输出,以及来自 ssh (-vvv) 的更多详细信息。
关于ssh - 不能使用 Cygwin 使用 GSSAPI(Kerberos 身份验证方法)ssh 吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/21993649/