不能使用Cygwin使用GSSAPI(Kerberos身份验证方法)进行ssh?

时间:2014-02-24 16:42:10

标签: ssh cygwin kerberos gssapi

为什么我不能使用Cygwin使用Kerberos票证ssh到主机? 这是我的配置:

    $ cat .ssh/config
Host *

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

以下是ssh尝试的内容:

$ ssh -v user@host.net
OpenSSH_3.5p1f3, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
2420: debug1: Reading configuration data /home/user/.ssh/config
2420: debug1: Rhosts Authentication disabled, originating port will not be trusted.
2420: debug1: ssh_connect: needpriv 0
2420: debug1: Connecting to host.net [xx.xx.xx.xx] port 22.
2420: debug1: Connection established.
2420: debug1: identity file /home/atanasdichev/.ssh/identity type -1
2420: debug1: identity file /home/atanasdichev/.ssh/id_rsa type -1
2420: debug1: identity file /home/atanasdichev/.ssh/id_dsa type -1
2420: debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1 FreeBSD-20100308
2420: debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
2420: debug1: Enabling compatibility mode for protocol 2.0
2420: debug1: Local version string SSH-2.0-OpenSSH_3.5p1f3
2420: debug1: Miscellaneous failure
2420: debug1: Program lacks support for encryption type
2420: debug1: SSH2_MSG_KEXINIT sent
2420: debug1: SSH2_MSG_KEXINIT received
2420: debug1: kex: server->client aes128-cbc hmac-md5 none
2420: debug1: kex: client->server aes128-cbc hmac-md5 none
2420: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
2420: debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
2420: debug1: dh_gen_key: priv key bits set: 119/256
2420: debug1: bits set: 1028/2048
2420: debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
2420: debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
2420: debug1: Host 'host.net' is known and matches the RSA host key.
2420: debug1: Found key in /home/user/.ssh/known_hosts:1
2420: debug1: bits set: 1000/2048
2420: debug1: ssh_rsa_verify: signature correct
2420: debug1: kex_derive_keys
2420: debug1: newkeys: mode 1
2420: debug1: SSH2_MSG_NEWKEYS sent
2420: debug1: waiting for SSH2_MSG_NEWKEYS
2420: debug1: newkeys: mode 0
2420: debug1: SSH2_MSG_NEWKEYS received
2420: debug1: done: ssh_kex2.
2420: debug1: send SSH2_MSG_SERVICE_REQUEST
2420: debug1: service_accept: ssh-userauth
2420: debug1: got SSH2_MSG_SERVICE_ACCEPT


                ------------- WARNING -------------
                THIS IS A PRIVATE COMPUTER SYSTEM.
                -----------------------------------

        This computer system including all related equipment,
        network devices (specifically including Internet access),
        are provided only for authorized use. All computer systems
        may be monitored for all lawful purposes, including to
        ensure that their use is authorized, for management of the
        system, to facilitate protection against unauthorized
        access, and to verify security procedures, survivability and
        operational security. Monitoring includes active attacks by
        authorized personnel and their entities to test or verify
        the security of the system. During monitoring, information
        may be examined, recorded, copied and used for authorized
        purposes. All information including personal information,
        placed on or sent over this system may be monitored. Uses of
        this system, authorized or unauthorized, constitutes consent
        to monitoring of this system. Unauthorized use may subject
        you to criminal prosecution. Evidence of any such
        unauthorized use collected during monitoring may be used for
        administrative, criminal or other adverse action. Use of
        this system constitutes consent to monitoring for these
        purposes.



2420: debug1: authentications that can continue: publickey,gssapi-with-mic
2420: debug1: next auth method to try is publickey
2420: debug1: try privkey: /home/user/.ssh/identity
2420: debug1: try privkey: /home/user/.ssh/id_rsa
2420: debug1: try privkey: /home/user/.ssh/id_dsa
2420: debug1: no more auth methods to try
2420: Permission denied (publickey,gssapi-with-mic).
2420: debug1: Calling cleanup 0x41c5a0(0x0)

好像我从来没有尝试使用gssapi-with-mic auth方法 为什么是这样 ?我需要在krb5.conf文件中指定什么? 感谢

2 个答案:

答案 0 :(得分:2)

OpenSSH需要GSSAPI和libkrb5库来支持Kerberos。 Windows也没有提供,因此为了使其完全正常工作,您需要安装Cytwin版本的MIT Kerberos或Heimdal,并且它们不会自动使用Windows本机Kerberos系统获取的凭据。您需要明确使用“kinit”来获取Kerberos凭证(TGT)。

krb5.conf中没有单一的配方。 Kerberos很复杂,有很多可能性 - 它取决于您周围的基础设施。一个非常简单的起点可能是:

[libdefaults]
    default_realm = FOO.COM
[realms]
FOO.COM = {
    kdc = kdc.foo.com
}

[libdefaults] default_realm = FOO.COM [realms] FOO.COM = { kdc = kdc.foo.com }

此处您的单个Kerberos领域是FOO.COM,而领域的KDC(Kerberos身份验证服务器)是kdc.foo.com。如果客户端存在,最好让客户端通过DNS SRV记录找到KDC。

使用kinit进行身份验证,然后使用klist查看您的凭据。

这些消息:

2420: debug1: Miscellaneous failure 2420: debug1: Program lacks support for encryption type

...告诉我你可能已经有了部分或全部这些。我最初的猜测是你有一个TGT,但是它使用了一个会话密钥加密类型,你安装的Kerberos版本不支持(或者链接ssh.exe,可能会有所不同)。我注意到OpenSSH客户端版本(3.5)已经很老了。如今的Windows更喜欢AES-256;也许你的Kerberos版本不支持这个新的密码。这只是一个猜测;我们需要更多信息。发布klist -ef的输出,以及来自ssh(-vvv)的更详细。

答案 1 :(得分:0)

一个老问题,但是最近我在Windows 10上使用Cygwin遇到了类似的问题。 在Cygwin中同时安装了 openssh krb5-workstation 之后,将其保存在我的.shh / config中:

Host "HostID"
  HostName "HostName"
  User "UserName"
  PreferredAuthentications gssapi-with-mic
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  # GSSAPIKeyExchange yes

最后一行是我不需要的选项,但在某些情况下可能是必需的。

请注意,Cygwin有时默认为openssh的Windows安装(如果存在),有时可能需要显式运行/usr/bin/sshusr/bin/kinit才能使用正确的版本。例如,先运行/usr/bin/kinit -f "UserName"@xxx.com(与上面的配置文件中的用户名匹配),然后运行/usr/bin/shh "HostID"(与config中的host-id匹配)。