Kerberos Problem

problem

Login requires password every time.

Error message from ssh is:

debug1: Miscellaneous failure
Server not found in Kerberos database

Everything else seems to be OK, including the firewall (UDP) and DNS; the supporting information follows below.

solution

UPDATE: Accidentally I stumbled upon a solution to my problem: if I have mire.hcoop.net in /etc/hosts, everything works just fine. I have absolutely no idea why...
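As an added illustration (not from this page, and not the author's own diagnosis), the following Python models how an MIT Kerberos/GSSAPI client builds the host-based service principal for `ssh mire.hcoop.net`: the name is forward-resolved and, with the default `rdns = true`, reverse-resolved, and the resulting `host/<name>@REALM` is what the KDC must know; because the resolver consults /etc/hosts before DNS in both directions, a hosts entry pins that name. It assumes a PTR record that differs from the forward name and a keytab holding host/mire.hcoop.net@HCOOP.NET; both are constructed, only the A record and the HCOOP.NET realm come from the page.

```python
# Added example (not from the page): model of how an MIT Kerberos/GSSAPI client
# turns "ssh mire.hcoop.net" into the service principal it asks the KDC for.
# Constructed data: the PTR name and the keytab; the A record and realm are the page's.

DNS_FORWARD = {"mire.hcoop.net": "69.90.123.68"}       # A record from the dig output
DNS_REVERSE = {"69.90.123.68": "mire-eth0.hcoop.net"}  # constructed PTR, differs from A name
DOMAIN_REALM = {".mit.edu": "ATHENA.MIT.EDU", "mit.edu": "ATHENA.MIT.EDU"}  # krb5.conf subset
KEYTAB = {"host/mire.hcoop.net@HCOOP.NET"}             # constructed: principal sshd on mire has

def canonical_host(name, hosts, rdns=True):
    """sname_to_principal() model: /etc/hosts is consulted before DNS, both directions."""
    name = name.rstrip(".").lower()
    ip = hosts.get(name) or DNS_FORWARD.get(name)
    if ip is None:
        raise LookupError(f"cannot resolve {name}")
    if not rdns:                       # libdefaults rdns = false: keep the typed name
        return name
    for hname, hip in hosts.items():   # reverse lookup: hosts entry for the IP answers first
        if hip == ip:
            return hname
    return DNS_REVERSE.get(ip, name)   # then the DNS PTR record

def realm_for(host, domain_realm=DOMAIN_REALM):
    """[domain_realm] lookup: exact host, then each parent domain; else uppercase parent."""
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return ".".join(labels[1:]).upper()

def service_principal(name, hosts, rdns=True):
    host = canonical_host(name, hosts, rdns)
    return f"host/{host}@{realm_for(host)}"

def kdc_has_principal(name, hosts, rdns=True):
    """False is the client-side view of 'Server not found in Kerberos database'."""
    return service_principal(name, hosts, rdns) in KEYTAB

if __name__ == "__main__":
    pinned = {"mire.hcoop.net": "69.90.123.68"}        # the /etc/hosts line that fixed it
    for label, hosts, rdns in (("DNS only", {}, True),
                               ("/etc/hosts entry", pinned, True),
                               ("rdns = false", {}, False)):
        p = service_principal("mire.hcoop.net", hosts, rdns)
        print(f"{label:17} -> {p}  {'ok' if p in KEYTAB else 'not in KDC'}")
```

When the first and second lines print different principals, comparing the PTR record of the server's address (`dig -x`) with its forward name is the check to run on a real system.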

kinit, klist, ssh

% kinit pink@HCOOP.NET                                                                                                                                    [pink@hugin: ~]
Password for pink@HCOOP.NET: 
% klist                                                                                                                                                   [pink@hugin: ~]
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: pink@HCOOP.NET

Valid starting     Expires            Service principal
01/28/08 19:56:37  01/29/08 05:56:37  krbtgt/HCOOP.NET@HCOOP.NET
        renew until 01/29/08 19:56:09


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
% ssh -vvv -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' pink@mire.hcoop.net                                                           [pink@hugin: ~]
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /home/pink/.ssh/config
debug3: cipher ok: arcfour [arcfour,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,3des-cbc]
debug3: cipher ok: aes128-cbc [arcfour,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,3des-cbc]
debug3: cipher ok: blowfish-cbc [arcfour,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,3des-cbc]
debug3: cipher ok: cast128-cbc [arcfour,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,3des-cbc]
debug3: cipher ok: aes192-cbc [arcfour,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,3des-cbc]
debug3: cipher ok: aes256-cbc [arcfour,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,3des-cbc]
debug3: cipher ok: 3des-cbc [arcfour,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,3des-cbc]
debug3: ciphers ok: [arcfour,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,3des-cbc]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to mire.hcoop.net [69.90.123.68] port 22.
debug1: Connection established.
debug1: identity file /home/pink/.ssh/identity type 0
debug1: identity file /home/pink/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /home/pink/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/pink/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9
debug1: match: OpenSSH_4.3p2 Debian-9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9
debug2: fd 3 setting O_NONBLOCK
debug1: Miscellaneous failure
Server not found in Kerberos database

debug1: Miscellaneous failure
Server not found in Kerberos database

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: arcfour,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: kex_parse_kexinit: arcfour,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client arcfour hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server arcfour hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 526/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/pink/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 11
debug3: check_host_in_hostfile: filename /home/pink/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 12
debug1: Host 'mire.hcoop.net' is known and matches the RSA host key.
debug1: Found key in /home/pink/.ssh/known_hosts:11
debug2: bits set: 500/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/pink/.ssh/id_dsa (0x8095480)
debug2: key: /home/pink/.ssh/id_rsa ((nil))
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Miscellaneous failure
Server not found in Kerberos database

debug1: Trying to start again
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: 

general information

udp to hcoop

% traceroute deleuze.hcoop.net                                                                                                                            [pink@hugin: ~]
traceroute to deleuze.hcoop.net (69.90.123.67), 30 hops max, 40 byte packets
 1  lo1.boanxx19.ip.tele.dk (80.166.138.169)  12.196 ms  12.309 ms  12.514 ms
 2  ge1-2-50.1000M.boanxg4.ip.tele.dk (83.88.9.193)  18.135 ms  10.559 ms  17.004 ms
 3  pos0-1-1-0.2488M.boanqh1.ip.tele.dk (83.88.12.41)  31.490 ms  33.757 ms  30.020 ms
 4  pos4-0-0.9952M.ldn2nxg1.ip.tele.dk (83.88.12.118)  30.320 ms  32.734 ms  29.092 ms
 5  linx-gw1.peer1.net (195.66.224.156)  28.811 ms  28.749 ms  28.809 ms
 6  216.187.115.33 (216.187.115.33)  119.865 ms  119.221 ms  118.657 ms
 7  oc48-po3-0.nyc-75bre-dis-1.peer1.net (216.187.115.134)  123.349 ms  121.390 ms  118.221 ms
 8  216.187.115.170 (216.187.115.170)  118.718 ms  120.127 ms  119.942 ms
 9  deleuze.hcoop.net (69.90.123.67)  119.886 ms  119.155 ms  124.326 ms

Shorewall rule:

# accept from hcoop.net (deleuze, mire)
ACCEPT  net:69.90.123.67,69.90.123.68   fw all

All connections out are allowed (and it does not change anything if I shut down shorewall).

krb5.conf

The Debian default, with the DNS lookup settings from the hcoop wiki inserted:

[libdefaults]
#       default_realm =
  dns_lookup_kdc   = true
  dns_lookup_realm = true

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

#       default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = vice28.fs.andrew.cmu.edu
                kdc = vice2.fs.andrew.cmu.edu
                kdc = vice11.fs.andrew.cmu.edu
                kdc = vice12.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementia.org
                kdc = kerberos2.dementia.org
                admin_server = kerberos.dementia.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu

[login]
        krb4_convert = true
        krb4_get_tickets = false


dns

% dig mire.hcoop.net                                        [pink@hugin: ~/.ssh]

; <<>> DiG 9.3.4 <<>> mire.hcoop.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34485
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;mire.hcoop.net.                        IN      A

;; ANSWER SECTION:
mire.hcoop.net.         64602   IN      A       69.90.123.68

;; AUTHORITY SECTION:
hcoop.net.              165068  IN      NS      ns4.hcoop.net.
hcoop.net.              165068  IN      NS      ns.hcoop.net.

;; ADDITIONAL SECTION:
ns.hcoop.net.           82160   IN      A       64.20.38.170
ns4.hcoop.net.          168148  IN      A       69.90.123.70

;; Query time: 38 msec
;; SERVER: 193.162.153.164#53(193.162.153.164)
;; WHEN: Mon Jan 28 20:48:00 2008
;; MSG SIZE  rcvd: 115

% dig -t SRV _kerberos._udp.hcoop.net                                                                                                                     [pink@hugin: ~]

; <<>> DiG 9.3.4 <<>> -t SRV _kerberos._udp.hcoop.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45453
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_kerberos._udp.hcoop.net.      IN      SRV

;; ANSWER SECTION:
_kerberos._udp.hcoop.net. 75676 IN      SRV     1 0 88 kerberos1.hcoop.net.
_kerberos._udp.hcoop.net. 75676 IN      SRV     1 0 88 kerberos2.hcoop.net.

;; AUTHORITY SECTION:
hcoop.net.              162077  IN      NS      ns4.hcoop.net.
hcoop.net.              162077  IN      NS      ns.hcoop.net.

;; ADDITIONAL SECTION:
ns.hcoop.net.           162077  IN      A       64.20.38.170
ns4.hcoop.net.          165927  IN      A       69.90.123.70

;; Query time: 22 msec
;; SERVER: 193.162.153.164#53(193.162.153.164)
;; WHEN: Mon Jan 28 19:35:01 2008
;; MSG SIZE  rcvd: 187