Can';使用GSSAPI(Kerberos身份验证方法)和Cygwin实现ssh?
为什么我不能使用Cygwin使用Kerberos票证ssh到主机? 这是我的配置:Can';使用GSSAPI(Kerberos身份验证方法)和Cygwin实现ssh?,ssh,cygwin,kerberos,gssapi,Ssh,Cygwin,Kerberos,Gssapi,为什么我不能使用Cygwin使用Kerberos票证ssh到主机? 这是我的配置: $ cat .ssh/config Host * GSSAPIAuthentication yes GSSAPIDelegateCredentials yes 以下是我在ssh尝试中得到的结果: $ ssh -v user@host.net OpenSSH_3.5p1f3, SSH protocols 1.5/2.0, OpenSSL 0x0090702f 2420: debug1: Reading
$ cat .ssh/config
Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
$ ssh -v user@host.net
OpenSSH_3.5p1f3, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
2420: debug1: Reading configuration data /home/user/.ssh/config
2420: debug1: Rhosts Authentication disabled, originating port will not be trusted.
2420: debug1: ssh_connect: needpriv 0
2420: debug1: Connecting to host.net [xx.xx.xx.xx] port 22.
2420: debug1: Connection established.
2420: debug1: identity file /home/atanasdichev/.ssh/identity type -1
2420: debug1: identity file /home/atanasdichev/.ssh/id_rsa type -1
2420: debug1: identity file /home/atanasdichev/.ssh/id_dsa type -1
2420: debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1 FreeBSD-20100308
2420: debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
2420: debug1: Enabling compatibility mode for protocol 2.0
2420: debug1: Local version string SSH-2.0-OpenSSH_3.5p1f3
2420: debug1: Miscellaneous failure
2420: debug1: Program lacks support for encryption type
2420: debug1: SSH2_MSG_KEXINIT sent
2420: debug1: SSH2_MSG_KEXINIT received
2420: debug1: kex: server->client aes128-cbc hmac-md5 none
2420: debug1: kex: client->server aes128-cbc hmac-md5 none
2420: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
2420: debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
2420: debug1: dh_gen_key: priv key bits set: 119/256
2420: debug1: bits set: 1028/2048
2420: debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
2420: debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
2420: debug1: Host 'host.net' is known and matches the RSA host key.
2420: debug1: Found key in /home/user/.ssh/known_hosts:1
2420: debug1: bits set: 1000/2048
2420: debug1: ssh_rsa_verify: signature correct
2420: debug1: kex_derive_keys
2420: debug1: newkeys: mode 1
2420: debug1: SSH2_MSG_NEWKEYS sent
2420: debug1: waiting for SSH2_MSG_NEWKEYS
2420: debug1: newkeys: mode 0
2420: debug1: SSH2_MSG_NEWKEYS received
2420: debug1: done: ssh_kex2.
2420: debug1: send SSH2_MSG_SERVICE_REQUEST
2420: debug1: service_accept: ssh-userauth
2420: debug1: got SSH2_MSG_SERVICE_ACCEPT
------------- WARNING -------------
THIS IS A PRIVATE COMPUTER SYSTEM.
-----------------------------------
This computer system including all related equipment,
network devices (specifically including Internet access),
are provided only for authorized use. All computer systems
may be monitored for all lawful purposes, including to
ensure that their use is authorized, for management of the
system, to facilitate protection against unauthorized
access, and to verify security procedures, survivability and
operational security. Monitoring includes active attacks by
authorized personnel and their entities to test or verify
the security of the system. During monitoring, information
may be examined, recorded, copied and used for authorized
purposes. All information including personal information,
placed on or sent over this system may be monitored. Uses of
this system, authorized or unauthorized, constitutes consent
to monitoring of this system. Unauthorized use may subject
you to criminal prosecution. Evidence of any such
unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of
this system constitutes consent to monitoring for these
purposes.
2420: debug1: authentications that can continue: publickey,gssapi-with-mic
2420: debug1: next auth method to try is publickey
2420: debug1: try privkey: /home/user/.ssh/identity
2420: debug1: try privkey: /home/user/.ssh/id_rsa
2420: debug1: try privkey: /home/user/.ssh/id_dsa
2420: debug1: no more auth methods to try
2420: Permission denied (publickey,gssapi-with-mic).
2420: debug1: Calling cleanup 0x41c5a0(0x0)
谢谢OpenSSH需要GSSAPI和libkrb5库来支持Kerberos。Windows也不提供,因此为了使其工作,您需要安装MIT Kerberos或Heimdal的Cygwin版本,并且它们不会自动使用Windows本机Kerberos系统获取的凭据;您需要显式地使用“kinit”来获取Kerberos凭据(TGT) 在krb5.conf中没有单一的配方;Kerberos是复杂的,并且有许多可能性——这取决于您周围的基础架构。一个非常简单的起点可能是:
[libdefaults]
default_realm = FOO.COM
[realms]
FOO.COM = {
kdc = kdc.foo.com
}
[libdefaults]
default_realm = FOO.COM
[realms]
FOO.COM = {
kdc = kdc.foo.com
}
2420:调试1:其他故障
2420:debug1:程序缺少对加密类型的支持
。。。建议我,你可能已经有一些或所有这些地方。我的初步猜测是,您有一个TGT,但它使用的会话密钥加密类型不受您安装的Kerberos版本的支持(或者与ssh.exe链接的类型不同)。我注意到OpenSSH客户端版本(3.5)非常旧。Windows现在更喜欢AES-256;可能您的Kerberos版本不支持此较新的密码。不过这只是一个猜测;我们需要更多的信息。发布klist-ef的输出,以及ssh(-vvv)的更详细内容。这是一个老问题,但我最近遇到了一个类似的问题,在Windows 10上使用Cygwin。 在Cygwin中安装了openssh和krb5工作站,并将其保存在my.shh/config中之后,我终于让它正常工作了:
Host "HostID"
HostName "HostName"
User "UserName"
PreferredAuthentications gssapi-with-mic
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
# GSSAPIKeyExchange yes
/usr/bin/sshusr/bin/kinit/usr/bin/kinit-f“UserName”@xxx.com/usr/bin/shh“HostID”