4

为什么我不能使用 Cygwin 用 Kerberos 票证连接到主机?这是我的配置:

    $ cat .ssh/config
Host *

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

这是我在 ssh 尝试中得到的结果:

$ ssh -v user@host.net
OpenSSH_3.5p1f3, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
2420: debug1: Reading configuration data /home/user/.ssh/config
2420: debug1: Rhosts Authentication disabled, originating port will not be trusted.
2420: debug1: ssh_connect: needpriv 0
2420: debug1: Connecting to host.net [xx.xx.xx.xx] port 22.
2420: debug1: Connection established.
2420: debug1: identity file /home/atanasdichev/.ssh/identity type -1
2420: debug1: identity file /home/atanasdichev/.ssh/id_rsa type -1
2420: debug1: identity file /home/atanasdichev/.ssh/id_dsa type -1
2420: debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1 FreeBSD-20100308
2420: debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
2420: debug1: Enabling compatibility mode for protocol 2.0
2420: debug1: Local version string SSH-2.0-OpenSSH_3.5p1f3
2420: debug1: Miscellaneous failure
2420: debug1: Program lacks support for encryption type
2420: debug1: SSH2_MSG_KEXINIT sent
2420: debug1: SSH2_MSG_KEXINIT received
2420: debug1: kex: server->client aes128-cbc hmac-md5 none
2420: debug1: kex: client->server aes128-cbc hmac-md5 none
2420: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
2420: debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
2420: debug1: dh_gen_key: priv key bits set: 119/256
2420: debug1: bits set: 1028/2048
2420: debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
2420: debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
2420: debug1: Host 'host.net' is known and matches the RSA host key.
2420: debug1: Found key in /home/user/.ssh/known_hosts:1
2420: debug1: bits set: 1000/2048
2420: debug1: ssh_rsa_verify: signature correct
2420: debug1: kex_derive_keys
2420: debug1: newkeys: mode 1
2420: debug1: SSH2_MSG_NEWKEYS sent
2420: debug1: waiting for SSH2_MSG_NEWKEYS
2420: debug1: newkeys: mode 0
2420: debug1: SSH2_MSG_NEWKEYS received
2420: debug1: done: ssh_kex2.
2420: debug1: send SSH2_MSG_SERVICE_REQUEST
2420: debug1: service_accept: ssh-userauth
2420: debug1: got SSH2_MSG_SERVICE_ACCEPT


                ------------- WARNING -------------
                THIS IS A PRIVATE COMPUTER SYSTEM.
                -----------------------------------

        This computer system including all related equipment,
        network devices (specifically including Internet access),
        are provided only for authorized use. All computer systems
        may be monitored for all lawful purposes, including to
        ensure that their use is authorized, for management of the
        system, to facilitate protection against unauthorized
        access, and to verify security procedures, survivability and
        operational security. Monitoring includes active attacks by
        authorized personnel and their entities to test or verify
        the security of the system. During monitoring, information
        may be examined, recorded, copied and used for authorized
        purposes. All information including personal information,
        placed on or sent over this system may be monitored. Uses of
        this system, authorized or unauthorized, constitutes consent
        to monitoring of this system. Unauthorized use may subject
        you to criminal prosecution. Evidence of any such
        unauthorized use collected during monitoring may be used for
        administrative, criminal or other adverse action. Use of
        this system constitutes consent to monitoring for these
        purposes.



2420: debug1: authentications that can continue: publickey,gssapi-with-mic
2420: debug1: next auth method to try is publickey
2420: debug1: try privkey: /home/user/.ssh/identity
2420: debug1: try privkey: /home/user/.ssh/id_rsa
2420: debug1: try privkey: /home/user/.ssh/id_dsa
2420: debug1: no more auth methods to try
2420: Permission denied (publickey,gssapi-with-mic).
2420: debug1: Calling cleanup 0x41c5a0(0x0)

似乎我从来没有尝试过 gssapi-with-mic auth 方法这是为什么?我需要在 krb5.conf 文件中指定什么?谢谢

4

2 回答 2

2

OpenSSH 需要 GSSAPI 和 libkrb5 库来支持 Kerberos。Windows 也不提供,因此为了使其正常工作,您需要安装 MIT Kerberos 或 Heimdal 的 Cygwin 版本,它们不会自动使用 Windows 原生 Kerberos 系统获取的凭据;您将需要显式使用“kinit”来获取 Kerberos 凭据 (TGT)。

在 krb5.conf 中放入的内容没有单一的方法;Kerberos 很复杂,有很多可能性——这取决于您周围的基础设施。一个非常简单的起点可能是:

[libdefaults]
    default_realm = FOO.COM
[realms]
FOO.COM = {
    kdc = kdc.foo.com
}

在这里,您的单个 Kerberos 领域是 FOO.COM,而该领域的 KDC(Kerberos 身份验证服务器)是 kdc.foo.com。最好让客户端可以通过 DNS SRV 记录(如果存在)定位 KDC。

使用 kinit 进行身份验证,然后使用 klist 查看您的凭据。

这些消息:

2420: debug1: Miscellaneous failure 2420: debug1: Program lacks support for encryption type

...向我建议您可能已经拥有部分或全部。我最初的猜测是你有一个 TGT,但它使用的会话密钥加密类型不受你安装的 Kerberos 版本的支持(或者链接 ssh.exe 的版本,可能不同)。我注意到 OpenSSH 客户端版本 (3.5) 相当旧。现在的 Windows 更喜欢 AES-256;也许您的 Kerberos 版本不支持这种较新的密码。不过,这只是一个猜测;我们需要更多信息。发布 klist -ef 的输出,以及来自 ssh (-vvv) 的更多详细信息。

于 2014-02-27T06:52:36.217 回答
0

一个老问题,但我最近遇到了类似的问题,在 Windows 10 上使用 Cygwin。在 Cygwin 中安装了opensshkrb5-workstation并在我的 .shh/config 中安装了它之后,我终于让它工作了:

Host "HostID"
  HostName "HostName"
  User "UserName"
  PreferredAuthentications gssapi-with-mic
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  # GSSAPIKeyExchange yes

最后一行是我不需要的选项,但在某些情况下可能需要。

请注意,Cygwin 有时默认为 windows 安装 openssh(如果存在),有时可能需要显式运行/usr/bin/sshusr/bin/kinit使用正确的版本。例如,运行/usr/bin/kinit -f "UserName"@xxx.com(匹配上面配置文件中的用户名),然后/usr/bin/shh "HostID"(匹配配置中的 host-id)。

于 2018-11-27T12:01:31.987 回答