GSSAPI authentication over SSH fails with: Wrong principal in request
Environment
- Red Hat Enterprise Linux (RHEL) 6.4
- openssh-5.3p1-84.1
- krb5-libs-1.10.3-10
Issue
- Single Sign On using Kerberos and ssh fails on rhel6.4
- When logging in to a rhel6.4 system using kerberos and ssh, I get a permission denied
- This happens on systems installed from scratch with rhel6.4, but also on systems upgraded to rhel6.4 from rhel6.3
- Where using kerberos and ssh resulted in a successful log in on a rhel6.3 system, this fails after an upgrade to rhel6.4
- After setting the log level of sshd to DEBUG, the following error message appears:
    sshd[13862]: debug1: Unspecified GSS failure. Minor code may provide more information\nWrong principal in request\n
Other methods of logging in using ssh (HostbasedAuthentication, PubkeyAuthentication, PasswordAuthentication, etc.) work as expected.
Resolution
- Please update the krb5-libs packages to krb5-libs-1.10.3-15.el6_5.1 or later, which are now available to address this issue.
- Please refer to http://rhn.redhat.com/errata/RHBA-2014-0359.html for more information about these updated packages.
Root Cause
- Due to a regression, servers could not verify the client's ticket when its encryption type was compatible with (for example, des-cbc-crc) but not exactly the same as the type present in the keytab file (for example, des-cbc-md5).
Diagnostic Steps
- The upgrade from RHEL 6.3 to RHEL 6.4 did not update /etc/krb5.keytab or krb5.conf:
    # klist -ke /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       2 01/01/70 01:00:00 host/<fqdn>@<REALM> (des-cbc-md5)
- The client has a valid Kerberos Ticket Granting Ticket (TGT):
    $ klist -e
    Ticket cache: FILE:/tmp/krb5cc_15832
    Default principal: <user>@<REALM>

    Valid starting     Expires            Service principal
    02/12/14 10:42:24  02/12/14 20:42:27  krbtgt/<REALM>@<REALM>
            renew until 02/13/14 10:42:24, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
    02/12/14 10:47:17  02/12/14 20:42:27  host/<fqdn>@<REALM>
            renew until 02/13/14 10:42:24, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

    Kerberos 4 ticket cache: /tmp/tkt15832
    klist: You have no tickets cached
- Running sshd in debug mode shows the following message:
    /usr/sbin/sshd -d -p 2022
    ...
    Feb 12 09:49:38 invt001 sshd[31050]: Postponed gssapi-with-mic for nxp75004 from 92.120.70.10 port 46182 ssh2
    Feb 12 09:49:38 invt001 sshd[31049]: debug1: Unspecified GSS failure. Minor code may provide more information\nWrong principal in request\n
    ...
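The diagnostic steps above boil down to comparing the enctype of the client's host/ service ticket (klist -e) with the enctypes stored for that principal in the server keytab (klist -ke). The script below is an added example, not part of the Red Hat solution, that automates that comparison; the listings, principal, realm and host names in it are constructed placeholders modelled on the output above, and the mapping between the long names klist -e prints and the short names klist -ke prints covers only the two DES types the article mentions.

```shell
#!/bin/sh
# Constructed sample listings modelled on the "klist -ke" and "klist -e" output in the
# article; the principal, realm and host names are placeholders, not values from the page.
PRINC='host/server.example.com@EXAMPLE.COM'
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/01/70 01:00:00 host/server.example.com@EXAMPLE.COM (des-cbc-md5)'
TICKET_LISTING='Ticket cache: FILE:/tmp/krb5cc_15832
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
02/12/14 10:42:24  02/12/14 20:42:27  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/13/14 10:42:24, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
02/12/14 10:47:17  02/12/14 20:42:27  host/server.example.com@EXAMPLE.COM
        renew until 02/13/14 10:42:24, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32'

# Map the long enctype names "klist -e" prints to the short names "klist -ke" prints.
# Only the two DES types named in the article are mapped; anything else passes through.
short_etype() {
    case "$1" in
        'DES cbc mode with CRC-32')  echo des-cbc-crc ;;
        'DES cbc mode with RSA-MD5') echo des-cbc-md5 ;;
        *) echo "$1" ;;
    esac
}
# Enctypes the keytab holds for principal $1, read from klist -ke output $2, one per line.
keytab_etypes() {
    printf '%s\n' "$2" | awk -v p="$1" '$4 == p { gsub(/[()]/, "", $5); print $5 }'
}
# Enctype of the service ticket (the "tkt" value) for principal $1 in klist -e output $2.
ticket_etype() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $5 == p { found = 1; next }
        found && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): /, ""); n = split($0, e, ", "); print e[n]; exit }'
}
# Returns 0 when the ticket enctype is present in the keytab, 1 when the keytab only holds a
# different (possibly compatible) type, which is the situation the root cause describes.
check_principal() {
    tkt=$(short_etype "$(ticket_etype "$1" "$TICKET_LISTING")")
    for kt in $(keytab_etypes "$1" "$KEYTAB_LISTING"); do
        [ "$kt" = "$tkt" ] && return 0
    done
    echo "enctype mismatch for $1: ticket uses $tkt, keytab has: $(keytab_etypes "$1" "$KEYTAB_LISTING" | tr '\n' ' ')"
    return 1
}

if check_principal "$PRINC"; then echo "keytab enctype matches ticket for $PRINC"; fi
```

On a real system, replace the two constructed listings with the output of `klist -ke /etc/krb5.keytab` on the server and `klist -e` on the client; a reported mismatch on an affected krb5-libs version is the condition the erratum fixes.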
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
