|
#1
05-03-2013, 07:30 AM
|
|||
|
|||
|
can not login when using ip with kerberos
Hi,
i can not login the server when using ip(10.10.67.10) with kerberos,but using "67-10.bjyz.dajie-inc.com" is OK. please help me out. here is the log: [LOCAL] : SSH2Core version 7.1.0.244 [LOCAL] : Connecting to 10.10.67.10:22 ... SecureCRT - Version 7.1.0 (build 244) [LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT [LOCAL] : Using protocol SSH2 [LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_5.3' [LOCAL] : CAP : Remote can re-key [LOCAL] : CAP : Remote sends language in password change requests [LOCAL] : CAP : Remote sends algorithm name in PK_OK packets [LOCAL] : CAP : Remote sends algorithm name in public key packets [LOCAL] : CAP : Remote sends algorithm name in signatures [LOCAL] : CAP : Remote sends error text in open failure packets [LOCAL] : CAP : Remote sends name in service accept packets [LOCAL] : CAP : Remote includes port number in x11 open packets [LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC [LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages [LOCAL] : CAP : Remote correctly handles unknown SFTP extensions [LOCAL] : CAP : Remote correctly encodes OID for gssapi [LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests [LOCAL] : CAP : Remote can do SFTP version 4 [LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures [LOCAL] : CAP : Remote correctly handles zlib@openssh.com [LOCAL] : GSS : Requesting full delegation [LOCAL] : GSS : [Kerberos] SPN : host@10.10.67.10 [LOCAL] : GSS : [Kerberos] InitializeSecurityContext() failed. [LOCAL] : GSS : [Kerberos] The gssapi provider indicated a failure. Miscellaneous failure (see text) UNKNOWN_SERVER while looking up 'host/10.10.67.10@10.67.10' (cached result, timeout in 394 sec) (negative cache) [LOCAL] : GSS : [Kerberos] Disabling gss mechanism [LOCAL] : GSS : Requesting full delegation [LOCAL] : GSS : [Kerberos] SPN : host@10.10.67.10 [LOCAL] : GSS : [Kerberos] InitializeSecurityContext() failed. [LOCAL] : GSS : [Kerberos] The gssapi provider indicated a failure. Miscellaneous failure (see text) UNKNOWN_SERVER while looking up 'host/10.10.67.10@10.67.10' (cached result, timeout in 394 sec) (negative cache) [LOCAL] : GSS : [Kerberos] Disabling gss mechanism [LOCAL] : GSS : [Kerberos] Disabling gss mechanism [LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g== [LOCAL] : GSS : Requesting full delegation [LOCAL] : GSS : [Kerberos (Group Exchange)] SPN : host@10.10.67.10 [LOCAL] : GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed. [LOCAL] : GSS : [Kerberos (Group Exchange)] The gssapi provider indicated a failure. Miscellaneous failure (see text) UNKNOWN_SERVER while looking up 'host/10.10.67.10@10.67.10' (cached result, timeout in 394 sec) (negative cache) [LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism [LOCAL] : GSS : Requesting full delegation [LOCAL] : GSS : [Kerberos (Group Exchange)] SPN : host@10.10.67.10 [LOCAL] : GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed. [LOCAL] : GSS : [Kerberos (Group Exchange)] The gssapi provider indicated a failure. Miscellaneous failure (see text) UNKNOWN_SERVER while looking up 'host/10.10.67.10@10.67.10' (cached result, timeout in 394 sec) (negative cache) [LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism [LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism [LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== [LOCAL] : SEND : KEXINIT [LOCAL] : RECV : Read kexinit [LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1 [LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss [LOCAL] : Selected Host Key Algo = ssh-dss [LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [LOCAL] : Selected Send Cipher = aes256-ctr [LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [LOCAL] : Selected Recv Cipher = aes256-ctr [LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [LOCAL] : Selected Send Mac = hmac-sha1 [LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [LOCAL] : Selected Recv Mac = hmac-sha1 [LOCAL] : Available Remote Compressors = none,zlib@openssh.com [LOCAL] : Selected Compressor = none [LOCAL] : Available Remote Decompressors = none,zlib@openssh.com [LOCAL] : Selected Decompressor = none [LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE [LOCAL] : SEND : KEXDH_GEX_REQUEST [LOCAL] : RECV : KEXDH_GEX_GROUP [LOCAL] : SEND : KEXDH_INIT [LOCAL] : RECV : KEXDH_REPLY [LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS [LOCAL] : RECV: Remote Hostkey: b4:de:25:ec:89:02:b9:5d:f5:0d:87:c9:79:2c:76:17 [LOCAL] : SEND : NEWKEYS [LOCAL] : Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS [LOCAL] : RECV : NEWKEYS [LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION [LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth] [LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK [LOCAL] : SENT : USERAUTH_REQUEST [none] [LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password] [LOCAL] : GSS SPN : host@10.10.67.10 [LOCAL] : [GSS/1.2.840.113554.1.2.2] : Authentication could not be started. [LOCAL] : [GSS/1.2.840.113554.1.2.2] : The gssapi provider indicated a failure. Miscellaneous failure (see text) UNKNOWN_SERVER while looking up 'host/10.10.67.10@10.67.10' (cached result, timeout in 394 sec) (negative cache) ............ And this is the OK logs: [LOCAL] : SSH2Core version 7.1.0.244 [LOCAL] : Connecting to 67-10.bjyz.dajie-inc.com:22 ... SecureCRT - Version 7.1.0 (build 244) [LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT [LOCAL] : Using protocol SSH2 [LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_5.3' [LOCAL] : CAP : Remote can re-key [LOCAL] : CAP : Remote sends language in password change requests [LOCAL] : CAP : Remote sends algorithm name in PK_OK packets [LOCAL] : CAP : Remote sends algorithm name in public key packets [LOCAL] : CAP : Remote sends algorithm name in signatures [LOCAL] : CAP : Remote sends error text in open failure packets [LOCAL] : CAP : Remote sends name in service accept packets [LOCAL] : CAP : Remote includes port number in x11 open packets [LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC [LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages [LOCAL] : CAP : Remote correctly handles unknown SFTP extensions [LOCAL] : CAP : Remote correctly encodes OID for gssapi [LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests [LOCAL] : CAP : Remote can do SFTP version 4 [LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures [LOCAL] : CAP : Remote correctly handles zlib@openssh.com [LOCAL] : GSS : Requesting full delegation [LOCAL] : GSS : [Kerberos] SPN : host@67-10.bjyz.dajie-inc.com [LOCAL] : GSS : Requesting full delegation [LOCAL] : GSS : [Kerberos (Group Exchange)] SPN : host@67-10.bjyz.dajie-inc.com [LOCAL] : SEND : KEXINIT [LOCAL] : RECV : Read kexinit [LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1 [LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss [LOCAL] : Selected Host Key Algo = ssh-dss [LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [LOCAL] : Selected Send Cipher = aes256-ctr [LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se ........... 
|
|
#2
05-03-2013, 02:01 PM
|
|||
|
|||
|
Hi cuikc,
Thanks for the question. Kerberos is designed to work with a server principle name (SPN) which a fully qualified domain name (FQDN) has, but an IP address does not have. It may be possible to accomplish your goal, but since DNS can be spoofed, and as such poses a security risk, it is not recommended that one use the workaround. If you would like details for the workaround, please send a message to support@vandyke.com with a subject of Attn: Todd - Forum thread #11011. Last edited by rtb; 05-03-2013 at 02:04 PM.
|
|
#3
05-16-2013, 02:28 PM
|
|||
|
|||
|
Hi All,
This problem has been resolved in a pre-release build of SecureCRT. If you are seeing this issue and would like to test it, please send a message to support@vandyke.com with a subject of Attn: Todd - Forum thread #11011.
|
 |
| Tags |
| kerberos |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
