我正在尝试连接到名为“test21.my-domain.com”的 ssh 服务器。我需要一张 kerberos 票证才能连接到此主机,因此我进行了以下配置:
Host *
HostName %h.my-domain.com
User my_username
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Include config.d/ssh_config
附加的 ssh_config 包含不带 kerberos 票证的主机,如下所示:
Host ai-buildingblocks ai-buildingblocks.my-domain.com ai-buildingblocks.my-domain.com
User root
GSSAPIDelegateCredentials no
Host ai-marketplace-3 ai-marketplace-3.my-domain.com ai-marketplace-3.my-domain.com
User root
GSSAPIDelegateCredentials no
...
如果我想在本地机器上显示我的 Kerberos 票证,我会得到我的票证:
> klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
01/13/2025 11:20:19 01/13/2025 21:20:19 krbtgt/[email protected]
renew until 01/14/2025 11:20:19, Flags: RIA
01/13/2025 11:20:20 01/13/2025 21:20:19 host/adminssh.my-domain.com@
renew until 01/14/2025 11:20:19, Flags: RAT
Ticket server: host/[email protected]
01/13/2025 11:41:22 01/13/2025 21:20:19 host/test21.my-domain.com@
renew until 01/14/2025 11:20:19, Flags: RAT
Ticket server: host/[email protected]
但是当我连接到主机并执行 klist 时,它只是说没有找到任何凭据,导致出现一堆错误。但是,我已连接到主机,该连接毫无用处,因为我需要 kerberos 票证才能获取我的主目录。以下是一些日志:
> ssh test21 -K -v
OpenSSH_9.9p1, OpenSSL 3.4.0 22 Oct 2024
debug1: Reading configuration data /home/my_username/.ssh/config
debug1: /home/my_username/.ssh/config line 7: Applying options for *
debug1: Reading configuration data /home/my_username/.ssh/config.d/ssh_config
debug1: /home/my_username/.ssh/config.d/ssh_config line 3: include ~/.ssh/ansible_ssh_config matched no files
debug1: /home/my_username/.ssh/config.d/ssh_config line 453: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: Connecting to test21.my-domain.com [aaaa:111:111:aaaa::11] port 22.
debug1: connect to address aaaa:111:111:aaaa::11 port 22: Connection refused
debug1: Connecting to test21.my-domain.com [111.111.111.11] port 22.
debug1: Connection established.
debug1: identity file /home/my_username/.ssh/id_rsa type -1
debug1: identity file /home/my_username/.ssh/id_rsa-cert type -1
debug1: identity file /home/my_username/.ssh/id_ecdsa type -1
debug1: identity file /home/my_username/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/my_username/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/my_username/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/my_username/.ssh/id_ed25519 type -1
debug1: identity file /home/my_username/.ssh/id_ed25519-cert type -1
debug1: identity file /home/my_username/.ssh/id_ed25519_sk type -1
debug1: identity file /home/my_username/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/my_username/.ssh/id_xmss type -1
debug1: identity file /home/my_username/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u4
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to test21.my-domain.com:22 as 'my_username'
debug1: load_hostkeys: fopen /home/my_username/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:abcde
debug1: load_hostkeys: fopen /home/my_username/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'test21.my-domain.com' is known and matches the ED25519 host key.
debug1: Found key in /home/my_username/.ssh/known_hosts:6
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_ext_info_check_ver: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
Authenticated to test21.my-domain.com ([111.111.111.11]:11) using "gssapi-with-mic".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: client_input_hostkeys: searching /home/my_username/.ssh/known_hosts for test21.my-domain.com / (none)
debug1: client_input_hostkeys: searching /home/my_username/.ssh/known_hosts2 for test21.my-domain.com / (none)
debug1: client_input_hostkeys: hostkeys file /home/my_username/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug1: pledge: agent
请注意,我更改了一些数据,例如我的用户名或 ips,因为我认为这些数据是敏感数据。还请注意,服务器配置不是我可以更改的,并且对许多其他人来说都是有效的,所以这一定是我这边的问题。我还使用 vpn 连接到主机,否则我可以使用跳转代理(“adminssh”),但这也不起作用。
那么为什么这不起作用呢?为什么我在 ssh 主机上没有 kerberos 票证?我目前使用的是 arch,ssh 服务器在 debian 上运行。如果您需要更多信息,只要我不认为它们敏感,我随时可以提供。
您本地获得的“krbtgt”票证没有
F(可转发)标志,因此无法委托。在您的 /etc/krb5.conf 中使用
kinit -f或定义[libdefaults] forwardable = yes以获取可转发的 TGT。Kerberos 委派不会直接复制 TGT,它始终会请求 KDC 发出新的“
f可转发”TGT 以供发送。这在一定程度上是出于历史原因,因为很久以前,票据曾经携带允许的 IP 地址列表:初始 TGT 只能由客户端使用;客户端会要求 KDC“请发出可供 TargetServer 使用的 TGT”,如果初始票据不是“可转发的”,KDC 会拒绝这样做。您的服务票证没有
O(OK-as-delegate)标志,因此 Kerberos 客户端软件可能拒绝信任这些服务进行无约束委派。MIT Kerberos 默认不强制执行这一点(尽管它有这样的选项),但将您的
host/*主体标记为受信任的委派仍然是一个好主意——在 MIT Kerberos KDC 中是这样modprinc +ok_as_delegate,在 Active Directory 中它是 dsa.msc 中计算机帐户上的“信任所有服务的委派”选项。