When using GSSAPI/Kerberos authentication with SSH, you might encounter errors like:
$ ssh user@server.example.com
debug1: Offering GSSAPI proposal: gssapi-with-mic.krb5
debug1: SSH2_MSG_KEXINIT sent
debug1: GSSAPI authentication failedOr in server logs:
sshd[12345]: gssapi error: Miscellaneous failure (see text)
sshd[12345]: GSSAPI authentication failed for user: Permission deniedGSSAPI (Generic Security Services Application Programming Interface) enables Kerberos single sign-on authentication. Let's diagnose and fix these errors.
Understand GSSAPI SSH Authentication
- 1.GSSAPI SSH authentication:
- 2.Client obtains Kerberos ticket from KDC
- 3.Client offers GSSAPI authentication to SSH server
- 4.Server validates ticket against its own Kerberos principal
- 5.If valid, authentication succeeds without password
Requirements: - Kerberos infrastructure (KDC) - Service principal for SSH server (host/server.example.com) - Client has valid Kerberos ticket - Both sides configured for GSSAPI
Check Client Kerberos Ticket
First, verify you have a valid ticket:
klistOutput should show:
``` Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: user@EXAMPLE.COM
Valid starting Expires Service principal 04/03/26 10:00:00 04/03/26 20:00:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM ```
If no ticket or expired:
kinit user@EXAMPLE.COMEnter your Kerberos password. Then verify:
klistCheck SSH Client GSSAPI Configuration
In ~/.ssh/config or /etc/ssh/ssh_config:
grep -i gssapi ~/.ssh/configEnable GSSAPI:
Host *.example.com
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yesThe GSSAPIDelegateCredentials yes forwards your ticket to the server.
Check Server GSSAPI Configuration
On the server, check SSHD config:
sudo grep -i gssapi /etc/ssh/sshd_configShould show:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yesIf missing or disabled:
sudo sed -i 's/^GSSAPIAuthentication.*/GSSAPIAuthentication yes/' /etc/ssh/sshd_config
echo "GSSAPICleanupCredentials yes" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart sshdVerify Server Service Principal
The SSH server needs a Kerberos service principal. Check:
# On KDC or using admin tools
klist -k /etc/krb5.keytabShould show:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------
1 host/server.example.com@EXAMPLE.COMIf the principal doesn't exist, create it:
# On KDC
kadmin.local -q "addprinc -randkey host/server.example.com@EXAMPLE.COM"
kadmin.local -q "ktadd host/server.example.com@EXAMPLE.COM"Then copy the keytab to the server:
scp keytab server:/etc/krb5.keytabFix Keytab Permissions
On the server:
ls -la /etc/krb5.keytabShould be readable by sshd:
sudo chown root:root /etc/krb5.keytab
sudo chmod 600 /etc/krb5.keytabSome systems need sshd to read the keytab:
sudo chown root:sshd /etc/krb5.keytab
sudo chmod 640 /etc/krb5.keytabCheck Kerberos Configuration
Both client and server need proper /etc/krb5.conf:
cat /etc/krb5.confShould include:
``` [libdefaults] default_realm = EXAMPLE.COM dns_lookup_kdc = true
[realms] EXAMPLE.COM = { kdc = kdc.example.com admin_server = kdc.example.com }
[domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM ```
Test GSSAPI Authentication
Run SSH with verbose output:
ssh -vvv user@server.example.com 2>&1 | grep -i gssapiLook for:
debug1: Offering GSSAPI proposal: gssapi-with-mic.krb5
debug1: Trying GSSAPI authentication...
debug1: GSSAPI authentication request successfulIf it shows "failed", check the reason.
Common GSSAPI Errors
"No keytab entry found"
The server lacks the service principal keytab:
# Solution: Add principal and create keytab
kadmin -q "addprinc -randkey host/server.example.com"
kadmin -q "ktadd host/server.example.com""Ticket expired"
Your Kerberos ticket expired:
kinit user@EXAMPLE.COM"Server not found in Kerberos database"
Hostname mismatch. The principal must match the server's hostname:
```bash # Check actual hostname hostname -f
# Principal must be host/actual.hostname@REALM ```
If server's hostname is different:
kadmin -q "addprinc -randkey host/actual.hostname.example.com@EXAMPLE.COM""Clock skew too great"
Kerberos requires synchronized clocks:
```bash # Check time difference date ssh server 'date'
# Sync clocks sudo systemctl restart ntp ```
Or manually sync:
sudo date -s "$(ssh kdc 'date')"Check Credential Cache
SSH needs to find your credential cache:
echo $KRB5CCNAMEShould show a path like:
FILE:/tmp/krb5cc_1000If unset but you have a ticket:
export KRB5CCNAME=FILE:/tmp/krb5cc_$(id -u)Enable GSSAPI Key Exchange
For single sign-on during key exchange:
sudo grep GSSAPIKeyExchange /etc/ssh/sshd_configEnable it:
echo "GSSAPIKeyExchange yes" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart sshdClient side:
Host *.example.com
GSSAPIKeyExchange yesCheck Server Principal Mapping
Some configurations need principal-to-user mapping:
sudo grep -i authfile /etc/ssh/sshd_configOr check AuthorizedPrincipalsFile:
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%uCreate principals file:
echo "user@EXAMPLE.COM" | sudo tee /etc/ssh/auth_principals/userUse Kerberos Username Mapping
If your Kerberos principal differs from local username:
sudo grep -i krb5 /etc/sssd/sssd.confConfigure mapping:
[domain/example.com]
krb5_validate = true
ldap_krb5_init_kdc = trueOr use .k5login:
echo "kerberos_principal@EXAMPLE.COM" > ~/.k5loginTroubleshoot with Kerberos Logs
Check KDC logs:
# On KDC
sudo tail -f /var/log/krb5kdc.logLook for authentication attempts and failures.
Check SSH server logs:
sudo journalctl -u sshd -fTest Raw Kerberos
Test Kerberos independently of SSH:
kinit user@EXAMPLE.COM
kvno host/server.example.com@EXAMPLE.COMIf kvno fails, the service principal is missing or misconfigured.
Resolution Checklist
- 1.Verify Kerberos ticket:
klist - 2.Obtain fresh ticket:
kinit - 3.Enable GSSAPI in SSH client config
- 4.Enable GSSAPI in SSHD config
- 5.Verify server has service principal:
klist -k /etc/krb5.keytab - 6.Fix keytab permissions
- 7.Check
/etc/krb5.confconfiguration - 8.Synchronize clocks
- 9.Set
KRB5CCNAMEenvironment variable - 10.Test with verbose SSH:
ssh -vvv
GSSAPI authentication errors are typically Kerberos infrastructure issues. Start by verifying your ticket, then check the server's service principal and keytab configuration.