
I am trying to perform SSH login using Kerberos authentication. Instead of Kerberos, a password is prompted for at login.

There are three computers: client, kdcserver and service (SSHD server). The client is trying to log in to service using Kerberos.

Attached are the config files and debug logs from client and service machines (Linux).

Client:

/etc/ssh/ssh_config

   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
   GSSAPIKeyExchange yes

klist (tickets)

Default principal: root@EXAMPLE.COM

Valid starting       Expires              Service principal
02/12/2021 12:06:02  02/13/2021 12:05:45  host/service.example.com@EXAMPLE.COM
02/12/2021 12:05:45  02/13/2021 12:05:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM

SSH client dbg logs

ssh -vvv  service.example.com
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "service.example.com" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to service.example.com [172.30.88.107] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: key_load_public: No such file or directory
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to service.example.com:22 as 'root'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from service.example.com
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss,null
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug2: ciphers ctos: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug3: send packet: type 30
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:+1UAVGrMBTByh3IJ4Ux4mECS8UB2sqSVtmvVduHKw9g
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from service.example.com
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 172.30.88.107
debug1: Host 'service.example.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug2: key: /root/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

Service (SSHD)

sshd_config

[root@service ~]# cat /etc/ssh/sshd_config
#Version 2
Port 22
Protocol 2
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_rsa_key
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG3
LoginGraceTime 60
PermitRootLogin yes
StrictModes yes
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
UsePAM yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#GSSAPIKeyExchange no
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
Banner /etc/issue.net
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

HostKey /etc/ssh/ssh_host_ecdsa_256_key
HostKey /etc/ssh/ssh_host_ecdsa_384_key
HostKey /etc/ssh/ssh_host_ecdsa_521_key
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com

sshd logs when client tries login to service

Feb 12 12:06:01 NE107 crond[15161]: (root) CMD (test -x /usr/st/bin/recreate-missing-dirs && /usr/st/bin/recreate-missing-dirs)
Feb 12 12:06:11 NE107 sshd[15182]: connect from 10.7.90.199 (10.7.90.199)
Feb 12 12:06:11 NE107 sshd[15182]: debug1: inetd sockets after dupping: 3, 4
Feb 12 12:06:11 NE107 sshd[15182]: Connection from 10.7.90.199 port 59876 on 172.30.88.107 port 22
Feb 12 12:06:11 NE107 sshd[15182]: debug1: Local version string SSH-2.0-OpenSSH_8.0
Feb 12 12:06:11 NE107 sshd[15182]: debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
Feb 12 12:06:11 NE107 sshd[15182]: debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
Feb 12 12:06:11 NE107 sshd[15182]: debug2: fd 3 setting O_NONBLOCK
Feb 12 12:06:11 NE107 sshd[15182]: debug3: fd 4 is O_NONBLOCK
Feb 12 12:06:11 NE107 sshd[15182]: debug3: ssh_sandbox_init: preparing rlimit sandbox
Feb 12 12:06:11 NE107 sshd[15182]: debug2: Network child is on pid 15183
Feb 12 12:06:11 NE107 sshd[15182]: debug3: preauth child monitor started
Feb 12 12:06:11 NE107 sshd[15182]: debug3: privsep user:group 74:74 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: permanently_set_uid: 74/74 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 20 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 20 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: local server KEXINIT proposal [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: ciphers ctos: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: ciphers stoc: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: compression ctos: none,zlib@openssh.com [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: compression stoc: none,zlib@openssh.com [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: languages ctos:  [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: languages stoc:  [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: first_kex_follows 0  [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: reserved 0  [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: peer client KEXINIT proposal [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha
Feb 12 12:06:11 NE107 sshd[15182]: debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss,null [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: languages ctos:  [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: languages stoc:  [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: first_kex_follows 0  [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: reserved 0  [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: kex: algorithm: ecdh-sha2-nistp256 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 30 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshkey_sign entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 6 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 6
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_sign
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_sign: hostkey proof signature 0x20702500(100)
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 7
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 6 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive_expect entering: type 7 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 31 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 21 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: set_newkeys: mode 1 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: rekey out after 4294967296 blocks [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 7 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 21 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: set_newkeys: mode 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: rekey in after 4294967296 blocks [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: KEX done [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 5 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 6 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 50 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: userauth-request for user root service ssh-connection method none [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: attempt 0 failures 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_getpwnamallow entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 8 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive_expect entering: type 9 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 8
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_pwnamallow
Feb 12 12:06:11 NE107 sshd[15182]: debug2: parse_server_config: config reprocess config len 1061
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 9
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 8 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug2: input_userauth_request: setting up authctxt for root [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_start_pam entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 100 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_inform_authserv entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 4 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_auth2_read_banner entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 10 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive_expect entering: type 11 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 100
Feb 12 12:06:11 NE107 sshd[15182]: debug1: PAM: initializing for "root"
Feb 12 12:06:11 NE107 sshd[15182]: debug1: PAM: setting PAM_RHOST to "10.7.90.199"
Feb 12 12:06:11 NE107 sshd[15182]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 100 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 4
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_authserv: service=ssh-connection, style=
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 4 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 10
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 11
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 10 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 53 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: userauth_send_banner: sent [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: input_userauth_request: try method none [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: ensure_minimum_time_since: elapsed 19.097ms, delaying 7.623ms (requested 6.680ms) [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: eci_userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 51 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: receive packet: type 50 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: attempt 1 failures 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: input_userauth_request: try method keyboard-interactive [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: keyboard-interactive devs  [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: auth2_challenge: user=root devs= [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: auth2_challenge_start: devices pam [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug2: kbdint_next_device: devices <empty> [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshpam_init_ctx [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 104 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive_expect entering: type 105 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 104
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_pam_init_ctx
Feb 12 12:06:11 NE107 sshd[15182]: debug3: PAM: sshpam_init_ctx entering
Feb 12 12:06:11 NE107 sshd[15182]: debug2: sshpam_init_ctx: auth information in SSH_AUTH_INFO_0
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 105
Feb 12 12:06:11 NE107 sshd[15182]: debug2: monitor_read: 104 used once, disabling now
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshpam_query [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 106 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive_expect entering: type 107 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: monitor_read: checking request 106
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_answer_pam_query
Feb 12 12:06:11 NE107 sshd[15182]: debug3: PAM: sshpam_query entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: ssh_msg_recv entering
Feb 12 12:06:11 NE107 sshd[15184]: debug3: PAM: sshpam_thread_conv entering, 1 messages
Feb 12 12:06:11 NE107 sshd[15184]: debug3: ssh_msg_send: type 1
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_request_send entering: type 107
Feb 12 12:06:11 NE107 sshd[15182]: debug3: mm_sshpam_query: pam_query returned 0 [preauth]
Feb 12 12:06:11 NE107 sshd[15184]: debug3: ssh_msg_recv entering
Feb 12 12:06:11 NE107 sshd[15182]: debug3: send packet: type 60 [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: debug3: ensure_minimum_time_since: elapsed 13.171ms, delaying 0.189ms (requested 6.680ms) [preauth]
Feb 12 12:06:11 NE107 sshd[15182]: Postponed keyboard-interactive for root from 10.7.90.199 port 59876 ssh2 [preauth]
Feb 12 12:06:18 NE107 sshd[15182]: Connection closed by authenticating user root 10.7.90.199 port 59876 [preauth]
Feb 12 12:06:18 NE107 sshd[15182]: debug1: do_cleanup [preauth]
Feb 12 12:06:18 NE107 sshd[15182]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
Feb 12 12:06:18 NE107 sshd[15182]: debug1: monitor_read_log: child log fd closed
Feb 12 12:06:18 NE107 sshd[15182]: debug3: mm_request_receive entering
Feb 12 12:06:18 NE107 sshd[15182]: debug1: do_cleanup
Feb 12 12:06:18 NE107 sshd[15182]: debug1: PAM: cleanup
Feb 12 12:06:18 NE107 sshd[15182]: debug3: PAM: sshpam_thread_cleanup entering
Feb 12 12:06:18 NE107 sshd[15182]: debug1: Killing privsep child 15183

krb5.conf

cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 clockskew = 600

 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = kdcserver.example.com
  admin_server = kdcserver.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf

GSSAPIAuthentication is set to yes on both client (SSH) and service (SSHD) configurations.

While looking at the SSH client debug logs, I noticed that the only authentication methods used are publickey and keyboard-interactive, while gssapi-with-mic is not used (which I believe is the one used for Kerberos; correct me if I am wrong).

debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password

Can someone help in analysing the logs and point out why Kerberos login is not working?

Thanks!

khopdi
  • On mobile currently so probably missing some of the details in your question, but if I read it correctly you're using the root account for your tests. That makes me wonder if remote root login is normally permitted and working (with a password or key exchange). Is there a Kerberos principal for the root account? – Bob Feb 12 '21 at 12:34
  • Yes there is a principal configured for root in KDC. `listprincs K/M@EXAMPLE.COM host/service.example.com@EXAMPLE.COM kadmin/admin@EXAMPLE.COM kadmin/changepw@EXAMPLE.COM kadmin/kdcserver.example.com@EXAMPLE.COM kiprop/kdcserver.example.com@EXAMPLE.COM krbtgt/EXAMPLE.COM@EXAMPLE.COM root@EXAMPLE.COM` and in sshd PermitRootLogin is set to yes – khopdi Feb 12 '21 at 12:40
  • @HermanB I tried with another user - testuser, but similar behavior is seen. ssh still prompts for a password. – khopdi Feb 12 '21 at 12:53
  • OK, the sshd_config looks fine, but it doesn't seem like the ssh server is even offering GSSAPI authentication. Is the server actually joined to the Kerberos realm? How was that set up? – Michael Hampton Feb 12 '21 at 15:34
  • @MichaelHampton I have krb5.conf file copied from kdcserver to SSH server. I have added krb5.conf file in the question as well. – khopdi Feb 12 '21 at 15:38
  • @MichaelHampton Am I missing something here in setting up ssh server to kerberos realm? Enlighten me. – khopdi Feb 13 '21 at 14:46
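The comments above boil down to reading two things out of the client's `ssh -vvv` transcript: whether the server's KEXINIT proposal contains any `gss-*` key exchange method, and whether the server ever lists `gssapi-with-mic` in "Authentications that can continue". The following Python script is an added example, not part of the question or of OpenSSH; it parses those lines and reports where the GSSAPI negotiation stops. The sample transcripts are constructed from the debug output quoted in the question (the failing case) and from what a working negotiation would look like (the healthy case, an assumption); the line formats assumed are the OpenSSH debug formats visible on this page.

```python
"""Check an `ssh -vvv` transcript for whether GSSAPI (Kerberos) authentication
was ever offered by the server.  Added example; not code from the question."""
import re
from typing import Dict, List

# Constructed from the client debug output quoted in the question (failing case).
SAMPLE_FAILING_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256,ecdh-sha2-nistp256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Next authentication method: keyboard-interactive
"""

# Constructed (assumed) transcript of a server that does offer gssapi-with-mic.
SAMPLE_HEALTHY_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256
debug1: kex: algorithm: gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug1: Next authentication method: gssapi-with-mic
"""

GSS_USERAUTH = ("gssapi-keyex", "gssapi-with-mic")


def parse_client_log(text: str) -> Dict[str, object]:
    """Pull the KEX proposals and userauth method lists out of an ssh -vvv transcript."""
    info: Dict[str, object] = {"client_kex": [], "server_kex": [], "kex_chosen": "",
                               "offered": [], "preferred": [], "tried": []}
    side = None  # which KEXINIT proposal the next "KEX algorithms:" line belongs to
    for line in text.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client_kex"
        elif "peer server KEXINIT proposal" in line:
            side = "server_kex"
        m = re.search(r"debug2: KEX algorithms: (.*)$", line)
        if m and side:
            info[side] = [a for a in m.group(1).split(",") if a]
            continue
        m = re.search(r"kex: algorithm: (\S+)", line)
        if m:
            info["kex_chosen"] = m.group(1)
        m = re.search(r"Authentications that can continue: (.*)$", line)
        if m:
            info["offered"] = m.group(1).split(",")
        m = re.search(r"debug3: preferred (.*)$", line)
        if m:
            info["preferred"] = m.group(1).split(",")
        m = re.search(r"Next authentication method: (\S+)", line)
        if m:
            info["tried"].append(m.group(1))
    return info


def diagnose(info: Dict[str, object]) -> List[str]:
    """Return the reasons (empty if none) why Kerberos was not used."""
    findings: List[str] = []
    client_gss_kex = [a for a in info["client_kex"] if a.startswith("gss-")]
    server_gss_kex = [a for a in info["server_kex"] if a.startswith("gss-")]
    if client_gss_kex and not server_gss_kex:
        # Client proposed GSSAPI key exchange, server did not: sshd has no
        # GSSAPIKeyExchange support enabled, so gssapi-keyex can never be picked.
        findings.append("server-no-gss-kex")
    wanted = [m for m in info["preferred"] if m in GSS_USERAUTH]
    offered = [m for m in info["offered"] if m in GSS_USERAUTH]
    if wanted and not offered:
        # The client will only try a method the server advertises; if sshd never
        # lists gssapi-with-mic, check its effective config with `sshd -T` and
        # whether it can acquire host credentials for the realm.
        findings.append("server-no-gssapi-userauth")
    if wanted and not any(m in GSS_USERAUTH for m in info["tried"]):
        findings.append("client-never-tried-gssapi")
    return findings


if __name__ == "__main__":
    for name, log in (("failing", SAMPLE_FAILING_LOG), ("healthy", SAMPLE_HEALTHY_LOG)):
        parsed = parse_client_log(log)
        print(name, "kex:", parsed["kex_chosen"], "findings:", diagnose(parsed) or "none")
```

Run against the question's own transcript the script reports all three findings: the server's KEXINIT has no `gss-*` entry, the server never advertises `gssapi-with-mic`, and consequently the client never attempts it. That matches what the comments observe, and points the investigation at the server side rather than at the client's `ssh_config`.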
