The project involves developing a secure authentication system using GSSAPI for a client-server connection, with the aim to operate everything locally on a single machine using Kerberos. The system is designed to securely manage sessions between a client and a server, both running on the same local machine, listening on port 2222.

Encountered Issues:

Lack of Connectivity: Despite the server being configured to accept connections on port 2222, no connection attempts from the client were detected. This suggested possible configuration errors on the client or issues related to the local network setup.

GSSAPI Authentication Errors: Repeated “Failed to complete GSSAPI step: 0” errors indicated difficulties in the GSSAPI authentication process, suggesting potential problems with Kerberos configuration or errors in the security settings between the client and server.

Kerberos Configuration and Setup: We identified that the Kerberos configurations might not have been set up correctly. Difficulties using kinit and the lack of appropriate keytabs for the principals indicated issues in configuring the realm and managing Kerberos principals.

Actions Taken:

Verification and Configuration of Kerberos Logs: We configured the krb5.conf file to log detailed operations, allowing us to better monitor activities and identify errors during authentication.

Basic Connectivity and Authentication Testing: Basic tests using ping, telnet, and nc were conducted to confirm the ability to connect to the server on the specified port, directly from the same machine. This was crucial to ensure that the issue did not stem from the local network.

Code Analysis and Debugging: We reviewed the code for both the client and server to ensure that the connection endpoints and authentication parameters were correct and consistent with Kerberos configurations.

ssh_server.py

import socket
import kerberos
import logging
import subprocess

def authenticate_user():
    service = "host/localhost@LOCALHOST"
    rc, context = kerberos.authGSSServerInit(service)
    if rc != kerberos.AUTH_GSS_COMPLETE:
        raise Exception("Failed to initialize GSSAPI context")
    
    try:
        rc = kerberos.authGSSServerStep(context, "")
        if rc != kerberos.AUTH_GSS_COMPLETE:
            raise Exception("Failed to complete GSSAPI step")
        
        rc, user = kerberos.authGSSServerUserName(context)
        if rc != kerberos.AUTH_GSS_COMPLETE:
            raise Exception("Failed to retrieve user name")
        
        return user
    finally:
        kerberos.authGSSServerClean(context)

def handle_client(client_socket):
    try:
        user = authenticate_user()
        if user == "root":
            client_socket.send(b"Benvenuto root! Hai pieno accesso al sistema.n")
            shell = "/bin/bash"
        elif user in ["samu", "angelo"]:
            client_socket.send(b"Benvenuto! Hai accesso limitato al sistema.n")
            shell = "/bin/rbash"
        else:
            client_socket.send(b"Autenticazione fallitan")
            client_socket.close()
            return

        process = subprocess.Popen(shell, stdin=client_socket.fileno(), stdout=client_socket.fileno(), stderr=client_socket.fileno(), shell=True)
        process.wait()
        
    except Exception as e:
        logging.error(f"Errore di autenticazione: {e}")
        client_socket.send(f"Errore di autenticazione: {e}n".encode())
    finally:
        client_socket.close()

def main():
    logging.basicConfig(level=logging.DEBUG, format='%(asctime)s - %(levelname)s - %(message)s')
    
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("0.0.0.0", 2222))
    server.listen(5)
    logging.info("Server in ascolto sulla porta 2222")
    
    while True:
        client_socket, addr = server.accept()
        logging.info(f"Connessione accettata da {addr}")
        handle_client(client_socket)

if __name__ == "__main__":
    main()

ssh_client.py

import kerberos
import socket
import logging
import subprocess

def authenticate_user():
    service = "host/localhost@LOCALHOST"
    rc, context = kerberos.authGSSClientInit(service)
    if rc != kerberos.AUTH_GSS_COMPLETE:
        raise Exception(f"Failed to initialize GSSAPI context: {rc}")

    try:
        rc = kerberos.authGSSClientStep(context, "")
        if rc != kerberos.AUTH_GSS_COMPLETE:
            raise Exception(f"Failed to complete GSSAPI step: {rc}")

        rc, user = kerberos.authGSSClientUserName(context)
        if rc != kerberos.AUTH_GSS_COMPLETE:
            raise Exception(f"Failed to retrieve user name: {rc}")
        
        return user
    finally:
        kerberos.authGSSClientClean(context)

def main():
    logging.basicConfig(level=logging.DEBUG, format='%(asctime)s - %(levelname)s - %(message)s')
    
    try:
        user = authenticate_user()
        logging.info(f"Authenticated as {user}")
        
        server_address = ('localhost', 2222)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect(server_address)
        logging.info(f"Connected to {server_address}")

        try:
            if user == "root":
                sock.sendall(b"Benvenuto root! Hai pieno accesso al sistema.n")
            elif user in ["samu", "angelo"]:
                sock.sendall(b"Benvenuto! Hai accesso limitato al sistema.n")
            else:
                sock.sendall(b"Autenticazione fallitan")
                logging.error("Authentication failed")
                sock.close()
                return

            while True:
                data = sock.recv(1024)
                if not data:
                    break
                print(data.decode('utf-8'), end='')

        finally:
            logging.info("Closing the connection")
            sock.close()

    except Exception as e:
        logging.error(f"Errore di autenticazione: {e}")
        print(f"Errore di autenticazione: {e}")

if __name__ == "__main__":
    main()

kdc.conf

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    LOCALHOST = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 24h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

krb5.conf

[libdefaults]
    default_realm = LOCALHOST
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1

[realms]
    LOCALHOST = {
        kdc = localhost
        admin_server = localhost
    }

[domain_realm]
    .localhost = LOCALHOST
    localhost = LOCALHOST

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

error:

python3 ssh_client.py          
2024-07-14 20:29:50,998 - DEBUG - Initializing GSSAPI context
2024-07-14 20:29:50,998 - DEBUG - Starting GSSAPI client step
2024-07-14 20:29:50,999 - DEBUG - GSSAPI client step result: 0
2024-07-14 20:29:50,999 - ERROR - Errore di autenticazione: Failed to complete GSSAPI step: 0
Errore di autenticazione: Failed to complete GSSAPI step: 0

please help me !! Thank you in advance !!

I wrote everything above, I hope I was clear with the description