kerberos-ssh-problems... (loooooooooooooong)
Zelko Slamaj
zelko at fet.at
Mon Aug 5 16:46:05 EDT 2002
Hi!
I'm trying desperately with a colleague to get kerberos authentication to
run. But at the moment we're the only ones to run (away). :-)) And we've
been searching in the net/groups for ... well, a few days.
On the server (Debian woody 3.0-box) we set up kerberos5 with:
ii krb5-admin-ser 1.2.4-5 Mit Kerberos master server (kadmind)
ii krb5-config 1.4 Configuration files for Kerberos Version 5
ii krb5-kdc 1.2.4-5 Mit Kerberos key server (KDC)
ii krb5-user 1.2.4-5 Basic programs to authenticate using MIT Ker
ii libkrb5-dev 1.2.4-5 Headers and development libraries for MIT Ke
ii libkrb53 1.2.4-5 MIT Kerberos runtime libraries
ii libpam-krb5 1.0-7 PAM module for MIT Kerberos
ii openafs-krb5 1.3-8 The AFS distributed filesystem- Kerberos 5 I
ii ssh-krb5 3.4p1-0woody1 Secure rlogin/rsh/rcp replacement (OpenSSH w
Our Realm is HTU.TUWIEN.AC.AT, we added users (principals?) like this:
K/M@HTU.TUWIEN.AC.AT
admin/admin@HTU.TUWIEN.AC.AT
afs@HTU.TUWIEN.AC.AT
host/klein.htu.tuwien.ac.at@HTU.TUWIEN.AC.AT
host/sputnik.htu.tuwien.ac.at@HTU.TUWIEN.AC.AT
kadmin/admin@HTU.TUWIEN.AC.AT
kadmin/changepw@HTU.TUWIEN.AC.AT
kadmin/history@HTU.TUWIEN.AC.AT
krbtgt/HTU.TUWIEN.AC.AT@HTU.TUWIEN.AC.AT
nussi@HTU.TUWIEN.AC.AT
root/admin@HTU.TUWIEN.AC.AT
ssh/sputnik.htu.tuwien.ac.at@HTU.TUWIEN.AC.AT
zelko@HTU.TUWIEN.AC.AT
On the other box we installed krb5-user and ssh-krb5 (OpenSSH with kerberos
support). I can get tickets from the server with kinit and I can view them.
But I can't authenticate to the server with ssh. We turned off
password-authentication and turned on Kerberos-authentication in the
sshd-config on the server with:
---cut---
# To change Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
##AFSTokenPassing yes
KerberosTicketCleanup yes
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
---cut---
And when we try to connect it just tries the various methods
(external-keyx), but sends no packet. At least this is what I understand
from the lines, when I try "ssh -K -vvv user@host". It just says:
---cut---
4250: debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
4250: debug2: we did not send a packet, disable method
4250: debug3: authmethod_lookup publickey
---cut---
We tried also just normal ssh, with/without initial tickets (got by
kinit),... oh, and yes, of course: kadmin, kdc and krb524kdc are up and
running. krb5kdc with -4nopreauth and krb524d with -m.
Soooooooooooooo, after all these log messages (sorry, we're really quite
desperate, otherwise the mail would be shorter), the big question:
what are we missing/not understanding/obviously doing wrong?
And is there a way to set up those other boxes to authenticate always on
the kerberos server? When I'm at the login/xdm/remote login-prompt?
Sorry for this long mail. Any help appreciated.
regards
zelko&nussi