remote login is not permitted
sam
samwun at hgcbroadband.com
Fri Jun 4 01:42:28 EDT 2004
Hi,
I'm using Heimdal Kerberos 5. After setting up and configuring the KDC by
following the instructions on
http://netbsd.binarycompass.org/Documentation/network/
telnet -ax and ssh to the KDC server are working, as shown below:
root@fbsd [1:33pm] [/var/heimdal]# telnet -ax fbsd.rock.com
Trying 192.168.1.1...
Connected to fbsd.rock.com.
Escape character is '^]'.
[ Trying mutual KERBEROS5 (host/fbsd.rock.com@ROCK.COM)... ]
[ Kerberos V5 accepts you as ``root@ROCK.COM'' ]
Now I'm getting an error when I try to log in to a remote host. The error
from ssh is as below (as displayed on its console):
Failed password for sam from 192.168.1.1 (192.168.1.1 is the KDC server).
/etc/krb4kdc.log shows:
2004-06-04T13:24:53 AS-REQ sam@ROCK.COM from IPv4:192.168.1.254 for
krbtgt/ROCK.COM@ROCK.COM
2004-06-04T13:24:53 Using des3-cbc-sha1/des3-cbc-sha1
2004-06-04T13:24:53 sending 584 bytes to IPv4:192.168.1.254
2004-06-04T13:24:53 TGS-REQ sam@ROCK.COM from IPv4:192.168.1.254 for
host/sec.rock.com@ROCK.COM
2004-06-04T13:24:53 sending 589 bytes to IPv4:192.168.1.254
There is no error message here; it only indicates that the KDC sent a ticket
to the remote host (192.168.1.254).
I have added principals for 192.168.1.254 (sec.rock.com):
root@fbsd [1:33pm] [/var/heimdal]# !k
ktutil list
FILE:/etc/krb5.keytab:
Vno  Type           Principal
  1  des-cbc-crc    host/fbsd.rock.com@ROCK.COM
  1  des-cbc-md4    host/fbsd.rock.com@ROCK.COM
  1  des-cbc-md5    host/fbsd.rock.com@ROCK.COM
  1  des3-cbc-sha1  host/fbsd.rock.com@ROCK.COM
  1  des-cbc-crc    host/sec.rock.com@ROCK.COM
  1  des-cbc-md4    host/sec.rock.com@ROCK.COM
  1  des-cbc-md5    host/sec.rock.com@ROCK.COM
  1  des3-cbc-sha1  host/sec.rock.com@ROCK.COM
  1  des-cbc-crc    host/kerberos.rock.com@ROCK.COM
  1  des-cbc-md4    host/kerberos.rock.com@ROCK.COM
  1  des-cbc-md5    host/kerberos.rock.com@ROCK.COM
  1  des3-cbc-sha1  host/kerberos.rock.com@ROCK.COM
  1  des-cbc-crc    host/redhat.rock.com@ROCK.COM
  1  des-cbc-md4    host/redhat.rock.com@ROCK.COM
  1  des-cbc-md5    host/redhat.rock.com@ROCK.COM
  1  des3-cbc-sha1  host/redhat.rock.com@ROCK.COM
  1  des-cbc-crc    root/fbsd.rock.com@ROCK.COM
  1  des-cbc-md4    root/fbsd.rock.com@ROCK.COM
  1  des-cbc-md5    root/fbsd.rock.com@ROCK.COM
  1  des3-cbc-sha1  root/fbsd.rock.com@ROCK.COM
  1  des-cbc-crc    host/kerberos.rock.com@ROCK.COM
  1  des-cbc-md4    host/kerberos.rock.com@ROCK.COM
  1  des-cbc-md5    host/kerberos.rock.com@ROCK.COM
  1  des3-cbc-sha1  host/kerberos.rock.com@ROCK.COM
  1  des-cbc-crc    root/kerberos.rock.com@ROCK.COM
  1  des-cbc-md4    root/kerberos.rock.com@ROCK.COM
  1  des-cbc-md5    root/kerberos.rock.com@ROCK.COM
  1  des3-cbc-sha1  root/kerberos.rock.com@ROCK.COM
  1  des-cbc-crc    root/sec.rock.com@ROCK.COM
  1  des-cbc-md4    root/sec.rock.com@ROCK.COM
  1  des-cbc-md5    root/sec.rock.com@ROCK.COM
  1  des3-cbc-sha1  root/sec.rock.com@ROCK.COM
  1  des-cbc-crc    host/sec.rock.com@ROCK.COM
  1  des-cbc-md4    host/sec.rock.com@ROCK.COM
  1  des-cbc-md5    host/sec.rock.com@ROCK.COM
  1  des3-cbc-sha1  host/sec.rock.com@ROCK.COM
  1  des-cbc-crc    host/sec.rock.com@ROCK.COM
  1  des-cbc-md4    host/sec.rock.com@ROCK.COM
  1  des-cbc-md5    host/sec.rock.com@ROCK.COM
  1  des3-cbc-sha1  host/sec.rock.com@ROCK.COM
  1  des-cbc-crc    host/sec.rock.com@ROCK.COM
  1  des-cbc-md4    host/sec.rock.com@ROCK.COM
  1  des-cbc-md5    host/sec.rock.com@ROCK.COM
  1  des3-cbc-sha1  host/sec.rock.com@ROCK.COM
krb4:/etc/srvtab:
Vno  Type           Principal
  1  des-cbc-md5    host/kerberos.rock.com@ROCK.COM
  1  des-cbc-md4    host/kerberos.rock.com@ROCK.COM
  1  des-cbc-crc    host/kerberos.rock.com@ROCK.COM
  1  des-cbc-md5    root/kerberos.rock.com@ROCK.COM
  1  des-cbc-md4    root/kerberos.rock.com@ROCK.COM
  1  des-cbc-crc    root/kerberos.rock.com@ROCK.COM
root@fbsd [1:33pm] [/var/heimdal]#
One thing I don't understand is that there are multiple entries that are all
the same, for example the entries for host/sec.rock.com. And I don't know why
I got the /etc/srvtab entries as well. Can I safely remove the file /etc/srvtab?
So what might be wrong that causes the login to a remote client to fail when
using Kerberos 5?
Thanks
sam
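The first things to check on the target host for a failure like the one above are whether its keytab actually holds a host/<fqdn>@REALM key, which enctypes it holds for that principal, whether the repeated rows in the listing are verbatim duplicates, and whether the same principal appears with different key version numbers in different keytabs. The script below is an added example and not code from the original post or from Heimdal; it parses the three-column `ktutil list` format shown in the post and runs those checks. The embedded listing is a constructed, trimmed copy of the one in the post with the archive's " at " turned back into "@"; the keytab names, helper names and the stale-keytab example in the usage are assumptions for illustration.

```python
"""Sanity checks on Heimdal `ktutil list` output (added example, not
code from the post or from Heimdal).

Assumes the three-column "Vno Type Principal" table Heimdal's ktutil
prints, one "FILE:..." or "krb4:..." header per keytab, and the usual
Kerberos service-ticket flow: the host's sshd/telnetd must hold a
host/<fqdn>@REALM key whose version matches what the KDC used.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a trimmed version of the listing in the post, with
# the list archive's " at " turned back into "@".
SAMPLE = """\
FILE:/etc/krb5.keytab:
Vno Type Principal
1 des-cbc-crc host/fbsd.rock.com@ROCK.COM
1 des3-cbc-sha1 host/fbsd.rock.com@ROCK.COM
1 des-cbc-crc host/sec.rock.com@ROCK.COM
1 des3-cbc-sha1 host/sec.rock.com@ROCK.COM
1 des-cbc-crc host/sec.rock.com@ROCK.COM
1 des3-cbc-sha1 host/sec.rock.com@ROCK.COM
1 des-cbc-crc root/sec.rock.com@ROCK.COM
krb4:/etc/srvtab:
Vno Type Principal
1 des-cbc-md5 host/kerberos.rock.com@ROCK.COM
1 des-cbc-crc root/kerberos.rock.com@ROCK.COM
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$")
KEYTAB_PREFIXES = ("FILE:", "WRFILE:", "krb4:")


def parse_ktutil(text):
    """Return {keytab: [(vno, enctype, principal), ...]} in listing order."""
    tables = defaultdict(list)
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(KEYTAB_PREFIXES):
            current = stripped.rstrip(":")   # "FILE:/etc/krb5.keytab:" -> "FILE:/etc/krb5.keytab"
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            tables[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return dict(tables)


def host_principal_present(tables, keytab, fqdn, realm):
    """Does `keytab` hold any key for host/<fqdn>@REALM? Without it the
    service cannot decrypt the ticket the KDC issued for that name."""
    want = f"host/{fqdn}@{realm}"
    return any(princ == want for _, _, princ in tables.get(keytab, []))


def enctypes_for(tables, keytab, principal):
    """Sorted enctypes stored for `principal` in `keytab`."""
    return sorted({enc for _, enc, p in tables.get(keytab, []) if p == principal})


def duplicate_entries(tables):
    """Rows repeated verbatim inside one keytab (same vno, enctype and
    principal). Usually the result of extracting the same key more than
    once; the listing shows no key material, so it cannot tell whether the
    copies really hold the same key."""
    dups = {}
    for keytab, rows in tables.items():
        repeated = {row: n for row, n in Counter(rows).items() if n > 1}
        if repeated:
            dups[keytab] = repeated
    return dups


def vno_mismatches(tables):
    """Principals whose key version differs between keytabs. A service
    reading the stale copy fails to decrypt tickets cut with the newer key."""
    seen = defaultdict(set)
    for rows in tables.values():
        for vno, _, princ in rows:
            seen[princ].add(vno)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    t = parse_ktutil(SAMPLE)
    print("host/sec.rock.com key present:",
          host_principal_present(t, "FILE:/etc/krb5.keytab", "sec.rock.com", "ROCK.COM"))
    print("enctypes:", enctypes_for(t, "FILE:/etc/krb5.keytab", "host/sec.rock.com@ROCK.COM"))
    print("duplicates:", duplicate_entries(t))
    print("vno mismatches:", vno_mismatches(t))
```

Feed it the real output of `ktutil list` on the host that rejects the login, not on the KDC: the keytab that matters is the one the remote sshd reads. A clean result only rules out the keytab; it says nothing about whether that sshd was built with Kerberos support or configured to use it, which a "Failed password" message alone does not reveal.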