openssh single-sign-on problem
Klavs Klavsen
kl at vsen.dk
Thu Apr 28 04:19:36 EDT 2005
Hi guys,
I'm working on setting up an MIT Kerberos environment for our Unix hosts.
I have a KDC and I can properly configure /etc/pam.d/sshd and
/etc/krb5.conf so I can do a kinit on the KDC and on another host - and
also ssh in with a user that only exists in LDAP (with his password in
the KDC).
Now I want to try to enable single-sign-on using openssh. When trying it
from KDC host to itself, it works fine (after I created a
host/auth01.example.dk principal - which for some reason got a kvno of 2
- don't know if this matters).
I then add my client (another FreeBSD 5.3 server) as a principal and
copy the relevant entry in the /etc/krb5.keytab to the client.
When I try to ssh login to my auth01 server (the KDC) I get this in the
krb5kdc.log:
Apr 26 15:00:30 auth01.example.dk krb5kdc[34324](info): TGS_REQ (6
etypes {16 5 23 3 2 1}) x.x.x.x: UNKNOWN_SERVER: authtime 1114520337,
ktk at EXAMPLE.DK for krbtgt/PROD.DK.EXAMPLE.NET at EXAMPLE.DK, Server not
found in Kerberos database
But I can't figure out where it gets the PROD.DK.EXAMPLE.NET part from -
it should have read vmwarefbsd5.example.dk - as that's what the forward
and reverse DNS info points to.
I have confirmed that I've got a forwardable ticket on the client
server, before trying to ssh to auth01.
Any hints as to where I can dig, to figure this one out would be very
much appreciated.
Best regards,
Klavs Klavsen
Denmark
--
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
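The poster's krb5.conf is not shown, so the cause cannot be pinned down from the message alone. What can be shown is the mechanism that decides which realm the client puts on the host/... service principal it asks the KDC for: the client maps the target hostname to a realm (exact hostname first, then each parent domain with a leading dot, then default_realm), and a mapping that sends the host to a foreign realm makes the client request a cross-realm krbtgt for that realm first. The script below is an added example, not the poster's configuration or MIT's own code: it emulates that lookup with a small awk parser over a constructed krb5.conf (the .prod.dk.example.net entry is invented to illustrate a misdirected mapping) and ignores DNS-based realm lookup and KDC referrals.

```shell
#!/bin/sh
# Added example: emulate the client-side [domain_realm] lookup that decides
# which realm ends up in the host/<fqdn>@<REALM> principal ssh asks for.
# The config below is constructed for this example; it is not the poster's.

KRB5_CONF_EXAMPLE="${TMPDIR:-/tmp}/krb5.conf.example.$$"
cat > "$KRB5_CONF_EXAMPLE" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.DK
    dns_lookup_realm = false

[domain_realm]
    .example.dk = EXAMPLE.DK
    example.dk = EXAMPLE.DK
    .prod.dk.example.net = PROD.DK.EXAMPLE.NET
EOF

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION], if any.
# Entries are expected as "key = value" with whitespace around the "=".
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec            { insec = 1; next }
        /^\[/                { insec = 0 }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# realm_for_host FILE HOST: simplified model of the documented rule.
# 1) exact (lower-cased) hostname, 2) each parent domain with a leading dot,
# 3) fall back to default_realm. No DNS lookup, no referrals.
realm_for_host() {
    rfh_conf=$1
    rfh_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    rfh_realm=$(conf_get "$rfh_conf" domain_realm "$rfh_host")
    if [ -n "$rfh_realm" ]; then
        printf '%s\n' "$rfh_realm"
        return 0
    fi
    rfh_dom=$rfh_host
    while [ "${rfh_dom#*.}" != "$rfh_dom" ]; do
        rfh_dom=${rfh_dom#*.}
        rfh_realm=$(conf_get "$rfh_conf" domain_realm ".$rfh_dom")
        if [ -n "$rfh_realm" ]; then
            printf '%s\n' "$rfh_realm"
            return 0
        fi
    done
    conf_get "$rfh_conf" libdefaults default_realm
}

# service_principal FILE HOST: the principal a GSSAPI ssh client would request.
service_principal() {
    printf 'host/%s@%s\n' "$2" "$(realm_for_host "$1" "$2")"
}

# Usage: show which realm two hostnames map to under the constructed config.
service_principal "$KRB5_CONF_EXAMPLE" vmwarefbsd5.example.dk
service_principal "$KRB5_CONF_EXAMPLE" box.prod.dk.example.net
```

On a real client the same question is answered by the tools rather than a model: `ssh -v` prints the GSSAPI negotiation, `kvno host/<fqdn>` shows which principal and realm the client actually requests (and the kvno the KDC holds, which should match the entry `klist -k` shows in the client's keytab), and the [domain_realm] and default_realm entries in the client's /etc/krb5.conf are where a mapping to an unexpected realm would come from.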