kerberos, hpux 11.11, ssh

Wilson, Michael michael.wilson at diebold.com
Wed May 9 10:53:09 EDT 2007 

CDC,


***KLIST -kte***
[abc]:/var/adm/syslog # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- -----------------
--------------------------------------------------------
   6 05/08/07 16:12:33 host/abc at KDC.DIEBOLD.COM (DES cbc mode with
RSA-MD5)

***HOSTS FILE***
[abc]:/etc $ cat hosts
#
10.9.1.1        abc
127.0.0.1       localhost       loopback

***KRB5.CONF***
[abc]:/etc # cat krb5.conf
[logging]
 default = FILE:/var/adm/krb5lib.log
 kdc = FILE:/var/adm/krb5kdc.log
 admin_server = FILE:/var/adm/kKDCmind.log

[libdefaults]
 ticket_liftetime = 24000
 default_realm = KDC.DIEBOLD.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
 default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5
 ccache_type = 2

[realms]
 KDC.DIEBOLD.COM = {
  kdc = servera.kdc.diebold.com
  kdc = serverb.kdc.diebold.com
  kdc = serverc.kdc.diebold.com
  kdc = serverd.kdc.diebold.com
  KDCmin_server = servera.kdc.diebold.com
  kpasswd_server = servera.kdc.diebold.com
}

[domain_realm]
 .diebold.com = kdc.diebold.com
 diebold.com = kdc.diebold.com

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 } 


The keytab was added earlier and is now in place.
After I read your email I reviewed a few things and here is where we are
now:

We can telnet into 'abc' and we get authenticated via active directory.
When we use ssh to try this we get rejected.
We have tried to find results for this on the internet, but have had
No viable luck.

Any other suggesstions?

-Mike


-----Original Message-----
From: Christopher D. Clausen [mailto:cclausen at acm.org] 
Sent: Tuesday, May 08, 2007 6:28 PM
To: Wilson, Michael
Cc: kerberos at mit.edu
Subject: Re: kerberos, hpux 11.11, ssh

Wilson, Michael <michael.wilson at diebold.com> wrote:
> Hello,
>
> We are running into problems with the installation of Kerberos V5 on 
> and hpux 11.11 machine.
>
> When we try to login using Active Directory Authentication we get the 
> following in our debug.log file:
>
> May  8 09:59:21 PAM: load_function: successful load of 
> pam_sm_authenticate May  8 09:59:21 PAM: pam_set_item(8) May  8 
> 09:59:21 PAM: load_modules: /usr/lib/security/libpam_unix.1 May  8 
> 09:59:41 PAM: pam_set_item(6) May  8 09:59:41 PAM: [Cannot find KDC 
> for requested realm] Unable to verify Kerberos V5 TGT: 
> [abc.diebold.com] May  8 09:59:41 PAM: Kerberos V5 TGT bad: Cannot 
> find KDC for requested realm

Appears that you do not have host keytabs setup.  (Or have them setup
incorrectly.)  You need to use ktpass.exe on Windows to generate host
keytabs for your machines and copy the generated keytabs to the correct
location on the hpux systems.  I'm not sure where that is on HPUX, but
its usually /etc/krb5.keytab (Linux) or /etc/krb5/krb5.keytab (Solaris.)

You also must have a properly configured hostname and /etc/hosts file
for this system, and proper DNS, etc.

What does klist -kte (as root) list?

> May  8 09:59:21 PAM: load_function: successful load of 
> pam_sm_authenticate May  8 09:59:41 PAM: while verifying tgt[Unknown 
> code ____ 255]
>
> We can login using KDC/AD credentials by using kinit.  The ticket gets

> created and is placed in the /tmp directory We verify that there was a

> ticket made and when it will expire by using the klist.  It works as 
> well along with kdestroy.

Kinit doesn't use the host keytab to verify the KDC.  It uses the fact
that the user knows their password.  In order for the hpux machine to
verify that it is communicating with the correct KDC it needs its own
password, in the form of a host keytab.

Do you need to specify the realm name when you kinit?

What does your krb5.conf file look like and what AD realm do you need to
use?

> When we type login from the command prompt to try logging back into 
> the same localhost or another hpux machine we get the same error as 
> mentioned above.
>
> We have Linux machines running RHEL 4 and Kerberos that work just 
> fine.

Is highly likely that your Linux machines are not as secure as they
could be as they probably are NOT verifiying that the KDC they
communicate with is not being spoofed.  You really should have a host
keytab on your Linux machines as well, but for some reason a large
number of Linux vedors default to allowing authentication without the
host keytab.  It seems that real UNIX vendors (Sun for Solaris, IBM for
AIX, etc.) require the host keytab by default and require a
configuration change to ignore the missing keytyab problem.

<<CDC

More information about the Kerberos mailing list