kerberos, hpux 11.11, ssh
Christopher D. Clausen
cclausen at acm.org
Wed May 9 15:11:31 EDT 2007
Wilson, Michael <michael.wilson at diebold.com> wrote:
> ***KLIST -kte***
> [abc]:/var/adm/syslog # klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- ----------------- --------------------------------------------------------
> 6 05/08/07 16:12:33 host/abc at KDC.DIEBOLD.COM (DES cbc mode with RSA-MD5)
>
> ***HOSTS FILE***
> [abc]:/etc $ cat hosts
> #
> 10.9.1.1 abc
> 127.0.0.1 localhost loopback
Well, I suspect that should be using a FQDN and not just "host/abc". Does
kinit -kt /etc/krb5.keytab host/abc
actually work?
(you should not get any messages, and klist should show tickets for the
host/abc principal.)
> ***KRB5.CONF***
> [abc]:/etc # cat krb5.conf
> [logging]
> default = FILE:/var/adm/krb5lib.log
> kdc = FILE:/var/adm/krb5kdc.log
> admin_server = FILE:/var/adm/kKDCmind.log
>
> [libdefaults]
> ticket_liftetime = 24000
> default_realm = KDC.DIEBOLD.COM
Your Windows AD domain is called KDC.DIEBOLD.COM ? That doesn't sound
right.
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
> default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5
Delete the above two lines. Hardcoding enctypes is a bad idea and will
cause you much pain in the future.
> The keytab was added earlier and is now in place.
> After I read your email I reviewed a few things and here is where we
> are now:
>
> We can telnet into 'abc' and we get authenticated via active
> directory. When we use ssh to try this we get rejected.
Authenticated using Kerberos tickets? OR via typing in a password?
What EXACT error message do you get from SSH? And is the error message
actually from SSH itself? Or from whatever PAM type stuff that hpux
uses?
> We have tried to find results for this on the internet, but have had
> no viable luck.
Try the following:
kdestroy
kinit -f -5 -p <user>@<REALM>
klist -ef
ssh -vvv -o "GSSAPIAuthentication yes" <machine>
(Ctrl-C it if you get a password prompt or if it doesn't work.)
klist -ef
(yes, again, and look for a host/* ticket)
And what does your sshd_config file look like?
<<CDC
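As an added example (not code from Michael's or Christopher's posts), the following POSIX shell script turns the checks discussed in this reply into offline tests: it scans `klist -kte` output for a host/ principal whose hostname is not fully qualified and for DES keys, scans a krb5.conf fragment for pinned default_tkt_enctypes/default_tgs_enctypes lines, and scans `klist -ef` output for the host/<machine> service ticket that a working GSSAPI ssh leaves in the credential cache. All sample outputs, the hostnames and the realm EXAMPLE.COM are constructed assumptions; nothing here contacts a KDC.

```shell
# Added example, not from the thread: offline versions of the checks
# suggested in the reply, run against constructed sample outputs.
# Hostnames and the realm EXAMPLE.COM are assumptions.

# Constructed `klist -kte` output with the short-name principal the
# reply suspects is the problem.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 05/08/07 16:12:33 host/abc@EXAMPLE.COM (DES cbc mode with RSA-MD5)'

# Constructed `klist -kte` output for a keytab re-created with a FQDN
# principal and a non-DES key (what a fixed host would look like).
SAMPLE_KEYTAB_FIXED='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 05/09/07 11:00:00 host/abc.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Constructed [libdefaults] carrying the two lines the reply says to delete.
SAMPLE_KRB5CONF='[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5'

# Constructed `klist -ef` output after a successful GSSAPI ssh: the TGT
# plus the host/ service ticket for the target machine.
SAMPLE_CCACHE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mwilson@EXAMPLE.COM

Valid starting     Expires            Service principal
05/09/07 10:00:00  05/09/07 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
05/09/07 10:00:05  05/09/07 20:00:00  host/abc.example.com@EXAMPLE.COM
        Flags: FA, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC'

# Check 1: every host/ principal in the keytab must carry a dotted (fully
# qualified) hostname. $1 is klist -kte output. Prints offenders and
# returns 0 only when there are none.
keytab_principals_fqdn() {
    short=$(printf '%s\n' "$1" | awk '$4 ~ /^host\// {
        split($4, p, "[/@]"); if (p[2] !~ /\./) print $4 }')
    [ -n "$short" ] && printf 'short hostname in keytab: %s\n' "$short"
    [ -z "$short" ]
}

# Check 2: DES keys in the keytab. Returns 0 if any key line mentions DES.
keytab_has_des() {
    printf '%s\n' "$1" | grep -qi 'des cbc'
}

# Check 3: enctypes pinned in krb5.conf. Returns 0 if any pinning line
# exists (permitted_enctypes is included as a related setting).
krb5conf_pins_enctypes() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*='
}

# Check 4: after `ssh -vvv -o "GSSAPIAuthentication yes" <machine>` the
# credential cache should hold a host/<machine> service ticket.
# $1 is klist -ef output, $2 the machine's FQDN. Returns 0 if present.
ccache_has_host_ticket() {
    printf '%s\n' "$1" | grep -qF "host/$2@"
}

# Run the checks against the constructed samples.
if keytab_principals_fqdn "$SAMPLE_KEYTAB"; then
    echo "keytab principals are fully qualified"
else
    echo "keytab principal is not fully qualified"
fi
keytab_has_des "$SAMPLE_KEYTAB" && echo "keytab contains DES keys"
krb5conf_pins_enctypes "$SAMPLE_KRB5CONF" && echo "krb5.conf pins enctypes"
if ccache_has_host_ticket "$SAMPLE_CCACHE" abc.example.com; then
    echo "host/abc.example.com ticket obtained: GSSAPI ssh reached the service"
else
    echo "no host/ ticket: GSSAPI ssh never got a service ticket"
fi
```

To use it on a real host, replace the SAMPLE_* strings with the output of `klist -kte`, the [libdefaults] section of /etc/krb5.conf, and `klist -ef` taken right after the ssh attempt; the fourth check is the "look for a host/* ticket" step from the reply made mechanical.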