Kerberos through a load balancer

Douglas E. Engert deengert at anl.gov
Fri May 30 16:42:02 EDT 2008



David Konerding wrote:
> Hi folks,
> 
> We have a bunch of hosts that allow password-free ssh logins using kerberos.
> These also run web servers, which use mod_auth_kerb.
> 
> We also have a BigIP load balancer that has a name; when people ssh or web
> access that name, they get round-robin distributed across the cluster.
> The LB supports Layer 3 and Layer 5 transparent proxying to the back end.
> 
> We have noticed that if people log into nodes with their real hostname,
> or web access a url using the real hostname of the server, everything
> works as expected.
> However, attempting to ssh into the load balancer address typically gives:
> 
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Miscellaneous failure
> Unknown code
> 
> debug1: Trying to start again
> 
ssh calls gss_acquire_cred with a service name derived from the host name.

You really want to load balance the ssh sessions?

> 
> And when users try to access the web server through the load balancer:
> 
> Authentication never succeeds and the following mod_auth_kerb error is logged:
>    failed to verify krb5 credentials: Server not found in Kerberos database
>

mod_auth_kerb uses the service principal name derived from ap_get_server_name
unless you set the KrbServiceName with a full principal like HTTP/fqdn@realm.

So, the best I can tell, for both ssh and mod_auth_kerb you are limited to one
service principal.
(I used to have a mode for the gssapi code to be less restrictive
about the checks, allowing a match for any entry in the keytab
that matched the service and realm.) Don't know if some newer versions
of Kerberos have added anything like this.

> 
> Logging into the machine through the ssh load balancer shows the IP
> address of the loadbalancer,
> not the IP address of the source ssh machine.
> 
> We did some attempts at putting server keys with the hostname of the
> load balancer into the
> srvtab on each of the servers, but never had any luck.

srvtab is an old term. Do you mean the /etc/krb5.keytab?
Or do you mean the mod_auth_kerb parameter Krb5Keytab <file>?

What version of SSH?
What version of Kerberos?
What OS? Some vendors might have a mod like I described above.
What do the mod_auth_kerb parameters look like?

> 
> Any ideas?  I did some low-level tcpdumping and tracing various parts
> of the Kerberos code, and came up with
> some bizarre results for why we are getting failures.

And what are the results?

> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
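As an added example (not from this thread or from the mod_auth_kerb project), the mod_auth_kerb configuration that names the load balancer's principal explicitly instead of letting it be derived from the backend's own server name, as the reply above describes; the hostnames lb.example.com and web1.example.com, the realm EXAMPLE.COM and the keytab path are assumptions.

```apache
# Example config, not from the thread. Assumed names: backend web1.example.com
# sits behind load balancer lb.example.com, Kerberos realm EXAMPLE.COM.
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Without KrbServiceName, mod_auth_kerb takes the principal from
    # ap_get_server_name, i.e. HTTP/web1.example.com@EXAMPLE.COM on this
    # backend. Clients that reached the service via the LB name hold a ticket
    # for HTTP/lb.example.com@EXAMPLE.COM, so verification fails with
    # "Server not found in Kerberos database" or a key mismatch.
    KrbServiceName HTTP/lb.example.com@EXAMPLE.COM
    # Every backend must carry the same HTTP/lb.example.com key (same kvno)
    # in the keytab named here; re-export it to all nodes whenever it changes.
    Krb5Keytab /etc/httpd/http-lb.keytab
    KrbAuthRealms EXAMPLE.COM
    KrbMethodNegotiate On
    # Disable the basic-auth password fallback so credentials are never
    # sent in the clear through the load balancer.
    KrbMethodK5Passwd Off
    Require valid-user
</Location>
```

Check each backend with `klist -k /etc/httpd/http-lb.keytab` and confirm the HTTP/lb.example.com entry and its kvno are identical on every node; a backend with a stale kvno will keep failing for the fraction of sessions the LB sends to it.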