Kerberos and SSH ?

Ronni Feldt rofe at one.com
Mon Oct 27 04:47:11 EDT 2008


I'm about to make some central authentication for our linux servers. I
have followed these guides and some of it works, except ssh to the
server.

Guides:
http://www.visolve.com:81/security/ssh_kerberos.php
http://www.alittletooquiet.net/text/kerberos-on-ubuntu/

My test-environment is 3 computers (pc1, pc2 and pc3):

PC2 (Debian Etch)
Installed kerberos and configured realms in /etc/krb5.conf:

[libdefaults]
        default_realm = ONE.COM

[realms]
        ONE.COM = {
                kdc = kerberos.one.com
                admin_server = kerberos.one.com
        }

Created principals:
host/rofe	(the pc which I want to login to via ssh, PC1)
ronni		(me)

Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab.

PC1 (Ubuntu 8.04):
I have installed kerberos and openssh and configured realms
in /etc/krb5.conf

[libdefaults]
        default_realm = ONE.COM

[realms]
        ONE.COM = {
                kdc = kerberos.one.com
                admin_server = kerberos.one.com
        }


Edited permissions for /etc/krb5.keytab to:
chmod 600 /etc/krb5.keytab
chown root:root /etc/krb5.keytab

Configured and restarted ssh; /etc/ssh/sshd_config:
# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

Edited firewall-rules and /etc/hosts for communication.

-----
From PC1 I can do a:
kinit ronni
And verify that I get a ticket with klist.

But it fails when I try to ssh from PC3 to PC1.
On PC2 I have tried to make a:
tcpdump -i eth0 'udp port 88'

And get this:
08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos:  v5
08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976: 
08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos:  v5
08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652: 

So they can communicate, but the authentication fails:
The /var/log/auth.log :
PC1 (where I want to login)
Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from 192.168.212.254
Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni from 192.168.212.254 port 47098 ssh2
Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user unknown
Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3
Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni from 192.168.212.254 port 47098 ssh2

PC2 (the kerberos server)
Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER at ONE.COM for krbtgt/ONE.COM at ONE.COM, Client not found in Kerberos database


I know my user (ronni) is in the Kerberos database, but still I get
CLIENT_NOT_FOUND, so I may have missed something somewhere.
What I want to achieve is a central user database (Kerberos), and be
able to login on all servers without the need for creating every single
user on every server.


Help :-)

- Ronni
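The two logs quoted above, read together, already contain the diagnosis, and a small correlation script makes the pattern easy to spot on other hosts. This is an added example, not code from the post or from the Kerberos or OpenSSH projects; the sample log lines are constructed from the ones quoted in the mail, with the archive's " at " spelling of "@" in principal names accepted alongside the real form. The point it relies on: sshd looks the login name up in the local account database (getpwnam) before PAM or GSSAPI run, and when that lookup fails it marks the session "Invalid user" and carries on with the placeholder account name NOUSER, which is exactly the client principal the KDC then reports as not found. Kerberos authenticates principals but does not supply account information, so a host still needs the user in /etc/passwd or an NSS source such as LDAP before a Kerberos login can succeed.

```python
"""Correlate sshd and krb5kdc log lines for a failed Kerberos SSH login.

Added example; the two log snippets below are constructed from the lines
quoted in the mailing-list post (hostnames, realm and addresses are those
from the post).
"""
import re

AUTH_LOG = """\
Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from 192.168.212.254
Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni from 192.168.212.254 port 47098 ssh2
Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user unknown
Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni from 192.168.212.254 port 47098 ssh2
"""

KDC_LOG = """\
Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER at ONE.COM for krbtgt/ONE.COM at ONE.COM, Client not found in Kerberos database
"""

# sshd writes this when getpwnam() finds no local account for the login name.
INVALID_USER = re.compile(r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")

# krb5kdc AS_REQ line; principals may appear as 'name@REALM' or, in the
# mailing-list archive's rewritten form, as 'name at REALM'.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]: AS_REQ .*? (?P<ip>\d+\.\d+\.\d+\.\d+): (?P<code>[A-Z_]+): "
    r"(?P<client>\S+(?: at |@)\S+) for (?P<server>\S+(?: at |@)\S+)"
)


def normalize_principal(p: str) -> str:
    """Return the 'name@REALM' form, dropping a trailing comma from the log."""
    return p.rstrip(",").replace(" at ", "@")


def parse_invalid_users(auth_log: str) -> list:
    """Extract every 'Invalid user' event sshd logged."""
    out = []
    for line in auth_log.splitlines():
        m = INVALID_USER.search(line)
        if m:
            out.append({"pid": int(m["pid"]), "user": m["user"], "from": m["ip"]})
    return out


def parse_as_reqs(kdc_log: str) -> list:
    """Extract AS_REQ events (initial ticket requests) from the KDC log."""
    out = []
    for line in kdc_log.splitlines():
        m = AS_REQ.search(line)
        if m:
            out.append({"from": m["ip"], "code": m["code"],
                        "client": normalize_principal(m["client"]),
                        "server": normalize_principal(m["server"])})
    return out


def diagnose(auth_log: str, kdc_log: str, realm: str) -> list:
    """Explain a failed login from the sshd and KDC logs taken together."""
    findings = []
    for inv in parse_invalid_users(auth_log):
        # No local account: sshd substitutes the placeholder NOUSER before
        # PAM runs, so the real principal is never presented to the KDC.
        findings.append(
            f"sshd[{inv['pid']}]: no local account '{inv['user']}' on this host; "
            f"{inv['user']}@{realm} was never requested from the KDC"
        )
    for r in parse_as_reqs(kdc_log):
        if r["client"].startswith("NOUSER@"):
            findings.append(
                f"KDC: AS_REQ from {r['from']} named client {r['client']}, "
                "sshd's placeholder for an unknown local account"
            )
        elif r["code"] == "CLIENT_NOT_FOUND":
            findings.append(f"KDC: principal {r['client']} does not exist in the realm")
    return findings


if __name__ == "__main__":
    for f in diagnose(AUTH_LOG, KDC_LOG, "ONE.COM"):
        print(f)
```

Run it against the constructed samples and both findings point the same way: the host rejected the name before Kerberos was consulted, and the only principal the KDC saw was NOUSER@ONE.COM. Seeing "Invalid user" for an account that does exist in the realm is therefore a sign to check `getent passwd <user>` on the SSH server, not the KDC database.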
