Kerberos and SSH ?
Ronni Feldt
rofe at one.com
Mon Oct 27 04:47:11 EDT 2008
I'm about to make some central authentication for our Linux servers. I
have followed these guides and some of it works, except ssh to the
server.
Guides:
http://www.visolve.com:81/security/ssh_kerberos.php
http://www.alittletooquiet.net/text/kerberos-on-ubuntu/
My test-environment is 3 computers (pc1, pc2 and pc3):
PC2 (Debian Etch)
Installed kerberos and configured realms in /etc/krb5.conf:
[libdefaults]
default_realm = ONE.COM
[realms]
ONE.COM = {
kdc = kerberos.one.com
admin_server = kerberos.one.com
}
Created principals:
host/rofe (the pc which I want to login to via ssh, PC1)
ronni (me)
Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab.
PC1 (Ubuntu 8.04):
I have installed kerberos and openssh and configured realms
in /etc/krb5.conf
[libdefaults]
default_realm = ONE.COM
[realms]
ONE.COM = {
kdc = kerberos.one.com
admin_server = kerberos.one.com
}
Edited permissions for /etc/krb5.keytab to:
chmod 600 /etc/krb5.keytab
chown root:root /etc/krb5.keytab
Configured and restarted ssh; /etc/ssh/sshd_config:
# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
Edited firewall-rules and /etc/hosts for communication.
-----
From PC1 I can do a:
kinit ronni
And verify that I get a ticket with klist.
But it fails when I try to ssh from PC3 to PC1.
On PC2 I have tried to make a:
tcpdump -i eth0 'udp port 88'
And get this:
08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos: v5
08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976:
08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos: v5
08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652:
So they can communicate, but the authentication fails:
The /var/log/auth.log:
PC1 (where I want to login)
Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from 192.168.212.254
Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni from 192.168.212.254 port 47098 ssh2
Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user unknown
Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3
Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni from 192.168.212.254 port 47098 ssh2
PC2 (the kerberos server)
Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER@ONE.COM for krbtgt/ONE.COM@ONE.COM, Client not found in Kerberos database
I know my user (ronni) is in the Kerberos database, but still I get
CLIENT_NOT_FOUND, so I may have missed something somewhere.
What I want to achieve is a central user database (Kerberos), and be
able to login on all servers without the need for creating every single
user on every server.
Help :-)
- Ronni
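Added example (not part of the post): a small Python triage script that correlates sshd auth.log lines with krb5kdc lines of the kind quoted above, using constructed sample lines modelled on them. It separates "no local account on the SSH server" from "no principal in the KDC" (OpenSSH substitutes the placeholder name NOUSER for a username it cannot resolve locally, which is what the KDC then reports), and flags logins that used a password rather than a Kerberos ticket (gssapi-with-mic).

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the auth.log / krb5kdc output quoted in the post.
SSHD_LOG = """\
Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from 192.168.212.254
Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni from 192.168.212.254 port 47098 ssh2
Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni from 192.168.212.254 port 47098 ssh2
Oct 27 09:40:02 rofe sshd[11402]: Accepted gssapi-with-mic for alice from 192.168.212.254 port 47110 ssh2
"""
KDC_LOG = """\
Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER@ONE.COM for krbtgt/ONE.COM@ONE.COM, Client not found in Kerberos database
Oct 27 09:41:00 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: bob@ONE.COM for krbtgt/ONE.COM@ONE.COM, Client not found in Kerberos database
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
AUTH_RESULT = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+)")
KDC_NOT_FOUND = re.compile(r"krb5kdc\[\d+\]: AS_REQ .*? (\S+): CLIENT_NOT_FOUND: (\S+) for ")


def invalid_users(sshd_log: str) -> Dict[str, str]:
    """Usernames sshd could not resolve to a local account, mapped to the client address."""
    return {m.group(1): m.group(2) for m in INVALID_USER.finditer(sshd_log)}


def auth_methods(sshd_log: str) -> Dict[str, str]:
    """Last SSH authentication method seen per user ('none' probes are ignored)."""
    return {m.group(3): m.group(2) for m in AUTH_RESULT.finditer(sshd_log) if m.group(2) != "none"}


def not_found_principals(kdc_log: str) -> Dict[str, str]:
    """Client principals the KDC rejected with CLIENT_NOT_FOUND, mapped to the requesting address."""
    return {m.group(2): m.group(1) for m in KDC_NOT_FOUND.finditer(kdc_log)}


def diagnose(sshd_log: str, kdc_log: str) -> List[str]:
    """Correlate both logs and state which side of the setup each failure points at."""
    findings = []
    missing_local = invalid_users(sshd_log)
    for princ, host in not_found_principals(kdc_log).items():
        if princ.split("@", 1)[0] == "NOUSER":
            # OpenSSH uses the placeholder "NOUSER" for a login name with no local account, so the
            # KDC never saw the real name: fix NSS/passwd on the SSH server, not the KDC database.
            findings.append(f"{host}: local-account lookup failed for {sorted(missing_local)}; KDC queried placeholder {princ}")
        else:
            findings.append(f"{host}: principal {princ} does not exist in the KDC")
    for user, method in auth_methods(sshd_log).items():
        if method == "password":
            # A password was checked (KerberosAuthentication validates it against the KDC); ticket-based
            # single sign-on shows up as gssapi-with-mic and needs GSSAPIAuthentication in sshd_config.
            findings.append(f"{user}: authenticated by password, not by Kerberos ticket (gssapi-with-mic)")
    return findings
```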