Kerberos and SSH ?
Edward Murrell
edward at murrell.co.nz
Mon Oct 27 05:27:11 EDT 2008
Assuming your DNS is set up properly, you'll need to set the host principal
to use the fully qualified domain name, i.e.
host/rofe.one.com@ONE.COM instead of host/rofe@ONE.COM
You can check if it is by running host against the IP of the hostname.
So assuming rofe.one.com has the IP 10.1.2.3:
> host 10.1.2.3
3.2.1.10.in-addr.arpa domain name pointer rofe.one.com.
(Note that the returned IP is reversed, which is normal.)
Cheers,
Edward
On Mon, 2008-10-27 at 09:47 +0100, Ronni Feldt wrote:
> I'm about to make some central authentication for our linux servers. I
> have followed these guides and some of it works, except ssh to the
> server.
>
> Guides:
> http://www.visolve.com:81/security/ssh_kerberos.php
> http://www.alittletooquiet.net/text/kerberos-on-ubuntu/
>
> My test-environment is 3 computers (pc1, pc2 and pc3):
>
> PC2 (Debian Etch)
> Installed kerberos and configured realms in /etc/krb5.conf:
>
> [libdefaults]
> default_realm = ONE.COM
>
> [realms]
> ONE.COM = {
> kdc = kerberos.one.com
> admin_server = kerberos.one.com
> }
>
> Created principals:
> host/rofe (the pc which I want to login to via ssh, PC1)
> ronni (me)
>
> Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab.
>
> PC1 (Ubuntu 8.04):
> I have installed kerberos and openssh and configured realms
> in /etc/krb5.conf
>
> [libdefaults]
> default_realm = ONE.COM
>
> [realms]
> ONE.COM = {
> kdc = kerberos.one.com
> admin_server = kerberos.one.com
> }
>
>
> Edited permissions for /etc/krb5.keytab to:
> chmod 600 /etc/krb5.keytab
> chown root:root /etc/krb5.keytab
>
> Configured and restarted ssh; /etc/ssh/sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
>
> Edited firewall-rules and /etc/hosts for communication.
>
> -----
> From PC1 I can do a:
> kinit ronni
> And verify that I get a ticket with klist.
>
> But it fails when I try to ssh from PC3 to PC1.
> On PC2 I have tried to make a:
> tcpdump -i eth0 'udp port 88'
>
> And get this:
> 08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos: v5
> 08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976:
> 08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos: v5
> 08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652:
>
> So they can communicate, but the authentication fails:
> The /var/log/auth.log :
> PC1 (where I want to login)
> Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from 192.168.212.254
> Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni from 192.168.212.254 port 47098 ssh2
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user unknown
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3
> Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni from 192.168.212.254 port 47098 ssh2
>
> PC2 (the kerberos server)
> Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER@ONE.COM for krbtgt/ONE.COM@ONE.COM, Client not found in Kerberos database
>
>
> I know my user (ronni) is in the Kerberos database, but still I get
> CLIENT_NOT_FOUND, so I may have missed something somewhere.
> What I want to achieve is a central user database (Kerberos), and be
> able to login on all servers without the need for creating every single
> user on every server.
>
>
> Help :-)
>
> - Ronni
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
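Edward's check above, turned into a small script: resolve the host to its IP, look up the PTR for that IP (the reversed in-addr.arpa name), build host/<fqdn>@REALM from the result, and see whether that exact principal is in the keytab. This is an added example, not code from the thread or from MIT Kerberos. It assumes MIT-style `klist -k` output and IPv4 addresses; the constructed lookup tables and keytab listings mirror the thread's rofe.one.com / 10.1.2.3 example so the script runs offline, and the function names (ptr_name, check_host_principal, run_sample) are my own. Pass the default socket-based resolvers to run it against real DNS.

```python
"""Check that a host's Kerberos service principal matches what reverse DNS says.

Added example, not code from the thread. Assumes MIT-format `klist -k` output
and IPv4. The sample run below injects constructed lookup tables so it needs no
network; the defaults use the system resolver for a real check.
"""
import re
import socket


def ptr_name(ip):
    """Return the reverse-lookup name for an IPv4 address.

    The octets come out reversed, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa,
    which is the name `host <ip>` shows in its answer.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def system_reverse(ip):
    """PTR lookup through the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def keytab_principals(klist_output):
    """Parse principal names out of MIT `klist -k` output (assumed format):

       KVNO Principal
       ---- ----------
          2 host/rofe@ONE.COM
    """
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found


def check_host_principal(hostname, realm, klist_output,
                         forward=socket.gethostbyname, reverse=system_reverse):
    """Resolve hostname -> IP -> PTR, derive host/<fqdn>@REALM and look for it
    in the keytab listing. Also reports host/ principals whose instance is an
    unqualified name (the short form the thread says to avoid)."""
    ip = forward(hostname)
    fqdn = reverse(ip).rstrip(".").lower()
    expected = "host/%s@%s" % (fqdn, realm)
    have = keytab_principals(klist_output)
    unqualified = sorted(
        p for p in have
        if p.startswith("host/") and "." not in p.split("/", 1)[1].split("@", 1)[0]
    )
    return {
        "ip": ip,
        "ptr": ptr_name(ip),
        "fqdn": fqdn,
        "expected": expected,
        "present": expected in have,
        "unqualified_host_principals": unqualified,
    }


# Constructed lookup tables mirroring the thread's example (rofe.one.com = 10.1.2.3).
SAMPLE_FORWARD = {"rofe": "10.1.2.3", "rofe.one.com": "10.1.2.3"}
SAMPLE_REVERSE = {"10.1.2.3": "rofe.one.com."}

# Constructed keytab listing in the state the original poster described
# (only host/rofe exported), and the corrected FQDN form.
SAMPLE_KLIST_SHORT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rofe@ONE.COM
   2 host/rofe@ONE.COM
"""
SAMPLE_KLIST_FQDN = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/rofe.one.com@ONE.COM
"""


def run_sample():
    """Run the check against the constructed data; returns (before, after)."""
    fwd, rev = SAMPLE_FORWARD.__getitem__, SAMPLE_REVERSE.__getitem__
    before = check_host_principal("rofe", "ONE.COM", SAMPLE_KLIST_SHORT, fwd, rev)
    after = check_host_principal("rofe", "ONE.COM", SAMPLE_KLIST_FQDN, fwd, rev)
    return before, after


if __name__ == "__main__":
    for label, r in zip(("short-name keytab", "fqdn keytab"), run_sample()):
        print("%s: PTR %s -> %s; want %s; present=%s; unqualified=%s" % (
            label, r["ptr"], r["fqdn"], r["expected"], r["present"],
            r["unqualified_host_principals"]))
```

On a real box the equivalent manual check is `host <ip>` followed by `klist -k /etc/krb5.keytab`; the script just makes the comparison explicit, and its "unqualified" list points at the exact principal to re-export as host/<fqdn>.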