Kerberos and SSH ?

Martin Simovic msimovic at concurrent-thinking.com
Mon Oct 27 06:27:11 EDT 2008


Hi,

your DNS has to work properly, Kerberos is unforgiving there. Also, does
your user exist on the server you are trying to log in to? You need a
separate mechanism (like LDAP) for the user database; Kerberos provides only
authentication (not authorization).

M.


On Mon, 2008-10-27 at 09:47 +0100, Ronni Feldt wrote:
> I'm about to make some central authentication for our linux servers. I
> have followed these guides and some of it works, except ssh to the
> server.
> 
> Guides:
> http://www.visolve.com:81/security/ssh_kerberos.php
> http://www.alittletooquiet.net/text/kerberos-on-ubuntu/
> 
> My test-environment is 3 computers (pc1, pc2 and pc3):
> 
> PC2 (Debian Etch)
> Installed kerberos and configured realms in /etc/krb5.conf:
> 
> [libdefaults]
>         default_realm = ONE.COM
> 
> [realms]
>         ONE.COM = {
>                 kdc = kerberos.one.com
>                 admin_server = kerberos.one.com
>         }
> 
> Created principals:
> host/rofe	(the pc which I want to login to via ssh, PC1)
> ronni		(me)
> 
> Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab.
> 
> PC1 (Ubuntu 8.04):
> I have installed kerberos and openssh and configured realms
> in /etc/krb5.conf
> 
> [libdefaults]
>         default_realm = ONE.COM
> 
> [realms]
>         ONE.COM = {
>                 kdc = kerberos.one.com
>                 admin_server = kerberos.one.com
>         }
> 
> 
> Edited permissions for /etc/krb5.keytab to:
> chmod 600 /etc/krb5.keytab
> chown root:root /etc/krb5.keytab
> 
> Configured and restarted ssh; /etc/ssh/sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> 
> Edited firewall-rules and /etc/hosts for communication.
> 
> -----
> From PC1 I can do a:
> kinit ronni
> And verify that I get a ticket with klist.
> 
> But it fails when I try to ssh from PC3 to PC1.
> On PC2 I have tried to make a:
> tcpdump -i eth0 'udp port 88'
> 
> And get this:
> 08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos:  v5
> 08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976: 
> 08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos:  v5
> 08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652: 
> 
> So they can communicate, but the authentication fails:
> The /var/log/auth.log :
> PC1 (where I want to login)
> Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from
> 192.168.212.254
> Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni
> from 192.168.212.254 port 47098 ssh2
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user
> unknown
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3 
> Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni
> from 192.168.212.254 port 47098 ssh2
> 
> PC2 (the kerberos server)
> Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1
> 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER@ONE.COM for
> krbtgt/ONE.COM@ONE.COM, Client not found in Kerberos database
> 
> 
> I know my user (ronni) is in the Kerberos database, but still I get
> CLIENT_NOT_FOUND, so I may have missed something somewhere.
> What I want to achieve is a central user database (Kerberos), and be
> able to login on all servers without the need for creating every single
> user on every server.
> 
> 
> Help :-)
> 
> - Ronni
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
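As an added example (not code from the thread), a small POSIX shell script that automates the checks the reply names on the SSH server: the account must resolve through the host's user database, forward and reverse DNS must agree, and the keytab must hold the host principal. The script name, its arguments and the sample `klist -k` listing it is tested against are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for Kerberos SSH logins (added example, not from the thread).
#   usage: ./krb-ssh-check.sh USER REALM [KEYTAB]      (names assumed)

# 1. Account lookup goes through NSS (files, LDAP, ...), the same path sshd's
#    getpwnam() takes. If this fails, sshd logs "Invalid user" before Kerberos
#    is ever consulted, however correct the principal in the KDC is.
check_local_user() {
    id -u "$1" >/dev/null 2>&1
}

# 2. Forward and reverse DNS for the server must agree: the client asks the
#    KDC for host/<canonical FQDN>, and sshd must hold exactly that key.
check_dns_roundtrip() {
    fqdn=$1
    addr=$(getent hosts "$fqdn" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    back=$(getent hosts "$addr" | awk 'NR == 1 { print $2 }')
    [ "$back" = "$fqdn" ]
}

# 3. Reads `klist -k` output on stdin and succeeds only if the exact
#    principal appears (column 2 of each entry line), so host/rofe@REALM
#    does not pass as host/rofe.one.com@REALM.
keytab_has_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

if [ $# -ge 2 ]; then
    user=$1 realm=$2 keytab=${3:-/etc/krb5.keytab}
    fqdn=$(hostname -f)
    check_local_user "$user" && echo "ok: $user found via NSS" \
        || echo "FAIL: $user unknown to this host (add it via files/LDAP)"
    check_dns_roundtrip "$fqdn" && echo "ok: DNS round-trip for $fqdn" \
        || echo "FAIL: forward/reverse DNS disagree for $fqdn"
    klist -k "$keytab" | keytab_has_principal "host/$fqdn@$realm" \
        && echo "ok: host/$fqdn@$realm present in $keytab" \
        || echo "FAIL: host/$fqdn@$realm missing from $keytab"
fi
```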
