krb5_get_init_creds_password: Decrypt integrity check failed (KRB5 Debugging on Ubuntu Linux)

Brian Candler B.Candler at
Mon Apr 11 14:41:49 EDT 2011

On Mon, Apr 11, 2011 at 10:59:16AM +0000, Traiano Welcome wrote:
> I'm trying to configure a (Ubuntu/Debian) Linux server as a kerberos
> client with our current kerberos infrastructure.  I would like users to
> authenticate ssh logins to the system using kerberos, and so I'm using the
> pam_krb5 pam module.

You don't need pam_krb5 to perform ssh authentication using kerberos.
(Indeed, I was under the impression that pam_krb5 did only *password*
authentication, checking the password against the KDC and getting a Kerberos
TGT as a side effect - but I could be wrong)

Anyway, if you want ssh to be authenticated using kerberos, just do the

Client side: edit /etc/ssh/ssh_config, under Host * set

    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes       (*)

(Don't set "KerberosAuthentication yes"; this means regular password
authentication, but with the password checked against the KDC)

Server side: edit /etc/ssh/sshd_config, set

    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes       (*)

plus all the usual Kerberos stuff:
- create a host key in the KDC
- extract the key to /etc/krb5.keytab
- forward and reverse DNS is correct
- realm to KDC mapping either in DNS or in /etc/krb5.conf
- domain to realm mapping either in DNS or in /etc/krb5.conf



(*) This is not strictly necessary for regular Kerberos authentication. 
However the 'KeyExchange' variant of the protocol uses Kerberos for mutual
authentication; this eliminates the use of .ssh/known_hosts and the
prompting for unknown host keys.
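
An added example, not part of the original message: a small audit of ssh_config/sshd_config text for the settings named above, honouring the OpenSSH rule that the first value obtained for a keyword wins. The function names, the sample configs and the assumed default of "no" for unset options are this example's own assumptions.

```python
import re

# keyword, then whitespace or a single '=', then the value
LINE = re.compile(r"^([^\s=]+)(?:\s*=\s*|\s+)(.*)$")

def effective_options(text, applies=("global",)):
    """Return {keyword: value} for the sections listed in `applies`.
    Keywords are case-insensitive and the first value obtained wins."""
    section, opts = "global", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):          # start of a new section
            section = f"{key} {value.lower()}"
            continue
        if section in applies:
            opts.setdefault(key, value)       # later duplicates are ignored
    return opts

def audit(opts):
    """List deviations from the settings recommended in the message.
    Assumption: an option that is not set behaves as 'no'."""
    findings = []
    if opts.get("gssapiauthentication", "no").lower() != "yes":
        findings.append("GSSAPIAuthentication is not 'yes'")
    if opts.get("gssapikeyexchange", "no").lower() != "yes":
        findings.append("GSSAPIKeyExchange is not 'yes' (known_hosts still in use)")
    if opts.get("kerberosauthentication", "no").lower() == "yes":
        findings.append("KerberosAuthentication is 'yes' (message advises against it)")
    return findings

# Constructed client sample: the early global 'no' overrides the later 'yes'.
CLIENT_SAMPLE = """\
GSSAPIAuthentication no
Host *
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
"""

# Constructed server sample: the Match block does not affect global settings.
SERVER_SAMPLE = """\
# sshd_config
GSSAPIAuthentication yes
GSSAPIKeyExchange=yes
Match User backup
    GSSAPIAuthentication no
"""

if __name__ == "__main__":
    print(audit(effective_options(CLIENT_SAMPLE, ("global", "host *"))))
    print(audit(effective_options(SERVER_SAMPLE)))
```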
