Going across a firewall

Mauricio Tavares raubvogel at gmail.com
Tue Sep 6 04:15:35 EDT 2011


	Feeling rather stupid here. Let's say I have:

o 192.168.1.0/24 (internal)
	o realm DOMAIN.COM
	o kdc.internal.domain.com (192.168.1.100)
		o kdc.conf
			allow-null-ticket-addresses = true
		o host principals for
			o firewall
			o kdc
			o slavelinux
			o externalbox
		o user principal for testuser
		o testuser also local user in kdc
		o "GSSAPIAuthentication yes" in /etc/ssh/sshd_config
	o slavelinux.internal.domain.com (192.168.1.200)
		o testuser local user in slavelinux
		o kdc.keytab with slavelinux's host principal
		o "GSSAPIAuthentication yes" in /etc/ssh/sshd_config
o 192.168.11.0/24 (external)
	o externalbox.domain.com (192.168.11.188)
		o in .ssh/config
Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPITrustDns yes
  CheckHostIP no
		o testuser local user in externalbox
		o kdc.keytab with externalbox's host principal
		o "GSSAPIAuthentication yes" in /etc/ssh/sshd_config
o Firewall
	o firewall.domain.com 192.168.11.10
	o firewall.internal.domain.com 192.168.1.1
	o port 88 (tcp/udp) forwarded to kdc
	o port 22 (tcp) forwarded to kdc

Creating a ticket on slavelinux as testuser and then ssh'ing to kdc
works fine. So, as testuser at externalbox, I do

testuser@externalbox:~$ kinit -f -A -p testuser
Password for testuser@DOMAIN.COM:
testuser@externalbox:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testuser@DOMAIN.COM

Valid starting     Expires            Service principal
09/06/11 04:06:40  09/06/11 14:06:40  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 09/07/11 04:06:34
09/06/11 04:08:45  09/06/11 14:06:40  host/firewall.domain.com@DOMAIN.COM
        renew until 09/07/11 04:06:34
testuser@externalbox:~$

The log file in kdc shows the authentication taking place:

Sep  6 04:06:34 kdc krb5kdc[13460]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.11.188: NEEDED_PREAUTH: testuser@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Sep  6 04:06:40 kdc krb5kdc[13460]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=23 tkt=18 ses=18}, testuser@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM

Now, when I try to ssh from externalbox to the kdc, it seems that
gssapi-with-mic isn't working:

testuser@externalbox:~$ ssh -K -vvv testuser@firewall.domain.com
[...]
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.11.121.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/testuser/.ssh/id_rsa
debug3: no such identity: /home/testuser/.ssh/id_rsa
debug1: Trying private key: /home/testuser/.ssh/id_dsa
debug3: no such identity: /home/testuser/.ssh/id_dsa
debug1: Trying private key: /home/testuser/.ssh/id_ecdsa
debug3: no such identity: /home/testuser/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
testuser@firewall's password:

What am I missing here?  The kdc log file tells me that

Sep  6 04:08:45 kdc krb5kdc[13460]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18 ses=18}, testuser@DOMAIN.COM for host/firewall.domain.com@DOMAIN.COM
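The setup above forwards port 22 on the firewall to kdc, and the client's ticket cache shows a service ticket for host/firewall.domain.com. When gssapi-with-mic falls through to password like this, the first thing to check is whether the principal the client asked for is one the sshd that actually answers holds a key for: OpenSSH's GSSAPI client requests host/<target name>@REALM, and the server can only accept that ticket if the same principal is in its keytab. The script below is an added example, not code from the post or from MIT Kerberos or OpenSSH. It parses `klist` output (the client-side sample mirrors the post, with the archive's "at" restored to "@") and `klist -k` style output; the server keytab listing is an assumption about what kdc's keytab might contain, not something the post states.

```python
import re

# Constructed sample data. CLIENT_KLIST mirrors the klist output in the post.
# SERVER_KEYTAB is an ASSUMPTION about `klist -k` on the host behind the
# port-forward (kdc); the post does not show its keytab.
CLIENT_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testuser@DOMAIN.COM

Valid starting     Expires            Service principal
09/06/11 04:06:40  09/06/11 14:06:40  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 09/07/11 04:06:34
09/06/11 04:08:45  09/06/11 14:06:40  host/firewall.domain.com@DOMAIN.COM
        renew until 09/07/11 04:06:34
"""

SERVER_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kdc.internal.domain.com@DOMAIN.COM
   2 host/kdc.internal.domain.com@DOMAIN.COM
"""


def service_principals(klist_text):
    """Service principals in `klist` output (ticket rows only, TGT excluded)."""
    found = []
    for line in klist_text.splitlines():
        # Ticket rows start with a date; header and 'renew until' rows do not.
        if not re.match(r"\d{2}/\d{2}/\d{2} ", line):
            continue
        principal = line.split()[-1]  # last column is the service principal
        if "@" in principal and not principal.startswith("krbtgt/"):
            found.append(principal)
    return found


def keytab_principals(klist_k_text):
    """Distinct principals in `klist -k` output, in order of first appearance."""
    seen = []
    for line in klist_k_text.splitlines():
        parts = line.split()
        # Entry rows are '<kvno> <principal>'; skip header and separator rows.
        if len(parts) == 2 and parts[0].isdigit() and "@" in parts[1]:
            if parts[1] not in seen:
                seen.append(parts[1])
    return seen


def expected_service_principal(ssh_target, realm):
    """The GSSAPI ssh client asks the KDC for host/<target>@REALM, built from
    the name given on the command line (or its canonical DNS name when
    GSSAPITrustDns is yes). A port-forward in front of the server does not
    change which name the client uses."""
    return f"host/{ssh_target.lower()}@{realm}"


def diagnose(ssh_target, realm, client_klist, server_keytab):
    """Return (status, detail) for a gssapi-with-mic attempt to ssh_target."""
    wanted = expected_service_principal(ssh_target, realm)
    tickets = service_principals(client_klist)
    keys = keytab_principals(server_keytab)
    if wanted not in tickets:
        return ("no-ticket",
                f"client holds no service ticket for {wanted}; it has {tickets}")
    if wanted not in keys:
        return ("keytab-mismatch",
                f"client holds a ticket for {wanted}, but the answering sshd "
                f"has keys only for {keys}, so it cannot decrypt that ticket "
                f"and gssapi-with-mic fails over to the next method")
    return ("ok", f"{wanted} is in both the client cache and the server keytab")


if __name__ == "__main__":
    status, detail = diagnose("firewall.domain.com", "DOMAIN.COM",
                              CLIENT_KLIST, SERVER_KEYTAB)
    print(status, "-", detail)
```

On a real host the two inputs come from `klist` on the client and `klist -k` on the server that answers port 22; the "no-ticket" branch catches a client that never got a service ticket (a KDC or DNS problem), and the "keytab-mismatch" branch catches the case where the ticket exists but was issued for a name the server has no key for.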
