GSSAPI auth and NAT Problems
"Jörg Herzinger"
bowser at fstph.at
Wed Aug 1 09:09:34 EDT 2012
Hi, I am trying to get GSSAPI auth to work and the problem ist that my
kerberos server and the ssh server I want to connect to are behind a nat.
My setup looks like this:
my_laptop -------- virtual_machine_host ----- kerberos & ssh server
(any ip here) 128.131.XX.YY - 10.0.0.1 10.0.0.2 & 10.0.0.3
Port forwads are done by iptables on my virtual-machine-host. Port 22 ist
forwarded to my ssh server. I can get a kerberos ticket easily on my
laptop:
joerg at laptop ~ % kinit joerg
Password for joerg at REAML.AT:
joerg at laptop ~ % klist -af
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joerg at REALM.AT
Valid starting Expires Service principal
08/01/12 09:34:39 08/01/12 23:34:39 krbtgt/REALM.AT at REALM.AT
renew until 08/02/12 09:35:00, Flags: FPRI
Addresses: (none)
Connecting to my virtual machine host with gssapi auth also works like
expected but when I try to connect to my ssh server gssapi fails (No valid
Key exchange context) and I am prompted for a password. Connecting via ssh
from my kerberos server to my ssh server internally works too.
The stange thing i found is that even with NO host keytab on my ssh server
I do get a ticket when trying to connect.
joerg at laptop ~ % kinit joerg
Password for joerg at REALM.AT:
joerg at laptop ~ % klist -af
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joerg at REALM.AT
Valid starting Expires Service principal
08/01/12 09:46:42 08/01/12 23:46:42 krbtgt/REALM.AT at REALM.AT
renew until 08/02/12 09:47:03, Flags: FPRI
Addresses: (none)
joerg at blackmini ~ % ssh root at virtual-machine-host
Warning: Permanently added 'virtual-machine-host,128.131.XX.YY' (ECDSA) to
the list of known hosts.
Password:
130 joerg at laptop ~ % klist -af
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joerg at REALM.AT
Valid starting Expires Service principal
08/01/12 09:46:42 08/01/12 23:46:42 krbtgt/REALM.AT at REALM.AT
renew until 08/02/12 09:47:03, Flags: FPRI
Addresses: (none)
08/01/12 09:46:57 08/01/12 23:46:42 host/virtual-machine-host@
renew until 08/02/12 09:47:03, Flags: FPRT
Addresses: (none)
08/01/12 09:46:57 08/01/12 23:46:42 host/virtual-machine-host at REALM.AT
renew until 08/02/12 09:47:03, Flags: FPRT
Addresses: (none)
I already read a lot about address less tickets and "rdns=no", but all
this seems way outdated. The config option "extra_addresses" looks
promising but I didn't have success with this either. I am working on
ubuntu laptop 11.04 and ssh server is Debian Squeeze.
Any ideas or further suggestions on what I could try to get this working?
This would be quite important for me.
thanks,
Jörg
More information about the Kerberos
mailing list