GSSAPI auth and NAT Problems

"Jörg Herzinger" bowser@fstph.at
Wed Aug 1 09:09:34 EDT 2012


Hi, I am trying to get GSSAPI auth to work and the problem is that my
Kerberos server and the SSH server I want to connect to are behind a NAT.
My setup looks like this:

my_laptop -------- virtual_machine_host ----- kerberos & ssh server
(any ip here)    128.131.XX.YY - 10.0.0.1     10.0.0.2 & 10.0.0.3

Port forwards are done by iptables on my virtual-machine-host. Port 22 is
forwarded to my SSH server. I can get a Kerberos ticket easily on my
laptop:
joerg@laptop ~ % kinit joerg
Password for joerg@REAML.AT:
joerg@laptop ~ % klist -af
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joerg@REALM.AT

Valid starting     Expires            Service principal
08/01/12 09:34:39  08/01/12 23:34:39  krbtgt/REALM.AT@REALM.AT
	renew until 08/02/12 09:35:00, Flags: FPRI
	Addresses: (none)

Connecting to my virtual machine host with GSSAPI auth also works as
expected, but when I try to connect to my SSH server GSSAPI fails (No valid
Key exchange context) and I am prompted for a password. Connecting via ssh
from my Kerberos server to my SSH server internally works too.
The strange thing I found is that even with NO host keytab on my SSH server
I do get a ticket when trying to connect.

joerg@laptop ~ % kinit joerg
Password for joerg@REALM.AT:
joerg@laptop ~ % klist -af
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joerg@REALM.AT

Valid starting     Expires            Service principal
08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/REALM.AT@REALM.AT
	renew until 08/02/12 09:47:03, Flags: FPRI
	Addresses: (none)
joerg@blackmini ~ % ssh root@virtual-machine-host
Warning: Permanently added 'virtual-machine-host,128.131.XX.YY' (ECDSA) to
the list of known hosts.
Password:

130 joerg@laptop ~ % klist -af
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joerg@REALM.AT

Valid starting     Expires            Service principal
08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/REALM.AT@REALM.AT
	renew until 08/02/12 09:47:03, Flags: FPRI
	Addresses: (none)
08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host@
	renew until 08/02/12 09:47:03, Flags: FPRT
	Addresses: (none)
08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host@REALM.AT
	renew until 08/02/12 09:47:03, Flags: FPRT
	Addresses: (none)

I already read a lot about addressless tickets and "rdns=no", but all
this seems way outdated. The config option "extra_addresses" looks
promising, but I didn't have success with this either. I am working on an
Ubuntu 11.04 laptop and the SSH server is Debian Squeeze.
Any ideas or further suggestions on what I could try to get this working?
This would be quite important for me.

thanks,
    Jörg
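The symptom in the post (a host/ ticket appears in the cache, yet the SSH server rejects GSSAPI) comes down to which service principal the client asks the KDC for and whether the server behind the NAT holds a key for it. The following script is an added diagnostic example, not part of the post and not from the Kerberos or OpenSSH projects. It parses `klist -af`-style output, models the client's choice of `host/<name>@REALM` (including reverse-DNS canonicalization, in a deliberately simplified form of what the MIT krb5 library does), and compares the result against the principals a server's keytab would list. The sample `klist` text, the DNS tables, the address 198.51.100.1 and the keytab contents are all constructed for the example.

```python
import re

# Constructed sample of `klist -af` output (modelled on the post, not copied
# from it): the TGT plus the host/ ticket obtained when connecting to the NAT
# host through the port forward.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joerg@REALM.AT

Valid starting     Expires            Service principal
08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/REALM.AT@REALM.AT
\trenew until 08/02/12 09:47:03, Flags: FPRI
\tAddresses: (none)
08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host@REALM.AT
\trenew until 08/02/12 09:47:03, Flags: FPRT
\tAddresses: (none)
"""

# Constructed (hypothetical) DNS data: both names resolve to the NAT host's
# public address, whose PTR record names the NAT host. 198.51.100.1 is a
# documentation address standing in for the post's masked 128.131.XX.YY.
FORWARD = {
    "ssh-server": "198.51.100.1",
    "virtual-machine-host": "198.51.100.1",
}
REVERSE = {"198.51.100.1": "virtual-machine-host"}

# Constructed keytab contents of the internal SSH server (what `klist -k`
# would list there), assuming the admin created a host/ssh-server key.
SSH_SERVER_KEYTAB = {"host/ssh-server@REALM.AT"}

# One ticket line: "<start date> <start time>  <expiry date> <expiry time>  <principal>"
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$",
    re.MULTILINE,
)


def service_principals(klist_text):
    """Return the service principals listed in klist output, in order."""
    return TICKET_RE.findall(klist_text)


def host_tickets(klist_text):
    """Only the host/ service tickets, i.e. the ones ssh would present."""
    return [p for p in service_principals(klist_text) if p.startswith("host/")]


def canonical_name(typed_host, forward, reverse, rdns=True):
    """Simplified model of how the client turns the name the user typed into
    the host name of the requested service principal: with rdns enabled the
    typed name is resolved and the PTR name of that address wins; with rdns
    disabled the typed name is kept. (The real MIT krb5 library also
    canonicalizes through forward lookups; that step is omitted here.)"""
    if not rdns:
        return typed_host
    addr = forward.get(typed_host)
    if addr is None:
        raise LookupError(f"no forward record for {typed_host!r} (constructed table)")
    return reverse.get(addr, typed_host)


def requested_principal(typed_host, realm, forward, reverse, rdns=True):
    """Service principal the client will ask the KDC for."""
    return f"host/{canonical_name(typed_host, forward, reverse, rdns)}@{realm}"


def diagnose(typed_host, realm, keytab, forward, reverse, rdns=True):
    """Return (principal requested, whether the target server can decrypt it).

    The KDC issues a ticket for any principal that exists in its database, so
    holding a host/ ticket proves nothing about the target machine; the
    connection succeeds only if the server's keytab holds that exact principal."""
    princ = requested_principal(typed_host, realm, forward, reverse, rdns)
    return princ, princ in keytab


def undecryptable_tickets(klist_text, keytab):
    """host/ tickets in the cache that the given keytab cannot decrypt."""
    return [p for p in host_tickets(klist_text) if p not in keytab]


if __name__ == "__main__":
    print("host tickets held:", host_tickets(SAMPLE_KLIST))
    for typed in ("virtual-machine-host", "ssh-server"):
        for rdns in (True, False):
            princ, ok = diagnose(typed, "REALM.AT", SSH_SERVER_KEYTAB, FORWARD, REVERSE, rdns)
            print(f"ssh {typed} (rdns={rdns}): requests {princ}; server can decrypt: {ok}")
```

To use it on a real setup, feed the output of `klist -af` from the client into `host_tickets` and the principal names from `klist -k` on the server into the keytab set; a non-empty result from `undecryptable_tickets` points at a name mismatch rather than a Kerberos failure, and the server-side sshd log (with GSSAPI debugging enabled) will show the same principal being rejected.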
