GSSAPI auth and NAT Problems

Douglas E. Engert deengert at anl.gov
Wed Aug 1 11:04:48 EDT 2012 


On 8/1/2012 8:09 AM, "Jörg Herzinger" wrote:
> Hi, I am trying to get GSSAPI auth to work and the problem ist that my
> kerberos server and the ssh server I want to connect to are behind a nat.
> My setup looks like this:
>
> my_laptop -------- virtual_machine_host ----- kerberos & ssh server
> (any ip here)    128.131.XX.YY - 10.0.0.1     10.0.0.2 & 10.0.0.3
>
> Port forwads are done by iptables on my virtual-machine-host. Port 22 ist
> forwarded to my ssh server. I can get a kerberos ticket easily on my
> laptop:
> joerg at laptop ~ % kinit joerg
> Password for joerg at REAML.AT:
> joerg at laptop ~ % klist -af
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: joerg at REALM.AT
>
> Valid starting     Expires            Service principal
> 08/01/12 09:34:39  08/01/12 23:34:39  krbtgt/REALM.AT at REALM.AT
> 	renew until 08/02/12 09:35:00, Flags: FPRI
> 	Addresses: (none)
>
> Connecting to my virtual machine host with gssapi auth also works like
> expected but when I try to connect to my ssh server gssapi fails (No valid
> Key exchange context) and I am prompted for a password. Connecting via ssh
> from my kerberos server to my ssh server internally works too.
> The stange thing i found is that even with NO host keytab on my ssh server
> I do get a ticket when trying to connect.
>
> joerg at laptop ~ % kinit joerg
> Password for joerg at REALM.AT:
> joerg at laptop ~ % klist -af
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: joerg at REALM.AT
>
> Valid starting     Expires            Service principal
> 08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/REALM.AT at REALM.AT
> 	renew until 08/02/12 09:47:03, Flags: FPRI
> 	Addresses: (none)
> joerg at blackmini ~ % ssh root at virtual-machine-host
> Warning: Permanently added 'virtual-machine-host,128.131.XX.YY' (ECDSA) to
> the list of known hosts.
> Password:
>
> 130 joerg at laptop ~ % klist -af
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: joerg at REALM.AT
>
> Valid starting     Expires            Service principal
> 08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/REALM.AT at REALM.AT
> 	renew until 08/02/12 09:47:03, Flags: FPRI
> 	Addresses: (none)
> 08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host@
> 	renew until 08/02/12 09:47:03, Flags: FPRT
> 	Addresses: (none)
> 08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host at REALM.AT
> 	renew until 08/02/12 09:47:03, Flags: FPRT
> 	Addresses: (none)
>

> I already read a lot about address less tickets and "rdns=no", but all
> this seems way outdated. The config option "extra_addresses" looks
> promising but I didn't have success with this either. I am working on
> ubuntu laptop 11.04 and ssh server is Debian Squeeze.
> Any ideas or further suggestions on what I could try to get this working?
> This would be quite important for me.

The above ticket is only good for  services on virtual-machine-host.
But the service is on ssh-server

Kerberos uses hostnames in tickets, not IP. So what is the host name
of your ssh-server at 10.0.0.3? Sounds like you already have a principal
for it in the KDC and a keytab.

You will then need to tell your laptop, that the IP number for the
ssh-server is the same as the virtual-machine-host, so the ssh client
will get a ticket based on the name and ssh will make the TCP
connection to the IP and port to the virtual-machine-host that will
route to the ssh-server.
The both the client and ssh-server will be using the same name
for the prinbcipal.

Running with ssh -v -v -v  and sshd -d -d -d
will give debug info.

You may want to assign a forwarded ssh port for each of your
back end servers, and leave 22 for the virtual-machine-host.
You could then ssh to any of them from your laptop.

Your laptop will then have to use a name and port for each.
The /etc/hosts file will have all the names mapping to the
IP of the virtual-machine-host.
~.ssh/config could add the port.

>
> thanks,
>      Jörg
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list