GSSAPI auth and NAT Problems

Douglas E. Engert deengert at anl.gov
Wed Aug 8 09:32:41 EDT 2012



On 8/7/2012 11:12 PM, Jeremy Hunt wrote:
>
> Reverse the order of aliases for the IP address in your /etc/hosts file.
> The first named alias is used for your ticket generation. This is a
> common problem with short and FQDNs in /etc/hosts.


Then ssh to ssh.lan.com would work, but not ssh to kerberos.lan.com
as the forward lookup finds the IP then the reverse finds the
first name for that IP number.

GSSAPIServerIdentity option looks like the solution if the ssh supports it.


>
> Mauricio Tavares wrote:
>> On 08/01/2012 11:04 AM, Douglas E. Engert wrote:
>>>
>>> On 8/1/2012 8:09 AM, "Jörg Herzinger" wrote:
>>>> Hi, I am trying to get GSSAPI auth to work and the problem ist that my
>>>> kerberos server and the ssh server I want to connect to are behind a nat.
>>>> My setup looks like this:
>>>>
>>>> my_laptop -------- virtual_machine_host ----- kerberos & ssh server
>>>> (any ip here)    128.131.XX.YY - 10.0.0.1     10.0.0.2 & 10.0.0.3
>>>>
>>>> Port forwads are done by iptables on my virtual-machine-host. Port 22 ist
>>>> forwarded to my ssh server. I can get a kerberos ticket easily on my
>>>> laptop:
>>>> joerg at laptop ~ % kinit joerg
>>>> Password for joerg at REAML.AT:
>>>> joerg at laptop ~ % klist -af
>>>> Ticket cache: FILE:/tmp/krb5cc_1000
>>>> Default principal: joerg at REALM.AT
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 08/01/12 09:34:39  08/01/12 23:34:39  krbtgt/REALM.AT at REALM.AT
>>>> 	renew until 08/02/12 09:35:00, Flags: FPRI
>>>> 	Addresses: (none)
>>>>
>>>> Connecting to my virtual machine host with gssapi auth also works like
>>>> expected but when I try to connect to my ssh server gssapi fails (No valid
>>>> Key exchange context) and I am prompted for a password. Connecting via ssh
>>>> from my kerberos server to my ssh server internally works too.
>>>> The stange thing i found is that even with NO host keytab on my ssh server
>>>> I do get a ticket when trying to connect.
>>>>
>>>> joerg at laptop ~ % kinit joerg
>>>> Password for joerg at REALM.AT:
>>>> joerg at laptop ~ % klist -af
>>>> Ticket cache: FILE:/tmp/krb5cc_1000
>>>> Default principal: joerg at REALM.AT
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/REALM.AT at REALM.AT
>>>> 	renew until 08/02/12 09:47:03, Flags: FPRI
>>>> 	Addresses: (none)
>>>> joerg at blackmini ~ % ssh root at virtual-machine-host
>>>> Warning: Permanently added 'virtual-machine-host,128.131.XX.YY' (ECDSA) to
>>>> the list of known hosts.
>>>> Password:
>>>>
>>>> 130 joerg at laptop ~ % klist -af
>>>> Ticket cache: FILE:/tmp/krb5cc_1000
>>>> Default principal: joerg at REALM.AT
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/REALM.AT at REALM.AT
>>>> 	renew until 08/02/12 09:47:03, Flags: FPRI
>>>> 	Addresses: (none)
>>>> 08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host@
>>>> 	renew until 08/02/12 09:47:03, Flags: FPRT
>>>> 	Addresses: (none)
>>>> 08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host at REALM.AT
>>>> 	renew until 08/02/12 09:47:03, Flags: FPRT
>>>> 	Addresses: (none)
>>>>
>>>> I already read a lot about address less tickets and "rdns=no", but all
>>>> this seems way outdated. The config option "extra_addresses" looks
>>>> promising but I didn't have success with this either. I am working on
>>>> ubuntu laptop 11.04 and ssh server is Debian Squeeze.
>>>> Any ideas or further suggestions on what I could try to get this working?
>>>> This would be quite important for me.
>>> The above ticket is only good for  services on virtual-machine-host.
>>> But the service is on ssh-server
>>>
>>> Kerberos uses hostnames in tickets, not IP. So what is the host name
>>> of your ssh-server at 10.0.0.3? Sounds like you already have a principal
>>> for it in the KDC and a keytab.
>>>
>>> You will then need to tell your laptop, that the IP number for the
>>> ssh-server is the same as the virtual-machine-host, so the ssh client
>>> will get a ticket based on the name and ssh will make the TCP
>>> connection to the IP and port to the virtual-machine-host that will
>>> route to the ssh-server.
>>> The both the client and ssh-server will be using the same name
>>> for the prinbcipal.
>>>
>>> Running with ssh -v -v -v  and sshd -d -d -d
>>> will give debug info.
>>>
>>> You may want to assign a forwarded ssh port for each of your
>>> back end servers, and leave 22 for the virtual-machine-host.
>>> You could then ssh to any of them from your laptop.
>>>
>>> Your laptop will then have to use a name and port for each.
>>> The /etc/hosts file will have all the names mapping to the
>>> IP of the virtual-machine-host.
>>> ~.ssh/config could add the port.
>>>
>> 	Correct me if I am wrong but what you are saying is to put in
>> /etc/hosts (using the OP's example)
>>
>> 128.131.XX.YY	kerberos.lan.com ssh.lan.com
>>
>> I tried that and when I did
>>
>> kinit -fAp
>> ssh -vvv -p 1234 -o GSSAPITrustDNS=no ssh.lan.com
>>
>> ssh acted like it was trying to authenticate against kerberos.lan.com,
>> not ssh.lan.com.
>>
>>>> thanks,
>>>>         Jörg
>>>>
>>>>
>>>> ________________________________________________
>>>> Kerberos mailing list           Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444




More information about the Kerberos mailing list