Cross-realm authentication: Kerberos or SSH config ?
Jean-Christophe Gay
jean-christophe.gay at dauphine.fr
Fri Feb 24 10:32:43 EST 2012
Hi,
I'm configuring a Kerberos installation. I've got two KDC running. The
first one is in charge of the realm EXAMPLE.COM and the second one is
in charge of ETUD.EXAMPLE.COM.
In order to test this installation I add two ssh-servers to my two
KDCs, one for each realm. They are working. I can obtain a ticket from
one KDC and then ssh the ssh-server of the correct realm without any
difficulty.
To this I add a workstation. My workstation is configured so I can
obtain an EXAMPLE.COM ticket or an ETUD.EXAMPLE.COM one. I can use
these tickets to succesfully connect via ssh on my ssh-servers.
Now I'd like to achive cross-realm authentication. I want that someone
with an EXAMPLE.COM ticket can connect to the ETUD.EXAMPLE.COM
ssh-server. To be sure of what principal to add I tried to connect to
my ssh-server :
debug1: Unspecified GSS failure. Minor code may provide more
information Server krbtgt/ETUD.EXAMPLE.COM at EXAMPLE.COM not found in
Kerberos database
So I added this principal to both KDCs :
kadmin.local -e "des3-hmac-sha1:normal des-cbc-crc:v4"
kadmin: add_principal -kvno 1 -requires_preauth
krbtgt/ETUD.EXAMPLE.COM at EXAMPLE.COM
both with the same password. Then this should be working but here is
the error returned by:
$ kinit -p myuser
Password for myuser at EXAMPLE.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myuser at EXAMPLE.COM
Valid starting Expires Service principal
02/24/12 15:50:12 02/24/12 21:50:12 krbtgt/EXAMPLE.COM at EXAMPLE.COM
renew until 02/25/12 03:50:12
$ ssh -vv myuser at ssh-serv.etud.example.com
[...]
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password debug1: Next authentication method:
gssapi-with-mic debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password debug2: we sent a gssapi-with-mic
packet, wait for reply debug1: Authentications that can continue:
publickey,gssapi-with-mic,password debug2: we sent a gssapi-with-mic
packet, wait for reply debug1: Authentications that can continue:
publickey,gssapi-with-mic,password debug2: we sent a gssapi-with-mic
packet, wait for reply debug1: Authentications that can continue:
publickey,gssapi-with-mic,password debug2: we did not send a packet,
disable method
debug1: Next authentication method: password
myuser at ssh-serv.etud.example.com's password:
^C
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myuser at EXAMPLE.COM
Valid starting Expires Service principal
02/24/12 15:50:12 02/24/12 21:50:12 krbtgt/EXAMPLE.COM at EXAMPLE.COM
renew until 02/25/12 03:50:12
02/24/12 16:16:38 02/24/12 21:50:12
krbtgt/ETUD.EXAMPLE.COM at EXAMPLE.COM
renew until 02/25/12 03:50:12
02/24/12 16:16:38 02/24/12 21:50:12
host/ssh-server.etud.example.com at ETUD.EXAMPLE.COM
renew until 02/25/12 03:50:12
So I can obtain the correct tickets, but can't log into the ssh-server
using the SSO functions of Kerberos. Is there anything I did wrong or
missed about my configuration of theses services ? any help would be
appreciated.
Jean-Christophe
More information about the Kerberos
mailing list