Problems with SSH-GSSAPI ticket authentication and NAT

nomike nomike at fstph.at
Wed Jan 2 07:16:36 EST 2013


Hi!

Sorry for writing such a large email but the problem I'm facing seems to
be rather complex.

---+ Abstract
I've got a server which is running multiple VMs. When I'm trying to log on
to an internal VM through a port forward to the VM's ssh port, GSSAPI
authentication fails. However, it succeeds if I try this from a VM.

---+ Setup
The host has two network bridges:

"br0" - Connected to the outside world with IP 1.2.3.4/24
and
"virbr0" - Virtual network for the VMs with IP 10.20.30.1/24

Relevant for this problem are:
The Host:
myhost.externaldomain.com (br0: 1.2.3.4/24, virbr0: 10.20.30.1/24)

3 VMs:
kerberos.internaldomain.com (10.20.30.5/24),
ssh.internaldomain.com (10.20.30.2/24),
backup.internaldomain.com (10.20.30.3/24)

And one external Host:
someexternal.externaldomain.com (1.2.3.5/24).

There are port forwards from 1.2.3.4:22 to 10.20.30.2:22 and from
10.20.30.1:22 to 10.20.30.2:22.

My principal is contained in /root/.k5login on all of the machines.
---+ Problem description
---++ What works
I'm on backup.internaldomain.com and I acquire a ticket:

---SNIP---
$ kinit nomike
$ klist
Ticket cache: FILE:/tmp/krb5cc_1117
Default principal: nomike@INTERNALDOMAIN.COM

Valid starting    Expires           Service principal
02/01/2013 13:00  03/01/2013 03:00  krbtgt/INTERNALDOMAIN.COM@INTERNALDOMAIN.COM
	renew until 03/01/2013 13:01
---SNAP---

My ".ssh/config" contains:

---SNIP---
Host backup.ssh.internaldomain.com
	Hostname 1.2.3.4
	Port 22
	GSSAPIServerIdentity ssh.internaldomain.com
---SNAP---
When I ssh to "backup.ssh.internaldomain.com" gssapi-mic succeeds and I
get the following TGS:
---SNIP---
02/01/2013 13:03  03/01/2013 03:00  host/ssh.internaldomain.com@
	renew until 03/01/2013 13:01
02/01/2013 13:03  03/01/2013 03:00  host/ssh.internaldomain.com@INTERNALDOMAIN.COM
	renew until 03/01/2013 13:01
---SNAP---

---++ This doesn't work
I'm now on someexternal.externaldomain.com.

---SNIP---
$ kinit nomike
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nomike@INTERNALDOMAIN.COM

Valid starting    Expires           Service principal
02/01/2013 13:06  03/01/2013 03:06  krbtgt/INTERNALDOMAIN.COM@INTERNALDOMAIN.COM
	renew until 03/01/2013 13:09
---SNAP---

The ".ssh/config" file now contains:
---SNIP---
Host backup.ssh.internaldomain.com
	Hostname 1.2.3.4
	Port 22
	GSSAPIServerIdentity ssh.internaldomain.com
---SNAP---

When I try to ssh to "backup.ssh.internaldomain.com" gssapi authentication
fails now and I get the following tickets:

---SNIP---
02/01/2013 13:09  03/01/2013 03:06  host/externaldomain.com@
	renew until 03/01/2013 13:09
02/01/2013 13:09  03/01/2013 03:06  host/externaldomain.com@INTERNALDOMAIN.COM
	renew until 03/01/2013 13:09
---SNAP---

And this is where I don't know what's wrong. I assume that normally
GSSAPI does a rDNS lookup of the IP it should connect to and requests a
TGS for the hostname it gets. And the purpose of "GSSAPIServerIdentity" is
to override what it gets from rDNS and use the specified hostname instead.
This works from the inside VM. But from outside it looks like this
parameter gets ignored.

Do you have any suggestions? Is there any additional info I could check?

kind regards

nomike
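The following is an added example, not part of the poster's message and not code from OpenSSH or MIT Kerberos. It encodes the resolution model the post describes (the client requests host/<rDNS name of the target IP>, unless GSSAPIServerIdentity names the host explicitly), parses klist output to see which host/ principal was actually obtained, and reports whether the two agree. The reverse-DNS table, the realm and the klist samples are constructed from the addresses and tickets shown in the post; the function names are the example's own.

```python
import re

# Constructed reverse-DNS table standing in for the poster's network
# (assumption: these are the PTR answers the clients would receive).
RDNS = {
    "10.20.30.2": "ssh.internaldomain.com",
    "1.2.3.4": "myhost.externaldomain.com",
}

REALM = "INTERNALDOMAIN.COM"


def expected_service_principal(target_ip, realm, server_identity=None, rdns=RDNS):
    """Return the host/ principal the client is expected to request.

    Follows the model in the post: GSSAPIServerIdentity wins when set,
    otherwise the reverse-DNS name of the address being connected to.
    Falls back to the bare IP when no PTR record is known.
    """
    name = server_identity or rdns.get(target_ip, target_ip)
    return f"host/{name}@{realm}"


# klist ticket lines have five whitespace-separated fields:
# start date, start time, expiry date, expiry time, service principal.
# Header lines and "renew until" lines have a different field count.
_TICKET_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def service_principals(klist_output):
    """Extract every service principal (anything with a '/') from klist output."""
    found = []
    for line in klist_output.splitlines():
        m = _TICKET_LINE.match(line)
        if m and "/" in m.group(5):
            found.append(m.group(5))
    return found


def diagnose(klist_output, target_ip, realm, server_identity=None):
    """Compare the host/ tickets in the cache with the one the model predicts."""
    expected = expected_service_principal(target_ip, realm, server_identity)
    hosts = [p for p in service_principals(klist_output) if p.startswith("host/")]
    return {"expected": expected, "found": hosts, "match": expected in hosts}


# Constructed klist output, modelled on the two caches shown in the post
# (joined to one line per ticket; the trailing '@' entry is the referral).
KLIST_INSIDE = """\
Ticket cache: FILE:/tmp/krb5cc_1117
Default principal: nomike@INTERNALDOMAIN.COM

Valid starting    Expires           Service principal
02/01/2013 13:00  03/01/2013 03:00  krbtgt/INTERNALDOMAIN.COM@INTERNALDOMAIN.COM
	renew until 03/01/2013 13:01
02/01/2013 13:03  03/01/2013 03:00  host/ssh.internaldomain.com@
	renew until 03/01/2013 13:01
02/01/2013 13:03  03/01/2013 03:00  host/ssh.internaldomain.com@INTERNALDOMAIN.COM
	renew until 03/01/2013 13:01
"""

KLIST_OUTSIDE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nomike@INTERNALDOMAIN.COM

Valid starting    Expires           Service principal
02/01/2013 13:06  03/01/2013 03:06  krbtgt/INTERNALDOMAIN.COM@INTERNALDOMAIN.COM
	renew until 03/01/2013 13:09
02/01/2013 13:09  03/01/2013 03:06  host/externaldomain.com@
	renew until 03/01/2013 13:09
02/01/2013 13:09  03/01/2013 03:06  host/externaldomain.com@INTERNALDOMAIN.COM
	renew until 03/01/2013 13:09
"""

if __name__ == "__main__":
    for label, cache in (("inside", KLIST_INSIDE), ("outside", KLIST_OUTSIDE)):
        r = diagnose(cache, "1.2.3.4", REALM, server_identity="ssh.internaldomain.com")
        print(label, "expected", r["expected"], "found", r["found"], "match", r["match"])
```

Run against the two caches, the inside case matches and the outside case does not. Note that neither branch of the model yields host/externaldomain.com, the principal actually obtained from outside (the rDNS branch would give host/myhost.externaldomain.com under the table above), so the check makes the mismatch visible without explaining where that name came from; that is the open question of the post.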