Feeling rather stupid here. Let's say I have:

o 192.168.1.0/24 (internal)
        o realm DOMAIN.COM
        o kdc.internal.domain.com (192.168.1.100)
                o kdc.conf
                        allow-null-ticket-addresses = true
                o host principals for
                        o firewall
                        o kdc
                        o slavelinux
                        o externalbox
                o user principal for testuser
                o testuser also local user in kdc
                o "GSSAPIAuthentication yes" in /etc/ssh/sshd_config
        o slavelinux.internal.domain.com (192.168.1.200)
                o testuser local user in slavelinux
                o kdc.keytab with slavelinux's host principal
                o "GSSAPIAuthentication yes" in /etc/ssh/sshd_config
o 192.168.11.0/24 (external)
        o externalbox.domain.com (192.168.11.188)
                o in .ssh/config
Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPITrustDns yes
  CheckHostIP no
                o testuser local user in externalbox
                o kdc.keytab with externalbox's host principal
                o "GSSAPIAuthentication yes" in /etc/ssh/sshd_config
o Firewall
        o firewall.domain.com 192.168.11.10
        o firewall.internal.domain.com 192.168.1.1
        o port 88 (tcp/udp) forwarded to kdc
        o port 22 (tcp) forwarded to kdc

Creating a ticket on slavelinux as testuser and then ssh'ing to kdc
works fine. So, as testuser@externalbox, I do

testuser@externalbox:~$ kinit -f -A -p testuser
Password for testu...@domain.com:
testuser@externalbox:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testu...@domain.com

Valid starting     Expires            Service principal
09/06/11 04:06:40  09/06/11 14:06:40  krbtgt/domain....@domain.com
        renew until 09/07/11 04:06:34
09/06/11 04:08:45  09/06/11 14:06:40  host/firewall.domain....@domain.com
        renew until 09/07/11 04:06:34
testuser@externalbox:~$

The log file in kdc shows the authentication taking place:

Sep  6 04:06:34 kdc krb5kdc[13460]: AS_REQ (7 etypes {18 17 16 23 1 3
2}) 192.168.11.188: NEEDED_PREAUTH: testu...@domain.com for
krbtgt/domain....@domain.com, Additional pre-authentication required
Sep  6 04:06:40 kdc krb5kdc[13460]: AS_REQ (7 etypes {18 17 16 23 1 3
2}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=23 tkt=18
ses=18}, testu...@domain.com for krbtgt/domain....@domain.com

Now, when I try to ssh from externalbox to the kdc, it seems that
gssapi-with-mic isn't working:

testuser@externalbox:~$ ssh -K -vvv testu...@firewall.domain.com
[...]
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.11.121.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/testuser/.ssh/id_rsa
debug3: no such identity: /home/testuser/.ssh/id_rsa
debug1: Trying private key: /home/testuser/.ssh/id_dsa
debug3: no such identity: /home/testuser/.ssh/id_dsa
debug1: Trying private key: /home/testuser/.ssh/id_ecdsa
debug3: no such identity: /home/testuser/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
testuser@firewall's password:

What am I missing here?  The kdc log file tells me that

Sep  6 04:08:45 kdc krb5kdc[13460]: TGS_REQ (7 etypes {18 17 16 23 1 3
2}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18
ses=18}, testu...@domain.com for host/firewall.domain....@domain.com
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

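One check worth making in a setup like the one described: the KDC log shows the client being issued a ticket for host/firewall.domain.com, and for gssapi-with-mic to succeed the sshd that actually answers the connection (the box port 22 is forwarded to) must hold a key for exactly that service principal in its keytab, regardless of what its own hostname is. The following Python script is an added example, not from the original post or the OpenSSH/MIT Kerberos projects; it models how the client derives the service principal name (with GSSAPITrustDns canonicalization simulated through a constructed DNS map) and compares it against a constructed `klist -k` style listing of the server's keytab. Realm name, hostnames and keytab contents are assumptions taken from or modelled on the post, not verified facts about the poster's hosts.

```python
import re
from typing import Dict, Set

# Assumption: the realm from the post.
REALM = "DOMAIN.COM"

# Constructed stand-in for DNS canonicalization (forward lookup of the
# name the user typed). A real client with GSSAPITrustDns yes lets the
# resolver canonicalize the target before building the SPN.
DNS_CANONICAL: Dict[str, str] = {
    "kdc": "kdc.internal.domain.com",
    "kdc.internal.domain.com": "kdc.internal.domain.com",
    "slavelinux": "slavelinux.internal.domain.com",
    "firewall.domain.com": "firewall.domain.com",
}

# Constructed `klist -k` output for the sshd host that answers the
# forwarded port 22 (assumed to be kdc, holding only its own host key).
KDC_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kdc.internal.domain.com@DOMAIN.COM
"""


def parse_keytab_listing(listing: str) -> Set[str]:
    """Return the set of principals named in `klist -k` style output.

    Lines look like '   2 host/kdc.internal.domain.com@DOMAIN.COM'; the
    header, separator and keytab-name lines are skipped.
    """
    principals: Set[str] = set()
    for line in listing.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def client_service_principal(target: str, dns: Dict[str, str], trust_dns: bool) -> str:
    """Service principal the SSH client will request from the KDC.

    With GSSAPITrustDns yes the typed name is canonicalized via DNS
    (simulated by `dns`); otherwise the typed name is used as-is.
    """
    host = dns.get(target, target) if trust_dns else target
    return f"host/{host.lower()}@{REALM}"


def diagnose(target: str, dns: Dict[str, str], trust_dns: bool, keytab_listing: str) -> dict:
    """Compare the SPN the client asks for with what the acceptor's keytab holds."""
    requested = client_service_principal(target, dns, trust_dns)
    have = parse_keytab_listing(keytab_listing)
    return {
        "requested": requested,
        "in_keytab": requested in have,
        "keytab_principals": sorted(have),
    }


if __name__ == "__main__":
    # Scenario modelled on the post: ssh to firewall.domain.com, forwarded
    # to kdc. The client obtains host/firewall.domain.com (as the KDC log
    # shows), but the sshd on kdc has only host/kdc.internal.domain.com.
    for target in ("firewall.domain.com", "kdc"):
        r = diagnose(target, DNS_CANONICAL, True, KDC_KEYTAB_LISTING)
        status = "OK" if r["in_keytab"] else "MISSING in acceptor keytab"
        print(f"{target:25s} -> {r['requested']}: {status}")
```

On the real hosts the equivalent inputs come from `klist -k /etc/krb5.keytab` on the machine that answers the connection and from `klist` on the client after the failed ssh attempt (the service ticket it obtained tells you which SPN it presented); if those two names differ, the acceptor cannot decrypt the AP-REQ and sshd silently falls through to the next authentication method, which is what the client's debug output above looks like.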